As the Assistant to the President for Homeland Security and Counterterrorism, I advise President Obama on the range of security challenges facing the United States every day, from terror threats at home and abroad and pandemic disease, to natural disasters and cybersecurity. Cyber threats are at the top of the President’s list of security concerns. In just the past year, we have seen a significant increase in the frequency, scale, and sophistication of cyber incidents targeting the American people, including everything from large data breaches and significant intrusions to destructive and coercive cyber attacks intended to influence the way ordinary Americans exercise their constitutional rights. In many cases, these threats stem from actors overseas using malicious cyber activities to inflict harm on Americans without ever leaving their desks.
No one connected to the Internet is immune from these harms — not businesses, not private citizens, and not the government. Moreover, the implications of these harms are as real as they are complex — everyone can feel the effects of malicious cyber activity, from the consumer who is forced to deal with the consequences of a data breach affecting a business with whom he or she deals, to the company whose trade secret is stolen by faraway competitors.
We are at a transformational moment in how we approach cybersecurity. The actions we take today will help ensure that the Internet remains an enabler of global commerce and innovation.
A significant part of the U.S. government’s actions in the cybersecurity realm are focused on network defense and incident response. In this regard, we are working to enhance cybersecurity capabilities both in government and across the private sector. Initiatives like the Cybersecurity Framework have helped industry not only respond to threats and recover from attacks, but prevent them in the first place. We’ve bolstered the government’s cyber defenses, enhanced information sharing with the private sector, and we are forming the Cyber Threat Intelligence Integration Center (CTIIC), which will provide integrated all-source analysis of cyber threats and help ensure that the U.S. government is sharing the intelligence needed to defend critical networks. The President has taken executive action to expand private-sector information sharing and to protect consumers. He has also sent Congress proposed legislation that would better protect consumers who have been the victims of identity theft, modernize the tools law enforcement uses to investigate and deter cybercrimes, and promote increased cyber threat information sharing among private-sector entities and the government.
Efforts to improve our defenses and response capabilities are essential, but insufficient standing alone. We can and must do more. In particular, we need to deter malicious cyber activity and to impose costs in response to the most significant cyber intrusions and attacks, especially when those responsible try to hide behind international boundaries. Effective incident response requires the ability to increase the costs and reduce the economic benefits from malicious cyber activity. And this means, in addition to our existing tools, we need a capability to deter and impose costs on those responsible for significant harmful cyber activity where it really hurts — at their bottom line.
That is why today, the President announced a new sanctions program that authorizes the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to sanction malicious cyber actors whose actions threaten the national security, foreign policy, or economic health or financial stability of the United States.
Malicious cyber activity — whether it be stealing sensitive information, including personal identifiers, or trade secrets — is often profit-motivated. Because those responsible want to enjoy the ill-gotten proceeds of their activities, sanctions can have a significant impact. By freezing assets of those subject to sanctions and making it more difficult for them to do business with U.S. entities, we can remove a powerful economic motivation for committing these acts in the first place. With this new tool, malicious cyber actors who would target our critical infrastructure or seek to take down Internet services would be subject to these costs when designated for sanctions.
This new executive order is specifically designed to be used to go after the most significant malicious cyber actors we face. It is not a tool that we will use every day. Law-abiding companies have absolutely nothing to worry about; for them, it’s business as usual. We will never use it to try to silence free expression online or curb Internet freedom. Nor will this authority be used to go after legitimate cybersecurity researchers or innocent victims whose computers are compromised. It is designed to be used in conjunction with our other authorities — including law enforcement and diplomatic efforts — to help deter and disrupt the worst of the cyber threats that we face.
This much is clear: Our ability to connect reliably and communicate freely online is a bedrock of U.S. companies’ innovation and our global economic competitiveness. That is why strengthening U.S. cybersecurity is and will remain a defining challenge of the 21st century, and why we will continue to take action to protect our companies and our citizens from the greatest threats we face — online and off. The Executive Order signed by President Obama today provides one more tool to do so.