Obama puts 'malicious cyber actors' on notice

A new executive order lets the US Attorney General and the Secretaries of Treasury and State go after cyberattackers "where it really hurts -- at their bottom line."

Don Reisinger
CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.
Don Reisinger
3 min read

In February, President Obama went to Silicon Valley to hold a summit on cybersecurity. James Martin/CNET

President Barack Obama is taking aim at "malicious cyber actors" who attempt to profit from digital attacks on US interests.

An executive order announced Wednesday authorizes the Secretary of the Treasury, Secretary of State and Attorney General to impose sanctions on cyberattackers hacking into the networks of US companies or government agencies.

"Effective incident response requires the ability to increase the costs and reduce the economic benefits from malicious cyber activity," Lisa Monaco, assistant to the president for homeland security and counterterrorism, wrote in a statement. "And this means, in addition to our existing tools, we need a capability to deter and impose costs on those responsible for significant harmful cyber activity where it really hurts -- at their bottom line."

The White House aims to make it hard for hackers to profit from stolen information. After identifying the people behind a cyberattack -- which could be an individual, company or even a country -- the US could impose sanctions that would prevent US companies from doing business with them. Individuals would also be banned from traveling to the United States.

"This new executive order is specifically designed to be used to go after the most significant malicious cyber actors we face," Monaco wrote. "It is not a tool that we will use every day."

The executive order comes in the wake of massive attacks that targeted dozens of companies and millions of people across the US. Major hacks reported over the last year include those on retail giant Target -- in which hackers stole credit card data for more than 110 million customers -- as well as on department store Neiman Marcus, restaurant chain P.F. Chang's, crafts-supplies chain Michaels Stores, hardware chain Home Depot, office-supplies chain Staples and insurance provider Anthem.

One of the most notable breaches was last November's incursion at Sony Pictures, which revealed private e-mails among Sony executives and inside details on upcoming films. The hack is believed to have been politically motivated in reaction to the impending release of "The Interview," a comedy that featured an assassination plot on North Korea leader Kim Jong-un. The FBI has said that North Korea was behind the attack, but the country has denied any involvement.

There were more than 1,500 data breaches worldwide last year, up nearly 50 percent from 2013.

Dmitri Alperovitch, co-founder of cybersecurity company Crowdstrike, hailed Wednesday's executive order. He also noted the order would allow the Secretary of State and Attorney General to put the bad actors, including companies or individuals, on the US government's Specially Designated Nationals List, alerting US companies that they are not allowed to do business with them.

"The administration deserves tremendous credit for taking this extraordinary bold step," he wrote in a blog post. "Today the individuals listed on the SDN include terrorists, WMD proliferators and narcotics traffickers. In the not too distant future, cyber criminals, companies that benefit from commercial espionage, and operatives of foreign intelligence services may very well find themselves added to such dubious company. Welcome to the Brave New World!"

A push from the White House on cybersecurity

President Obama has made cybersecurity a priority in 2015. During his State of the Union address earlier this year, the president proposed adding $14 billion to the 2016 budget to help improve protection of government and corporate computer systems.

In February, the president signed a separate executive order to establish a framework for US government and companies in the private sector to more easily share information on cybersecurity threats. He signed that order at a special cybersecurity summit the White House hosted at Stanford University, in the heart of Silicon Valley.

But information-sharing and threats of sanctions are just part of the battle against cyberthreats. Actually prosecuting the hackers has proved extremely difficult -- in part because hackers often reside in countries, like Russia and China, that do not have extradition treaties with the US.

Last month, The New York Times reported federal investigators were closing in on the hackers behind the JPMorgan Chase attack that stole the contact information for 76 million households and 7 million small businesses. An arrest would be the first since the US apprehended Albert Gonzalez, who in 2010 was sentenced to 20 years in jail for a hack on retailer TJ Maxx and other companies.

This story has been updated throughout the morning.