New U.S. government sanctions targeting the bank accounts of suspected cyberattackers raise questions about due process for people who feel they’re wrongly accused and about how agencies will identify the source of attacks.
The new sanctions, announced by President Barack Obama’s administration Wednesday, would allow the U.S. Department of the Treasury to freeze the funds held in U.S. banks of people and organizations suspected of engaging in malicious cyberattacks that pose a “significant threat to the national security, foreign policy, economic health, or financial stability” of the U.S., according to information released by the White House.
The Treasury Department, consulting with the Department of Justice and Department of State, could impose the sanctions if it has a “reasonable basis to believe” the targeted organization or person is engaging in the malicious attacks.
But attributing the source of cyberattacks is still difficult, and it’s unclear what standard of proof the U.S. government will use to impose the new sanctions, some legal and cybersecurity experts said. In addition, the White House offered few details about how accused organizations can challenge the sanctions, critics said.
“What standard of proof are agencies going to use?” said Nick Akerman, a veteran lawyer focused on cybersecurity and privacy at law firm Dorsey and Whitney in New York City. “It’s not always clear who the hackers are.”
Akerman praised the Obama administration for calling cyberattacks a “national emergency,” saying such recognition is long overdue, but he questioned how targeted groups will challenge the sanctions.
He also questioned how the Treasury Department and other agencies involved would determine an attack was serious enough to impose sanctions. “Are we just taking the word of the company that was hacked, or are they just going after a competitor overseas?” he said.
The new sanctions will be limited and will not be used to target free speech or interfere with an open Internet, Obama administration officials said during a press briefing Wednesday. “We very much intend this tool to be one that is targeted and judicious in its use,” White House Cybersecurity Coordinator Michael Daniel said. “It’s not one that we are expecting to use every day.”
Affected organizations or people will be able to appeal the sanctions, added John Smith, acting director of the Treasury Department’s Office of Foreign Assets Control. Targets of the sanctions can file an administrative appeal with Smith’s office, or they can file a lawsuit in U.S. district court, he said.
The goal of the order appears to be targeting overseas criminal syndicates and “fraudsters,” said Ken Westin, a security analyst at cybersecurity vendor Tripwire.
Implementing the sanctions will be challenging because of the difficulty attributing attacks, he added by email. “You may be able to identify from what country an attack is routed through, but identifying who is behind the keyboard or phone is a different story altogether,” he said. “One of the reason cyberattacks and technology enabled fraud have been so prevalent is due to the ease of evading detection and relative anonymity that a number of tools available provide.”
The order may help beef up U.S. cyberdefenses, but attributing the source of attacks is “not nearly as easy as it sounds”, added Greg Foss, senior security engineer with LogRhythm, another cybersecurity vendor.
“It is trivial for hackers to pivot through other countries and misplace blame in order to create the illusion that an attack originated from a specific location,” Foss added by email. “Malware can and will be created that contains false data, to shift culpability.”