On April 1, President Obama released an Executive Order titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”. Cybersecurity has become a very important aspect of our country’s security, so at a glance this order seems like a good step towards keeping our nation’s critical infrastructure safe. But there are some important reasons why this might not be the case.
First of all, it’s important to note that our nation’s infrastructure is constantly under attack from various nations and organizations across the globe. I believe that our country needs to do as much as possible to secure these critical systems from attacks. If someone is attacking the United States, we should be able to freeze any assets of that group or individual within our jurisdiction – I think that’s common sense. The problem is in allowing a few people in our government to secretly make this decision. Freezing assets of criminals is just one example of things our nation’s courts can already do. In fact, if you want an example of the United States seizing assets held even outside the country, look no further than the polarizing case of Kim Dotcom.
Second, one needs to question whether this Executive Order actually makes our country any more secure. Many attacks against the United States come from persons or organizations who would not be affected by this. In fact, why would anyone attacking the United States want to have assets in our country? Wouldn’t they already expect to lose those assets if their intentions came to light? Whether or not some attackers do have assets under United States jurisdiction, this would not truly secure our infrastructure. The actual way to secure it is by developing better access controls and monitoring tools. The way this Executive Order secures our country is akin to a medieval castle promising to seize whatever assets it can from an approaching army instead of actually building higher and thicker walls.
Third, this Executive Order extends past those attacking our critical infrastructure to those “causing a significant disruption to the availability of a computer or network of computers”, as long as the attacks are “originating from, or directed by persons located, in whole or in substantial part, outside the United States” and “are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States”. This is an extremely broad and ambiguous statement. What is considered a significant threat to, for example, the economic health of the United States? Does a group of teenagers (some in the US, others across the globe) running a distributed denial of service attack on a company qualify? I don’t question that such attacks are bad and should be punished, but this order allows US citizens to be treated similarly to terrorists: it lacks due process, and Section 2 disallows people from supporting anyone this Executive Order is used against (whether contributing funds, goods or services).
Finally, the EFF brings up a very good point about the impact this could have on the security industry. Section 1(ii)(B) implicates anyone who provides “technological support for, or goods or services in support of” the illicit activities the order lays out. This broad wording could be construed to include penetration testers, who develop (often open source) tools that may end up being used by real attackers. While the President has stated “this executive order [doesn’t] target the legitimate cybersecurity research community or professionals who help companies improve their cybersecurity”, there have been plenty of cases where the government has been rather assertive in its use of anti-hacking laws. This means it is especially important for these kinds of laws and policies to be unambiguous.
As we enter an age where more and more aspects of our society are supported by computers, it is vitally important to our safety and wellbeing to give cybersecurity more attention. However, we need to make smart decisions about what practices will actually be worthwhile in protecting our country. I think that this Executive Order is largely useless because it does little to punish attackers more than our courts are already able to. It also has the (ever unlikely) potential to implicate researchers working to secure our nation, and is also very questionable in how it treats citizens breaking the law. This Executive Order is not the right solution to cyberattacks against our country.