OFAC Reissues Cyber-Related Sanctions Regulations
An inherent aspect of any new technology is that it doesn’t take long for bad actors to figure out how it can be weaponized for nefarious purposes. Cyber-related technologies represent an increasingly dangerous area of risk for everyone, whether they are individual citizens, business and infrastructure entities, or governments. Adversaries of the U.S., including China, Russia, and North Korea have engaged in acts of cyberespionage, often intended not only to cause actual harm, but also to test our ability to counter acts of malicious cyber-intrusion. The range of cyber-attacks include attempts by China to obtain sensitive information critical to American national security and the security of our NATA partners, the hacking of cryptocurrency exchanges, ransomware attacks on critical infrastructure, and disinformation activities intended to undermine our democratic processes. The U.S. government has in recent years issued a number of laws and regulations intended to deal with cyber intrusions, although much work remains to be done to keep pace with the ever-increasing and ever-evolving risks. This article addresses the recent re-issue, in full of the Cyber-Related Sanctions Regulations (31 C.F.R. § 578) by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
Summary of current law
Back in 2015 and 2016, President Obama issued two executive orders that provided the basis for OFAC’s cyber-regulations. E.O 13694, issued on April 1, 2015, authorized the sanctioning of entities and persons found:
“to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities … that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of:
(A) harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector.
(B) significantly compromising the provision of services by one or more entities in a critical infrastructure sector.
(C) causing a significant disruption to the availability of a computer or network of computers; or
(D) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.
E.O. 13757, issued on December 28, 2016, took “additional steps to deal with the national emergency with respect to significant malicious cyber-enabled activities declared in [E.O. 13694] and in view of the increasing use of such activities to undermine democratic processes or institutions.”
In order to implement E..O 13694, OFAC published its initial, abbreviated version of the Cyber-Related Sanctions Regulations in the Federal Register of December 31, 2015. OFAC noted that the regulations were published “for the purpose of providing immediate guidance to the public. OFAC intends to supplement this part 578 with a more comprehensive set of regulations, which may include additional interpretive and definitional guidance, including regarding ‘‘cyber-enabled’’ activities, and additional general licenses and statements of licensing policy.”
On September 6, 2021, OFAC published, in their entirety, the Cyber-Related Sanctions Regulations in the Federal Register. OFAC determined that a wholesale reissuance of the regulations was appropriate “to further implement an April 1, 2015 cyber-related Executive order, as amended by a December 28, 2016 cyber-related Executive order, as well as certain provisions of the Countering America’s Adversaries Through Sanctions Act (CAATSA). The reissued regs include a patchwork of additional interpretive guidance and definitions, general licenses, and other regulatory provisions that will provide further guidance to the public. Because of the extensive changes and additions, OFAC determined it was appropriate to reissue the Cyber-Related Sanctions Regulations in their entirety.
Companies, individuals, and government agencies must take a proactive stance with their cyber security measures. While these regulations—and any similar actions taken by Congress or the executive branch—will not prevent malicious cyber events, half the battle of effectively thwarting or mitigating a cyber-attack is understanding the range of risks and taking measures to stay at least one step ahead of the attackers. But in the unfortunate event that you or your company have been targeted—let’s say your ERP has been shut down by a ransomware attack—make sure you seek appropriate legal and technical assistance before taking any action. Paying an illegal ransom to a sanctioned entity can make a bad situation worse. As with any other compliance-related scenario, the successful resolution of a malicious cyber-related incident requires a deliberate and focused response.