The US is targeting hackers in the same way it's targeted terrorists and nuclear proliferations programs.
President Obama issued a broad and far-reaching cybersecurity executive order Wednesday that allows the executive branch to unilaterally financially target foreign-based hackers, regardless of any laws or extradition treaties the United States has with the country the hacker or hacker group lives in.
The order empowers the State Department and Treasury Department to freeze the bank accounts and financial assets of those suspected of hacking the US government or US companies, of those who have sponsored hacking, and of those who used hacked information to get a "competitive advantage or private financial gain."
It would also allow the government to go after hackers who attack critical infrastructure (which includes the power grid, water sanitation plants and more), cause a "significant disruption to the availability of a computer network," steal intellectual property, or have impacted the "economic health or financial stability of the United States."
And although the language of the order is very careful to not specifically mention "governments" that hack the United States—that's what this order is actually about, experts say.
"Our reach in the global financial network is all-encompassing"
The order has been in the works for more than two years, according to the Washington Post. The text of the order declares foreign hackers an "unusual and extraordinary threat" that constitutes a "national emergency."
That last "national emergency" bit is important: A law passed in 1977 called the International Emergency Economic Powers Act allows the president to regulate commerce in the event of a "national emergency" caused by a foreign source, and is where Obama has taken the order's power from.
The order applies to any individual or hacker "entity," which means a "partnership, trust, joint venture, corporation, group, subgroup, or other organization." The language has been purposefully kept vague to apply to essentially any foreign cyber threat, according to Peter W. Singer, a cybersecurity strategist at the New America Foundation.
The order is modeled on previous US anti terrorism and anti nuclear weapons proliferations policies, and is likely considered a tool to threaten, deter, and sanction countries that sponsor or harbor cyber hacking groups, Singer said.
"This is designed to go after the ultimate big fish, whether or not it specifically says that in the order—the state-linked fish," he told me. "It's a useful tool for punishing and messaging, but for highly motivated actors, it's unlikely to shift their ultimate calculation."
"The White House's newest executive order once again sensationalizes current events to increase government powers"
Unlike ongoing terrorist programs and nuclear weapons, however, hacking is both notoriously difficult to attribute to individuals or specific groups, and it can be done to a highly effective degree on a shoestring budget with just a couple people. Cyber crime is difficult to attribute in part because hackers often use proxies or co-opt other people's computers or networks in order to make it seem like someone else is doing the hacking.
And though the order seems intended to go after state-sponsored hackers, there's nothing in the language of the order that would prevent the government from sanctioning, say, individual hacktivists or hacktivist groups that have no relation to any government. In theory, it means that someone who ostensibly has nothing to do with a hack could have their lives ruined by the US government regardless of how insulated and US-independent their financial situation may seem.
"Our reach in the global financial network is as broad as it gets," Singer said. "It's all-encompassing. It allows you to go after lots of people in a lot of different ways."
Amie Stepanovich, US policy manager of Access, a digital human rights organization, said that the US government already has enough ways of going after hackers, and that this order can be looked at as an overreaction to the Sony hack and other high-profile incidents.
"The White House's newest executive order once again sensationalizes current events to increase the government's powers," Stepanovich told me. "The fact is, we already have strong rules for addressing criminal activity while protecting human rights. The president should to look to applying those rules to the internet rather than inventing dangerous new authorities."
Singer noted that the US has, indeed, sanctioned foreign governments for hacking before. But he says this bill gives the government better flexibility to go after China, Russia, and some of the other major players in the international cybercrime world.
Whether it'll work is another question altogether.
The US has thrown every sanction possible at North Korea, for example, but it hasn't deterred the country from developing nuclear weapons any less. In the past, the US has also sanctioned nations suspected of harboring terrorist organizations, but that has also had little effect.
But, because many of the most successful hackers are state-sponsored groups in China and Russia—countries that the US can't exactly end financial dealings with without causing massive international instability—the government wants flexibility to target not only national governments, but smaller groups within foreign countries.
Cutting off all of the Chinese government's financial dealings with the United States would crash the worldwide economy and cause a major international incident; cutting off the bank accounts of individual hackers or a small group of hackers within the Chinese government might have a better impact.
"Look at the parallel between the North Korea Sony hack and Chinese hackers. In the Sony hack, we put targeted sanctions not on the individuals we thought were directly behind it, but on the North Korean government," Singer said. "By comparison, we indicted five Chinese [military] hackers who were low level [for a separate hack against US power companies]."
"These countries are of different sizes and scales, so that's why the government wants to separate it from overall state relations," he added.
With hacking now being placed on the same level as terrorism and anti-nuke programs, President Obama has now given his government the power, if it wants to, to cause serious financial ruin and international instability.