Cyber-related Sanctions

448

Answer

The measures in this order are directed against significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms, and are not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities. The U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors.

Similarly, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events.

Date Released
April 1, 2015

447

Answer

We anticipate that regulations to be promulgated will define “cyber-enabled” activities to include any act that is primarily accomplished through or facilitated by computers or other electronic devices. For purposes of E.O. 13694, malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain. These activities are often the means through which the specific harms enumerated in the E.O. are achieved, including compromise to critical infrastructure, denial of service attacks, or massive loss of sensitive information, such as trade secrets and personal financial information.

E.O. 13694 is tailored to address cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. As this language indicates, it is intended to counter the most significant cyber threats that we face, whether they target our critical infrastructure, our companies, our citizens, or our economic health or financial stability.

Date Released
April 1, 2015

504

Answer

No, the sanctions on the FSB do not apply to transactions by U.S. persons that are ordinarily incident to travel to or from Russia, including those transactions required to enter into or exit the country (i.e., complying with Russian border control requirements).

Date Released
March 15, 2018

503

Answer

No. GL 1B does not authorize the export of any goods, technology, or services directly or indirectly to the Federal Security Service or any other blocked person, except for the limited purposes of complying with rules and regulations administered by, and certain actions and investigations involving, the Federal Security Service or requesting certain licenses or authorizations for the importation, distribution, or use of information technology products in the Russian Federation.

Date Released
March 2, 2021

502

Answer

GL 1B only authorizes certain transactions and activities with the Federal Security Service acting in its administrative and law enforcement capacities. The GL was issued in order to ensure that U.S. persons engaging in certain business activities in Russia that are not otherwise prohibited are not unduly impacted. All other transactions and activities involving any property subject to U.S. jurisdiction or within the possession or control of U.S. persons in which the Federal Security Service has an interest, including all other transactions and activities directly or indirectly with the Federal Security Service, remain prohibited unless exempt or otherwise authorized by OFAC.

Date Released
March 2, 2021

501

Answer

GL 1B authorizes transactions and activities with the Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a. FSB) that are necessary and ordinarily incident to requesting, receiving, utilizing, paying for, or dealing in certain licenses and authorizations for the importation, distribution, or use of certain information technology products in the Russian Federation. It also authorizes transactions and activities necessary and ordinarily incident to compliance with rules and regulations administered by, and certain actions or investigations involving, the Federal Security Service.

This general license does not authorize U.S. persons to engage in transactions and activities with the Federal Security Service, except for the limited purposes described above, nor does it authorize the exportation, reexportation, or provision of any goods, technology, or services to the Crimea region of Ukraine.

Date Released
March 2, 2021

445

Answer

As with many of the sanctions programs that Treasury administers, U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC’s SDN List pursuant to E.O. 13694, as amended, or any entity owned by such persons.

As a general matter, U.S. persons, including firms that facilitate or engage in online commerce, are responsible for ensuring that they do not engage in unauthorized transactions or dealings with persons named on any of OFAC’s sanctions lists or operate in jurisdictions targeted by comprehensive sanctions programs. Such persons, including technology companies, should develop a tailored, risk-based compliance program, which may include sanctions list screening or other appropriate measures. An adequate compliance solution will depend on a variety of factors, including the type of business involved, and there is no single compliance program or solution suitable for every circumstance.

The names of, and identifying information for, all individuals and entities included on OFAC’s sanctions lists may be located via OFAC’s free, online search engine at the following URL: http://sanctionssearch.ofac.treas.gov. In addition, OFAC offers text and PDF versions of these lists for manual review and a number of data file versions of its lists that are designed to facilitate automated screening. Depending on the scale, sophistication, and risk profile of your business, you may consider one of the numerous commercially available screening software packages. [12-29-2016]

Date Released
December 29, 2016

444

Answer

Executive Order (E.O.) 13694, as amended on December 29, 2016, focuses on specific harms caused by significant malicious cyber-enabled activities, and directs the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions on those persons he or she determines to be responsible for or complicit in activities leading to such harms. Acting pursuant to delegated authority, Treasury’s Office of Foreign Assets Control (OFAC) works in coordination with other U.S. government agencies to identify individuals and entities whose conduct meets the criteria set forth in E.O. 13694, as amended, and designate them for sanctions. Persons designated under this authority are added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).

E.O. 13694, as amended, is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government. [12-29-2016]

Date Released
December 23, 2016