This afternoon the White House announced several actions against Russia in retaliation for Russian interference in the U.S. election. Key among them is the use of the cybersecurity sanctions regime created by Executive Order 13694 in April 2015. But the White House had to amend the Executive Order to use it against Russia.
As I previously explained, the Executive Order was designed primarily to address interference with “critical infrastructure” and cyber-enabled theft of intellectual property or other information for competitive advantage or financial gain. Election infrastructure, however, is not (yet) designated as critical infrastructure in the United States. The omission of election infrastructure from critical infrastructure poses problems internationally because it means that the internationally agreed norm against attacks on critical infrastructure doesn’t necessarily reach U.S. election systems. The omission also posed a domestic challenge because the existing Order did not clearly apply. To remedy that problem, White House amended the Order to allow punishment of “(E) tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.”