Frequently Asked Questions

Print this topic

Cyber-related Sanctions

444. How will Treasury decide whom to sanction under this authority?

Executive Order (E.O.) 13694, as amended on December 29, 2016, focuses on specific harms caused by significant malicious cyber-enabled activities, and directs the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on those persons he determines to be responsible for or complicit in activities leading to such harms. Acting pursuant to delegated authority, Treasury’s Office of Foreign Assets Control (OFAC) works in coordination with other U.S. government agencies to identify individuals and entities whose conduct meets the criteria set forth in E.O. 13694, as amended, and designate them for sanctions. Persons designated under this authority are added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).

E.O. 13694, as amended, is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government. [12-29-2016]

445. What are my compliance obligations with respect to E.O. 13694, as amended?

As with many of the sanctions programs that Treasury administers, U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC’s SDN List pursuant to E.O. 13694, as amended, or any entity owned by such persons.

As a general matter, U.S. persons, including firms that facilitate or engage in online commerce, are responsible for ensuring that they do not engage in unauthorized transactions or dealings with persons named on any of OFAC’s sanctions lists or operate in jurisdictions targeted by comprehensive sanctions programs. Such persons, including technology companies, should develop a tailored, risk-based compliance program, which may include sanctions list screening or other appropriate measures. An adequate compliance solution will depend on a variety of factors, including the type of business involved, and there is no single compliance program or solution suitable for every circumstance.

The names of, and identifying information for, all individuals and entities included on OFAC’s sanctions lists may be located via OFAC’s free, online search engine at the following URL: http://sanctionssearch.ofac.treas.gov. In addition, OFAC offers text and PDF versions of these lists for manual review and a number of data file versions of its lists that are designed to facilitate automated screening. Depending on the scale, sophistication, and risk profile of your business, you may consider one of the numerous commercially available screening software packages. [12-29-2016]

447.  What will significant malicious “cyber-enabled” activities mean for the purposes of Executive Order (E.O.) 13694?

We anticipate that regulations to be promulgated will define “cyber-enabled” activities to include any act that is primarily accomplished through or facilitated by computers or other electronic devices. For purposes of E.O. 13694, malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain. These activities are often the means through which the specific harms enumerated in the E.O. are achieved, including compromise to critical infrastructure, denial of service attacks, or massive loss of sensitive information, such as trade secrets and personal financial information.

E.O. 13694 is tailored to address cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. As this language indicates, it is intended to counter the most significant cyber threats that we face, whether they target our critical infrastructure, our companies, our citizens, or our economic health or financial stability.

448. I conduct cyber-related activities for legitimate educational, network defense, or research purposes only. Am I vulnerable to the application of sanctions under this authority for these activities?

The measures in this order are directed against significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms, and are not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities. The U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors.

Similarly, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events

449. I administer a network for my employer and I regularly deny access to certain services and systems (e.g., retail websites, social media platforms) in order to ensure the performance of the network for authorized business activities. Could I or my employer be sanctioned for this?

The measures in this order are designed to address the threat posed by individuals and entities engaged in significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms. These measures are not designed to prevent or interfere with legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems, or systems they are otherwise authorized to manage.

450. Will Treasury impose sanctions on persons whose personal computers (or other networked electronic devices) are, without their knowledge or consent, used in malicious cyber-enabled activities (e.g., in denial-of-service attacks against U.S. financial institutions)?

No. These sanctions are designed to target those actors whose malicious cyber-enabled conduct is reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. These measures are not intended to target victims of such activities, including the unwitting owners of compromised computers.

For more information about best practices for securing home networks and engaging in responsible online behavior, visit the Federal Trade Commission’s website at OnGuardOnline.gov.

451. How do financial sanctions relate to existing legal authorities in this context?

The United States’ whole-of-government strategy to combat cyber threats draws from a broad range of tools and authorities to respond to the growing and evolving threat posed by malicious cyber actors. Similar to our approach to global threats from terrorists, narcotics traffickers, and transnational criminal organizations, we will use financial sanctions in the fight against malicious cyber actors as a complement to existing tools, including diplomatic outreach and law enforcement authorities.

452. Are these sanctions consistent with international obligations?

As with all financial sanctions programs Treasury administers, these measures will be implemented in accordance with domestic law and our international obligations.

489. The President has amended E.O. 13694 to cover “misappropriation of information.” What does that term mean? Does that mean that Treasury will impose sanctions related to the publication of information by American whistleblowers or members of the press?

No. This authority does not target American whistleblower activity or constitutionally protected activity. The E.O. defines misappropriation to be the “taking or obtaining by improper means, without permission or consent, or under false pretenses.” Importantly, to be eligible for sanctions under this provision, an individual or entity must not only “misappropriate” information, but it must also do so with the purpose or effect of interfering with or undermining election processes or institutions.

501. What does General License 1A (GL 1A), “Authorizing Certain Transactions with the Federal Security Service,” authorize?

GL 1A authorizes transactions with the Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a. FSB) that are necessary and ordinarily incident to requesting, receiving, utilizing, paying for, or dealing in certain licenses and authorizations for the importation, distribution, or use of certain information technology products in the Russian Federation. It also authorizes transactions necessary and ordinarily incident to compliance with rules and regulations administered by, and certain actions or investigations involving, the FSB.

This general license does not authorize U.S. persons to engage in transactions with the FSB except for the limited purposes described above, nor does it authorize the exportation, reexportation, or provision of any goods, technology, or services to the Crimea region of Ukraine.

A prior version of this general license was issued on February 2, 2017 (GL 1). On March 15, 2018, GL 1 was amended and reissued as GL 1A to ensure the scope of activities already authorized with respect to the FSB is not affected by the designation of the FSB under Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA). The changes to GL 1 are limited to adding CAATSA authorities. GL 1A replaces and supersedes GL 1 effective March 15, 2018.

502. What sanctions remain in place on the FSB following the issuance of GL 1A?

GL 1A only authorizes certain transactions with the FSB acting in its administrative and law enforcement capacities. The GL was issued in order to ensure that U.S. persons engaging in certain business activities in Russia that are not otherwise prohibited are not unduly impacted. All other transactions involving any property subject to U.S. jurisdiction or within the possession or control of U.S. persons in which the FSB has an interest, including all other transactions directly or indirectly with the FSB, remain prohibited unless exempt or otherwise authorized by OFAC.

503. Does GL 1A authorize the exportation of hardware or software directly to the FSB, or where the FSB is the end user of such hardware and software?

No. GL 1A does not authorize the export of any goods, technology, or services directly or indirectly to the FSB or any other blocked person or entity, except for the limited purposes of complying with certain rules, regulations, and investigations involving the FSB or requesting certain licenses or authorizations for the importation, distribution, or use of information technology products in the Russian Federation.

504. I understand that travel to Russia involves clearing Russian border control, which is part of the FSB. Do I need a license from OFAC to travel to Russia, or to clear Russian customs?

No, the sanctions on the FSB do not apply to transactions by U.S. persons that are ordinarily incident to travel to or from Russia, including those transactions required to enter into or exit the country (i.e., complying with Russian border control requirements).

646. How do I block digital currency?

Once it has been determined that your institution is holding digital currency that is required to be blocked pursuant to OFAC’s regulations, you must ensure that access to that digital currency is denied to the blocked person and that your institution complies with OFAC regulations related to blocked assets. Institutions may choose, for example, to block each digital currency wallet associated with the digital currency addresses that OFAC has identified as being associated with blocked persons, or opt to use its own wallet to consolidate wallets that contain the blocked digital currency (similar to an omnibus account) titled, for example, “Blocked SDN Digital Currency.” Each of these methods is satisfactory, so long as there is an audit trail that will allow the digital currency to be unblocked only when the legal prohibition requiring the blocking of the digital currency ceases to apply. The institution is not obligated to convert the blocked digital currency into traditional fiat currency (e.g., U.S. dollars). Blocked digital currency must be reported to OFAC within 10 business days. Questions about whether a transaction should be blocked should be directed to OFAC at 202-622-2490 or ofac_feedback@treasury.gov.

647. Should an institution tell its customer that it blocked access to their digital currency and, if so, how does the institution explain it to the customer?

An institution may notify its customer that it has blocked digital currency pursuant to OFAC regulations. The customer has the right to apply for the unblocking and release of the digital currency.

To apply online to have the virtual currency released, please go to OFAC’s online application page.