The New Sanctions Noone is Talking About: The Industrial Espionage in Cyberspace Sanctions
On December 19, 2014, the President issued a new executive order imposing sanctions on the geographic region of the Crimea as part of the Ukraine-related sanctions program. Earlier that week, the President announced a policy change towards Cuba that will lead to major relaxation of Cuba sanctions. Pretty busy week for sanctions, right? You may not even know that half of it. That’s because being overshadowed by the developments in the Ukraine and Cuba sanctions program, and the fact that the holidays were getting started, was the enactment of a new sanctions authority. This authority, found in Section 1637 of the Carl Levin and Howard P. ‘Buck’ McKeon National Defense Authorization Act for Fiscal Year 2015 (“NDAA 2015″), provided for sanctions designed to target those engaged in industrial espionage in cyberspace.
Undoubtedly spurned by the recent hacking of Sony Pictures, this new authority allows the President to utilize his powers under the International Emergency Economic Powers Act (“IEEPA”) to block and prohibit transactions in property with foreign persons who knowingly request, engage in, support, facilitate, the significant appropriation, through economic or industrial espionage in cyberspace, of technologies or proprietary information developed by United States persons. One caveat though, the President cannot impose restrictions on imports of goods to the United States by those parties designated pursuant to the authority. The new industrial espionage through cyberspace sanctions authority also imposes reporting requirements whereby the President will report to Congress regarding foreign countries engaged in, or facilitating, economic or industrial espionage through cyberspace.
The definition of cyberspace for purposes of the new authority is fairly obvious in that it includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers. What’s not so obvious is the definition of “economic or industrial espionage” which includes not only stealing a trade secret or proprietary information without the authorization of the owner of the trade secret or proprietary information, but also buying, receiving, possessing, copying, duplicating, downloading, uploading, destroying, transmitting, delivering, sending, communicating, or conveying a trade secret or proprietary information without the authorization of the owner of the trade secret or proprietary information.
After delaying the release of “The Interview”, and giving us plenty of Hollywood gossip via leaked Sony executive emails, cybercrime and cyberterrorism have become all the rage. This isn’t too surprising as cyberattacks and cyberterrorism have been the discussion of frequent and growing discourse amongst members of the national security law bar. It seems that the financial warriors of the United States Department of the Treasury will now also be getting into the game. This only makes sense given that the utilization of U.S. economic sanctions has become one of the primary tools employed by the U.S. when seeking to further its foreign policy and national security interests.
It will be interesting, however, to see how the President and Treasury go about imposing these sanctions, as cybercriminals, cyberterrorists, and cyber industrial spies operate anonymously. From the perspective of delisting a party designated under this authority there will be some difficult hurdles to overcome. First, I assume all of the evidence underlying the designation would be classified, given that the parties designated will have remained anonymous in the course of their conduct. As such, I don’t foresee much, if any, open source information being relied upon to designate them. Second, when the authority allows for sanctions to be imposed upon a party who engages in industrial espionage through cyber space, how can the designated party show a change in circumstances to warrant an SDN delisting pursuant to 31 CFR 501.807? Do they sign an affidavit saying they will not engage in industrial espionage through cyberspace anymore? Can other more proactive steps be implemented to change the circumstances? The answers to these questions are as unclear as the answers to how the Administration will implement and enforce these sanctions, and I don’t think there is a hacker in the world who can find out at this time how Treasury is going to deal with this new authority.