In the wake of growing international hacking threats, like the one that hit Sony last year, President Obama issued an executive order Wednesday (April 1) declaring a national emergency and empowering the Treasury Department to impose economic sanctions on cybercriminals abroad, including blocking the importation of goods from foreign companies and otherwise limiting their access to the U.S. financial system.
"Starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit," the president said.
The White House said the threat was both to national security and economic competitiveness.
"This authority will be used in a targeted manner against the most significant cyber threats that we face, whether they are directed against our critical infrastructure, our companies or our citizens," President Obama said. "The United States will continue to employ all available means, including diplomatic and law enforcement mechanisms, to counter these threats."
The president has already taken action more directly related to the Sony attack.
In January, he issued an executive order levying sanctions on North Korea, which the U.S. government identified as behind the Sony hack; the White House called it a "destructive and coercive" action.
But Wednesday's order also takes aim at hacks "significantly disrupting the availability of a computer or network of computers," which would certainly apply to the Sony attack. The new order also targets the receipt or use of stolen trade secrets or sensitive information.
Nick Akerman, attorney and computer crime expert with Dorsey & Whitney in New York, said tagging the problem as a national emergency is long overdue, but added he forsees problems in enforcing the new order, specifically with "being able to determine who is responsible for the hacking and whether the right person, company or foreign government is the object of the sanctions."
"For example, if an oversees company is believed to have hacked into a U.S. company to steal competitively sensitive information, what standard of proof will be used to determine whether that foreign company's products will be banned from the entering the U.S.?" Akerman said in a comment emailed to Multichannel News.
In addition to the order, the White House put in a plug for legislation "strengthening protections for victims of identity theft, modernizing law enforcement tools for investigating and deterring cybercrimes, and promoting increased cyber threat information-sharing among the private sector and government."
Internet service providers are also supportive of legislation that would make it easier for them to share threat information among themselves and with the government, so long as there are liability protections for that sharing.
Akerman said that while addressing the international portion is important, it fails to address the whole problem, which includes the "American side of the equation" and companies that are not taking the proper precautions against cyber attacks.
"It should be a misdemeanor crime for companies not to take proper precautions," Akerman said.