indicate that the U.S. Treasury Department is preparing designations under its malicious cyber-enabled activities authority. Prior to these reports, which cite anonymous administration sources, there were clear signs that this sanctions authority would probably remain dormant.
Empty Executive Order, Without Regulations
First, Executive Order 13694 is “an empty E.O.,” in that it does not contain an annex of designees. OFAC utilizes derivative designations of individuals and entities listed in an annex to effectively and efficiently block vast networks. With no annex, the Office of Foreign Assets Control (OFAC) has to start the designations of networks with identifications of key nodes and then derivatively designate those that act for or on behalf of, or provide services to key actors.
Secondly, OFAC has yet to implement regulations for this sanctions program. Although such regulations are not necessary for the designation process, the licensing, enforcement and compliance aspects of the program will need regulatory guidance. Therefore, expect OFAC to issue regulations concurrently with, or shortly after the announcement of designations.
Designation Criteria, and Likely Targets
E.O. 13694 targets both those that engage in malicious cyber-activities (hacking and Distributed Denial of Service (DDoS) attacks) and most significantly, those that receive or use stolen trade secrets. Persons who compromise “critical infrastructure sector,”[1] networks, cause DDoS attacks, or steal trade secrets, financial information, or personal identifiers may also be designated. The designation criteria limits the later categories to theft “for commercial or competitive advantage or private financial gain.” This limitation probably limited OFAC’s ability to immediately respond to the Office of Personnel Management cybersecurity breaches, as the hacks were likely conducted to further China’s ongoing espionage recruiting efforts.
The companies that receive or use hacked trade secrets will be most vulnerable to this authority. They are likely to be large, multinational entities that rely heavily on access to the U.S. Dollar. As a recent Northern District of California indictment demonstrates, Chinese universities are also known recipients and users of stolen U.S. trade secrets, and are therefore likely targets of this authority. Assuming OFAC seeks to maximize the effectiveness of the trade secret protection aspect of this program, it will focus on the demand-side of cybertheft.
Post Designation
Once an individual or entity is designated under this authority, it will be added to the List of Specially Designated Nationals (SDN List) and its property and interests in property will be blocked. U.S. persons will be generally prohibited from any transactions or dealings with these designees. Absent special permission from OFAC through a General or Specific License, U.S. persons cannot “wind-down” their activities with an SDN. Absent such a license, all transactions and dealings with a designee must cease immediately. Although OFAC will consider the proximity in time between the designation and the violating transactions when calculating a civil penalty, OFAC may refer willful violations to the Department of Justice for criminal prosecution.
U.S. businesses should assess whether they have reason to believe that their partners or vendors may be involved with the misappropriation of trade secrets. Those companies should pay especially careful attention in the coming weeks to designation announcements from the U.S. Treasury Department.
We will continue to monitor OFAC designation actions and regulatory changes and publish updates as new developments arise.
View the original content and more from this author here: http://ift.tt/1KH4bcu
from critical infrastructure alliance http://ift.tt/1O7SGd9
via IFTTT
No comments:
Post a Comment