In the absence of congressional action on cybercrime, this week’s executive order is a significant new step in dealing with what the president called a national emergency.
Former NSA director Keith B. Alexander said recently that the government has a responsibility to protect private companies in cyberspace. Because companies are forbidden to retaliate against their online adversaries, it is up to government to make espionage and theft more risky and less profitable for cyberspies and criminals. President Obama took a step in that direction with his April 1 Executive Order blocking the U.S. assets and travel of cybercriminals.
This order is part of the president’s efforts to address pressing national issues through executive powers in the absence of congressional action. The order is by no means without teeth, but it is only one step toward gaining control over a cybersecurity problem that the president declared to be a national emergency. Supporters and critics alike agree that it is not a solution and that comprehensive legislation is needed to better address the problem.
“Without a Congress that is willing to address the whole problem, you can only do so much,” said attorney Nick Akerman, who specializes in cybersecurity privacy at the law firm Dorsey and Whitney. “This is a huge national security issue,” he said, and neither government nor the private sector has done enough to address it.
The order allows the Treasury Department, cooperating with Homeland Security, to block the assets of anyone whose malicious activity harms the nation’s critical infrastructure or computer networks, disrupts economic activity, or steals identities and intellectual property. Bad actors also can be barred from entering the country.
The trick, of course, is enforcing the order, which requires first identifying the bad actors. This is left up to the Secretary of the Treasury, Secretary of State and Attorney General. No standards are specified for this determination, although it presumably will be less than the reasonable doubt standard for a criminal conviction. To be effective, the target also must have some assets in this country or under U.S. control, which could leave a lot of low-level activity untouched.
But the order could significantly raise the stakes for overseas businesses that engage in cyberespionage and the theft of intellectual property. In today’s global economy, any sizeable company eventually will do business in or cross the boundaries of the United States, and the order could block U.S. imports or the use of U.S. banks and financial networks. This could effectively negate much of the commercial advantage to be gained through business espionage.
We also are getting better at locating and identifying cyber perpetrators, often with the help of industry. Microsoft has set up a Digital Crimes Unit that treats cybercrime as a legal as well as a technology problem. The unit includes attorneys, forensic analysts and investigators, and other business professionals in 30 countries who cooperate with law enforcement and other government and non-governmental agencies. The goal is to understand how technology is used in crime, how this crime can be disrupted, and to help bring law and order into cyberspace. Microsoft’s efforts have been instrumental in identifying and shutting down—legally—the command and control systems for a number of major botnets.
Still, more needs to be done. Organizations, both private and public sector, need to improve their security and incident response, and Congress needs to enact reasonable legislation setting baseline security requirements and establishing the responsibilities of information systems operators. Until Congress is willing to act and the private sector wakes up to its own interests, the executive order is a good, although limited, step.