As the U.S. looks to get tougher on cyber criminals who threaten the nation's critical infrastructure, the Treasury Department released an abridged version of a proposed regulation for imposing cyber-related sanctions on foreign actors, whether individuals, groups or nation-states.
A major part of the administration's strategy to prevent international actors from perpetrating cyberattacks against the U.S. — citizens, companies and, in some instances, the government itself — is a carrot-and-stick approach, including a multinational community abiding by cyber norms coupled with sanctions on those who stray.
Federal Register: Cyber-Related Sanctions Regulations
In April, President Barack Obama signed an executive order strengthening the administration's ability to impose such sanctions and tasked Treasury with taking the lead in developing and ultimately applying penalties. Before taking any action, the department would first consult with the attorney general and secretary of state, according to the executive order.
Prior to the order, the U.S. imposed sanctions on governments and certain multinational organizations. The new regulation enables the feds to go after specific individuals, freezing any assets within America's jurisdiction, restricting travel to the U.S. and prohibiting U.S. companies from doing business with those individuals.
The regulation posted on the Federal Register defines the terms and scope of the authority, such as who can be sanctioned and what those penalties look like.
"We are focusing on those actors that pose a significant threat to the national security, the foreign policy or the economic health or security of the United States as a whole," he said, listing some of the specific kinds of actions that could result in sanctions. "Damaging attacks on our critical infrastructure; disrupting computer networks through a widespread distributed denial of service attack; widespread or significant thefts of personal information, financial data, trade secrets or personal property; and the knowing use or receipt of those stolen goods."
While the rule has been finalized as of Dec. 31, the post on the Federal Register is an abbreviated version, with a more comprehensive version expected in the near future.