Cyber EO Hits the Mark

On April 1st the White House issued a new Executive Order (EO) that provides the basis for using economic sanctions in response to significant cyber attacks.  This EO is ground-breaking in several ways.  First, unlike the vast majority of sanctions regimes, this EO focuses on harm rather than on a specific actor or set of activities.  As a result, the U.S. government has created the legal means to address the economic consequences, not just the national security consequences, of cyber intrusions.  This enables the U.S. to respond to incidents that may cause serious economic harm but do not cross the threshold into use of force, which would justify a military response.  Previously, the White House had few options for dealing with such incidents.  Diplomatic tools were often ineffectual and military actions were too severe.  Economic sanctions can be viewed as the Goldilocks solution for a wide range of cyber activities that cause significant harm to the country. 

Second, the EO is not just focused on direct economic harm, such as might occur from denial-of-service attacks that disrupt financial institutions; it explicitly addresses harm from the use of stolen trade secrets to provide economic advantage.  In addition, the EO can be applied to patterns of activity, such as the targeting of an industrial sector or a specific type of technology.  This use of the EO greatly strengthens U.S. efforts to establish norms against the use of state-sponsored espionage to support corporate innovation.

A third feature of the EO is that it strengthens deterrence.  To be effective, deterrence must be credible and impose costs that alter the decisions of adversaries.  In the past, the U.S. has had few means for deterring activities such as widespread economic espionage because there were few mechanisms for imposing appropriate costs on attackers and military responses were unlikely to be used.  The EO gives the White House a credible response option that can impose proportional costs on actors who cause harm via a wide range of cyber activities.    

While the new EO is both necessary and important, it does carry a set of challenges.  The main obstacles facing the White House concern the implementation of sanctions, especially in cases involving harm from economic espionage.  For example, it may be extremely difficult to determine that stolen intellectual property has been used to cause significant harm to the U.S.  While it is difficult to detect and attribute the theft of IP to a particular actor, it is possible.  Several companies have demonstrated the ability to do this, and public-private cooperation on attribution makes this problem challenging but doable, at least in some cases.  The greater challenge is in determining whether stolen IP has caused harm to the U.S. economy.  Depending on the type of information, the nature of the industry in question, and the dynamics of competition, it may be difficult for a company that obtains stolen IP to use it effectively.  Thus, the loss of IP may not, in and of itself, lead to significant harm.

It may also be difficult to gather the information needed to determine whether stolen IP was integrated into a particular product or service.  U.S. companies may not have the means to gather such information, or if they do, may not have the time and resources to dedicate to the task.  Thus, to demonstrate harm, the U.S. government may have to gather intelligence on foreign companies that are competing with U.S. companies to determine if stolen IP is being used to alter the dynamics of competition.  Such intelligence gathering looks similar to the type of activity the U.S. is trying to prevent: government espionage focused on gathering intelligence from foreign companies to learn more about their products and services.  The White House could argue that its activities are meant to level the playing field rather than tip it to advantage U.S. industry, but such a distinction is both subtle and a hard sell with those who do not support the U.S. position on this matter.

While these and other challenges may make the EO difficult to implement in some cases, the EO is an important step in the right direction.  By focusing on harm, the EO sets a standard that can be used across the wide range of cyber actions.  By calling out economic as well as national security consequences, the EO makes clear that IP theft and large-scale DDoS attacks can have serious repercussions.  Finally, by opening the door to economic sanctions in response to such attacks, the EO gives policymakers more choices to enable proportional responses to serious incidents.  On the whole, this EO hits the mark.

 

Irv Lachow is Senior Associate (Non-Resident) in the Strategic Technologies Program at the Center for Strategic and International Studies.