The “September 6th Rule”: The Fight Against Foreign Cybercriminals

By: Natalie Kempton

Entities that pose a security threat to the U.S. now have to face newly finalized cyber-related sanctions coined as the “September 6th Rule”.  On September 6th, 2022, the Office of Foreign Assets Control (“OFAC”) updated and reissued Cyber-Related Sanction Regulations which include President Obama’s Executive Orders 13694, 13757, as well as certain provisions of the Countering America’s Adversaries Through Sanctions Act (“CAATSA”).  These sanctions are an important and necessary response to the growing number of cybersecurity threats from foreign adversaries.  The revamped rules “target activities by foreign regimes, terrorists, international narcotic traffickers, purveyors for weapons of mass destruction and other threats to national security.”

Obama’s original Executive Orders 13694 and 13757 focused on tackling cyber-terrorism in the United States.  Executive Order 13694 titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities” was signed in 2015.  The order was created to defend the U.S. against rising cyberattacks by permitting the U.S government to freeze assets and deny entry into the U.S. to people determined to have engaged in malicious cyberattacks against American networks.  Executive Order 13694 was amended in December 2016 by Executive Order 13757 after President Obama issued a national emergency as a response to the increasing threat of malicious cyber-enabled activities.  This national emergency was a result of Russian entities meddling in U.S. elections through cyber-terrorism.  The updated order included a list of people engaged in alleged malicious cyber activity whose U.S. property would be blocked as a result.  This list included many prominent cyber hackers which were notably many Russian entities.

OFAC’s new regulations also specifically address the continuing threat Russia poses to the United States by including the CAATSA provisions.  CAATSA was originally signed into law in 2017 to establish sanctions relating to Ukraine and Russia Executive orders and directives.  CAATSA requires the imposition of sanctions to activities of the Russian federation that undermine cybersecurity and persons who knowingly provide financial services in support of activities that undermine cybersecurity.

The “September 6th Rule” is an amalgamation of these Executive Orders, regulations, and related laws, meant to strengthen and consolidate regulations preventing malicious cyber-enabled activity.  The OFAC regulations specify previous measures used to counter malicious activity by laying out interpretive guidance, general licenses, and key definitions for terms within these laws.  The order describes potential civil and criminal penalties to be issued if one is found guilty of engaging in such activity.  Civil fines can be issued of an amount twice that of the transaction which is the basis of the violation.  Those criminally convicted can be fined up to $1 million and be given up to a 20-year prison sentence.  Further punishments from the treasury department include bans on cyber criminals from dealing in U.S.-based securities trade, as well as prohibiting banks from issuing credit cards, debit cards, or having any other financial agreement with sanctioned individuals.  However, there are exceptions to this, as some sanctions have transactions that remain exempt such as communications that are not valuable.  Also exempt are activities related to U.S. intelligence gathering or NASA collaboration with the Russian Space program.  In order to lift sanctions imposed under this rule, Congressional approval is required.  These regulations also incorporate definitions of entities and people which the U.S. Treasury department can sanction, whether their harmful involvement in malicious cyber activity was direct or indirect.  The list of definitions includes dangerous malicious cyber activity which is explicated as an activity that harms “critical U.S. infrastructure, computer networks, funds, trade secrets, personal and financial information.”  Providing these foundational definitions of cyberterrorism is key to clarifying the merged orders, regulations, and laws.

While these rules may restate previous regulations and do not necessarily revise any laws, they are still incredibly important as they serve as a fundamental step to maintaining national security as technology continues to rapidly advance.  Cybersecurity threats are a massive issue globally, but especially in the United States.  In 2020 alone, online scams spiked more than 400% and data breaches resulted in 36 billion records being exposed.  The U.S. currently has the world’s highest data breach costs with the average attack costing $8.6 million.  These numbers are shocking and show how necessary these rules are to further protect the U.S. and its citizens from hackers threatening the nation’s infrastructure and security.  Sanctions and regulations will help provide thorough guidance to the public and ensure Americans are as protected as possible by imposing strong and transparent cybersecurity punishments.  A cohesive defensive front is essential in preventing future malicious cybersecurity threats from occurring and lowering the average attack cost.  In the wake of increasing cybersecurity threats and Russia waging war in Ukraine, maintaining cohesive cybersecurity sanctions should be an essential focus for the United States government now more than ever.

 

Student Bio: Natalie Kempton is a second-year law student at Suffolk University Law School.  She is a staff writer on the Journal of High Technology Law.  Natalie received a Bachelor’s Degree in International Studies and Italian from the College of the Holy Cross.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.

Print Friendly, PDF & Email