On April 1, 2015, President Obama issued an Executive Order (the “Cyber EO”) authorizing the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) to designate as Specially Designated Nationals (“SDNs”) certain persons that have engaged in “significant malicious cyber-enabled activities.” No party has yet been designated under the Cyber EO. OFAC has stated in its Frequently Asked Questions (FAQs) that the Cyber EO is “intended to address situations where, for jurisdictional or other issues,” significant actors “may be beyond the reach of other authorities available to the U.S. government,” which is similar to the intent behind certain other OFAC programs, such as the Foreign Sanctions Evaders program.

U.S. Persons and persons otherwise subject to OFAC jurisdiction (e.g., non-U.S. persons that cause prohibited acts to occur in the United States or by U.S. Persons) are prohibited from dealing with SDNs, as well as their 50%-or-more owned entities (collectively, “Blocked Persons”). In addition, the property and interests in property of such Blocked Persons must be frozen if they come within the United States or the possession/control of a U.S. Person.

The Cyber EO targets a broad range of “cyber-enabled activities” that are “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” In particular, the Cyber EO authorizes designation of (i) parties “responsible for or complicit in or [who] have engaged in, directly or indirectly, cyber-enabled activities” that originate or are directed from outside the United States and that have the purpose or effect of:

  1. harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
  2. significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
  3. causing a significant disruption to the availability of a computer or network of computers; or
  4. causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

In addition, the Cyber EO authorizes designation of (ii) parties “responsible for or complicit in or [who] have engaged in . . . the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated,” as well as (iii) parties who have “materially” supported parties blocked pursuant to the Cyber EO, (iv) parties who are owned or controlled by, or acting or purporting to act on behalf of those blocked parties, and (v) parties that have attempted to engage in the targeted activities.

According to OFAC’s accompanying FAQs, the term “cyber-related activities” will be further defined in forthcoming OFAC regulations. For current purposes, these activities include “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”

OFAC’s FAQs clarify that the Cyber EO is not meant to target:

  • legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems, or systems they are otherwise authorized to manage;
  • legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies;
  • legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events; or
  • unwitting owners of compromised computers.
Author

Janet Kim is a partner in Baker McKenzie's Washington, DC office. Ms. Kim advises clients — including US and foreign companies — on outbound compliance issues arising from the US Foreign Corrupt Practices Act, as well as in criminal and regulatory proceedings, internal investigations and compliance reviews relating to these areas of law. She also advises on the application of these laws in cross-border transactions, including mergers and acquisitions, divestitures and joint venture arrangements. Additionally, Ms. Kim helps develop and implement workable, risk-based compliance programs for companies in a wide range of industries.

Author

Lise Test, an associate in Baker & McKenzie’s International Trade Group in Washington, DC, practices in the area of international trade regulation and compliance — with emphasis on US export control laws, trade sanctions, anti-boycott laws and the Foreign Corrupt Practices Act. Prior to joining Baker & McKenzie, Ms. Test served as a lawyer at the Danish Ministry of Defence where she focused on international public law and Danish torts, administrative law and military criminal law. In addition to her practice, Ms. Test also taught international humanitarian law and contract law at the Danish Royal Naval Academy.
