It’s one of the great paradoxes of our Information Age — the very technologies that empower us to do great good can also be used by adversaries to inflict great harm. The same technologies that help keep our military strong are used by hackers in China and Russia to target our defense contractors and systems that support our troops. Networks that control much of our critical infrastructure — including our financial systems and power grids — are probed for vulnerabilities by foreign governments and criminals.
Cyber intrusions and attacks — many of them originating overseas — are targeting our businesses, stealing trade secrets, and costing American jobs. Iranian hackers have targeted American banks. The North Korean cyber attack on Sony Pictures destroyed data and disabled thousands of computers. In other recent breaches that have made headlines, more than 100 million Americans had their personal data compromised, including credit card and medical information.
In response to these cyber threats, our government is using every tool at our disposal — including diplomacy, law enforcement, and cooperation with other nations and the private sector — to strengthen our defenses and detect, prevent, respond to, and recover from attacks. Still, it’s often hard to go after bad actors, in part because of weak or poorly enforced foreign laws, or because some governments are either unwilling or unable to crack down on those responsible.
That’s why, with the new Executive Order I’m signing today, I’m for the first time authorizing targeted sanctions against individuals or entities whose actions in cyberspace result in significant threats to the national security, foreign policy, economic health or financial stability of the United States.
Our primary focus will be on cyber threats from overseas. In many cases, diplomatic and law enforcement tools will still be our most effective response. But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst.
Starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit. From now on, we have the power to freeze their assets, make it harder for them to do business with U.S. companies, and limit their ability to profit from their misdeeds.
While we’re focused on the supply side of this problem — those who engage in these acts — we’ll also go after the demand side — those who profit from them. As of today, there’s a new deterrent because I’m also authorizing sanctions against companies that knowingly use stolen trade secrets to undermine our nation’s economic health.
These sanctions are meant to protect our national security, personal privacy and civil liberties. As such, sanctions will in no way target the unwitting victims of cyberattacks, like people whose computers are hijacked by botnets. Nor does this executive order target the legitimate cybersecurity research community or professionals who help companies improve their cybersecurity. And unlike some other countries, we will never try to silence free expression online or curb Internet freedom.
After all, a core principle of my Administration’s approach to cybersecurity is that we want more partnerships and innovation, not less. I want more Americans thriving in our digital world. That’s why we’re working to improve our ability to quickly integrate and share intelligence about cyber threats across government and with our foreign partners. It’s why we’re working to share more information about threats and solutions with industry and why we need Congress to pass legislation to help us meet this challenge. And it’s why I’ve come out strongly for net neutrality — because we have to keep the Internet open and free.
As Americans, our security, prosperity, and privacy in the 21st century will depend on our ability to learn, innovate, build, and do business online — and to do it safely, knowing that our sensitive or personal information will be protected. As of today, the United States has a new tool to protect our nation, our companies, and our citizens — and in the days and years ahead, we will use it.