Yesterday the Office of Foreign Assets Control published an executive order and accompanying FAQs under which the White House establishes the circumstances under which it will add certain persons and entities engaged in hacking computers and networks in the United States to the Specially Designated Nationals and Blocked Persons list. U.S. persons would be prohibited from engaging in any transactions with any of the designated cyberviolaters and all property of the cyberviolaters that comes into the United States or under the control of U.S. persons would required to be blocked.
Unlike most executive orders of this type, no parties have been designated yet under its authority; it is purely prospective in nature. This suggests that the order is, for the moment, mostly a diplomatic salvo and that its likely target is China. The numerous cyber attacks on the United States by China, including the recent Anthem breach, have been well documented and just as vociferously denied (in a clear methinks the lady doth protest too much” fashion) by the Chinese government.
Whether this will be effective in deterring China remains to be seen. One response by China to any future designation might be to double down and engage in cyber retaliation. Given the asymmetric nature of cyber warfare between the U.S. and China, due to the fact that the U.S. is more connected and more vulnerable than China, such retaliation cannot be discounted.
An additional point should be made on these new sanctions. I have seen some popular tech media and bloggers suggest that the sanctions might be applied to domestic hackers, even relatively benign ones doing things similar to what got Aaron Schwartz in trouble. It is important to remember, however, that the International Emergency Economic Powers Act, under which the executive order was issued, restricts the scope of the order to blocking “any property in which any foreign country or a national thereof has any interest,” thereby preventing purely domestic application of these sanctions. A domestic hacker would have to be working on behalf of a foreign country or foreign national to be designated under the new cyber sanctions.