To defend Americans against cybercrime, the Obama administration has tried suing individual hackers and "naming and shaming" the countries that allegedly sponsored them. Last week the administration added a new, more powerful weapon to its arsenal: financial and trade sanctions against everyone involved.
Cybersecurity is a top national priority because of the incessant attacks on computer networks and stored data by hackers around the world, many under the auspices of foreign governments. According to a recent estimate, the toll from cybercrimes in 2013 was more than $100 billion in the U.S. and roughly half a trillion dollars globally. Much of the work in Washington has focused on improving the defenses of banks, energy companies and other potential targets. On Wednesday, though, President Obama sought to punch back harder against the hackers themselves.
Obama's executive order aims at only the most damaging attacks or attempted attacks by foreign hackers: those that have caused or are likely to pose "a significant threat to the national security, foreign policy, or economic health or financial stability of the United States." They would also have to harm crucial infrastructure; steal identities, assets or valuable information; or disrupt sites or networks. The Treasury Department would be empowered to freeze the assets of and prohibit transactions with not just the individuals responsible for the attacks, but also their sponsors, clients and anyone who assists them.
Security experts welcomed the order, saying the sanctions could help deter the hackers-for-hire who steal industrial secrets and crash websites. One challenge is identifying the people behind an attack, although improving technology is making that less daunting. Once the culprits are named, the Treasury Department has to offer enough evidence to show that it isn't abusing its new power. If top-secret surveillance programs are an essential part of tracking the source of an attack, the administration may find itself in the awkward position of having to choose between revealing classified programs and not seeking sanctions.
Considering that the administration acts as prosecutor, judge and jury when deciding to impose sanctions, it would be better to have Congress set rules that protect all the interests involved. But lawmakers have been stymied for years on cybersecurity by a split among corporate lobbyists, consumer advocates and the administration over privacy and liability concerns. Congress needs to resolve those differences and move ahead on legislation to improve the country's cyberdefenses, rather than having Obama try to solve the problem one executive order at a time.