When we recorded our cyber-sanctions podcast with NYU’s Zach Goldman last week, we laid out a few different scenarios for the initial batch of designations. We generally agreed that at the very least, some Eastern European cyber-criminals or Chinese hackers engaged in corporate espionage would be listed. But it might be time to reconsider in light of reports that the St. Louis Cardinals are being investigated by the FBI for hacking into internal networks of the rival Houston Astros.
While I think it’s fairly unlikely that the Office of Foreign Assets Control (“OFAC”) would consider the Cardinals for the list of Specially Designated Nationals and Blocked Persons (“SDN List”), for obvious reasons, it’s an interesting academic question: Would the Cardinals qualify for designation under Executive Order 13694?
Generally speaking, the cyber sanctions have two categories of designation criteria. First, § 1(a)(i) authorizes the blocking of individuals or entities determined by the Secretary of the Treasury to
“… be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States…”
The second criteria, §1(a)(ii) is for persons found
“…to be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated…”
Right off the bat OFAC would need to satisfy the requirement under §1(a)(i) that the activities originated from or were directed from outside the United States, §1(a)(ii) that the receipt of trade secrets occurred outside the United States. While there does not appear to be an international connection to this story, there’s an argument to be made that if the information taken from the Astros’ network were sent to the Cardinal’s international scouts, the foreign component of §1(a)(ii) would be satisfied.
If the foreign component were able to be satisfied, it would appear the Cardinals would be in serious trouble. According to the New York Times,
“Investigators have uncovered evidence that Cardinals officials broke into a network of the Houston Astros that housed special databases the team had built, according to law enforcement officials. Internal discussions about trades, proprietary statistics and scouting reports were compromised, the officials said.”
At the very least it seems the Cardinals are guilty of “receipt or use for commercial or competitive advantage… trade secrets misappropriated through cyber-enabled means.”
Fortunately (if you’re a Cardinals fan) or unfortunately (if you’re a Cubs fan), both criteria require the violation to constitute a “significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” Baseball may be America’s Pastime but it’s probably a stretch to claim stealing player information and trade plans is a threat to the country as a whole.
Again, the Cardinals are not going to be added to the SDN List. If nothing else, U.S. persons are almost never subject to designation, unless of course you are Richard Chichakli. But it’s a useful exercise in analyzing who the potential EO 13694 targets will be and how they will be evaluated by Treasury.