Introduction 

A lawyer is the founder and owner of a small law firm. After years of investment and relationship building, she builds her business into a respectable practice with fifteen attorneys helping people throughout the community. Over several years, thousands of clients entrust the firm with their sensitive information, which the firm stores on its office computers. 

One day, after coming into her office, the lawyer opens her computer to a message: “Your network has been penetrated and all files have been encrypted. Transfer a payment of $50,000 in Bitcoin to the wallet attached to the QR code below within 3 days. Sensitive documents will be released to the public if you do not pay.” 

The lawyer is concerned. Without network access, the firm will likely miss several of its upcoming court filing deadlines. Further, she realizes that if the clients’ information were leaked, the firm would be exposed to a significant liability risk. These factors, in combination with the likely reputational harm, lead the lawyer to one conclusion: if she does not pay the ransom, it may be the end of her business. 

Before paying the ransom, however, the lawyer quickly conducts research and discovers that a little-known sub-agency of the Department of Treasury, the Office of Foreign Asset Control (“OFAC”), threatens to punish victims of ransomware attacks with civil penalties for payments to entities on the agency’s Specially Designated Nationals and Blocked Persons List (“SDN List”).¹Off. of Foreign Assets Control, U.S. Dep’t of the Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments 1 (2021) [hereinafter OFAC Advisory], https://perma.cc/EW8R-87QJ. The policy’s strict-liability basis raises more concerns:²Id. even if the victim did not know, nor reasonably should have known, that their attacker was on OFAC’s SDN List, the agency may nevertheless impose hefty civil penalties. Since the policy’s introduction in October 2020, however, the lawyer notices that the agency has yet to follow through on its threat.³Amy Deen Westbrook, A Safe Harbor for Ransomware Payments: Protecting Stakeholders, Hardening Targets, and Defending National Security, 18 N.Y.U. J.L. & Bus. 391, 412 (2022). 

The lawyer weighs her options. To face an OFAC penalty, (1) the attacker must be on the SDN List and (2) OFAC must discover the payment. Given that OFAC has yet to bring an enforcement action under this policy, she assumes that the probability of an OFAC penalty is low. On the other hand, the firm will almost certainly suffer immediate and irreparable harm if she does not pay the ransom. Given these two options, the lawyer decides to pay the ransom and cover up the attack. 

The lawyer quickly raises the funds, converts the money into Bitcoin, and sends the ransom to her attacker. Within a few hours, the computers are decrypted, and the firm continues its usual operations. Meanwhile, the attacker, emboldened by the successful attack on the lawyer, repeats the scheme several times to other small firms throughout the country. Faced with the same risks as the lawyer, each firm decides to pay the ransom and cover up the attack. The attacker continues to profit, and the government continues to be oblivious. Rinse and repeat. 

The lawyer’s dilemma is not unique. Thousands of U.S. organizations fall victim to anonymous ransomware attackers each year, yet only about 25% of attacks are reported to the government.⁴Staff of S. Comm. on Homeland Sec. & Governmental Affs., 117th Cong., Use of Cryptocurrency in Ransomware Attacks, Available Data, and National Security Concerns 5, 39 n.173 (Comm. Print 2022) [hereinafter Senate Report]. To address this dearth of crucial information, Congress created the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which implements a cooperative mandatory reporting program with liability protections for organizations victimized by ransomware attacks.⁵Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. No. 117-103, §§ 101–03, 2240–46, 136 Stat. 1038, 1038–54 (codified at 6 U.S.C. §§ 101, 665j, 681–681f). OFAC, however, has taken the opposite approach by threatening to punish victims for payments to attackers on its SDN List.⁶OFAC Advisory, supra note 1. In doing so, OFAC contradicts the cooperative approach under CIRCIA and disincentivizes victims, like the lawyer, from sharing information on their ransomware attacks with the government. The amount of influence wielded through this little-known sub-agency’s policy begs the question: Is it lawful? 

This Comment argues that the answer is no. First, the policy is not authorized by the statute in which it claims authority, the International Emergency Economic Powers Act (“IEEPA”), as it conflicts with the statute’s plain text, legislative intent, and central purpose. Second, from a separation-of-powers perspective, the policy is unconstitutional as it conflicts with Congress’s prescribed mechanism for combatting ransomware, as expressed in CIRCIA. Lastly, as a policy matter, OFAC’s threat is problematic in that it incentivizes ransomware victims to cover up, rather than report, information on their attacks. This Comment does not propose a comprehensive solution to curbing the rise of ransomware attacks in America. Rather, it simply argues that OFAC should renounce its policy and defer to the measured judgment of Congress. 

This Comment proceeds in three parts. Part I discusses the evolution of ransomware, law enforcement challenges, and the government’s response. Part II discusses the origins and evolution of IEEPA, the statute that OFAC claims authority for its policy, and the constitutional limits of the executive’s emergency economic powers. Part III argues that OFAC’s policy is (1) unconstitutional because it lacks authorization from either an act of Congress or the Constitution, and (2) problematic because it disincentivizes information sharing. 

I.      Ransomware Evolution, Law Enforcement Challenges, CIRCIA, and OFAC’s Policy 

To analyze the validity of OFAC’s policy, it is first necessary to discuss the background of ransomware regulation in the United States. Section A discusses ransomware’s evolution from a niche criminal hobby to a lucrative, multi-billion-dollar industry. Section B then discusses the challenges faced in ransomware law enforcement. Section C discusses CIRCIA and Congress’s plan for curbing ransomware attacks through cooperative information sharing. Lastly, Section D discusses the contours of OFAC’s strict liability threat for ransomware payments to entities on its SDN List. 

A.      The Evolution of Ransomware—From a Cottage Industry to a Major Problem 

Ransomware is a form of malicious computer software (“malware”) that infects a computer network, encrypts data, and then demands the victim pay a ransom to decrypt and recover the files or prevent the hacker from distributing or destroying the data.⁷See Ransomware 101, Cybersecurity & Infrastructure Sec. Agency, https://perma.cc/BXT9-KEEW (defining ransomware as a “form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable”). Victims unknowingly download ransomware by opening email attachments, clicking on online advertisements, or visiting infected websites.⁸Ransomware, Fed. Bureau of Investigation, https://perma.cc/SN9R-5NRL. In many instances, ransomware infections go undetected for months as malicious actors strategically wait for their moment to strike.⁹Jeffrey May, Ransomware on the Rise, Mich. Bar J., May 2022, at 30, 30. 

The first reported example of a ransomware attack traces back to 1989, when biologist Joseph Popp distributed 20,000 infected floppy disks to AIDS researchers.¹⁰Kaveh Waddell, The Computer Virus That Haunted Early AIDS Researchers, The Atlantic (May 10, 2016), https://perma.cc/A954-2EK9. Popp’s malware encrypted computer files, at which time he demanded the victims send $189 each to a P.O. Box in Panama to decrypt the machines.¹¹Id. Given the difficulty of payment and the ease of decryption, the attack led to little profit, and Popp was soon arrested in the United Kingdom and charged with blackmail.¹²Id. 

From these humble beginnings, ransomware has mutated into a threat that permeates every part of the global economy.¹³See Westbrook, supra note 3, at 404. While the government and private entities have struggled to compile a comprehensive data set,¹⁴See infra Section I.B for a discussion on the lack of ransomware information sharing. the available data paints an alarming picture. Since 2016, an average of 4,000 ransomware attacks occur daily in the United States alone.¹⁵U.S. Dep’t of Just. et al., How to Protect Your Networks from Ransomware [hereinafter DOJ Ransomware Advisory], https://perma.cc/SZ9X-QLAV. Malicious actors target entities across a broad range of sectors, including healthcare, education, and government (at the federal, state, and local levels).¹⁶The State of Ransomware in the US: Report and Statistics 2020, Emsisoft Blog (Jan. 18, 2021) [hereinafter Emsisoft Report], https://perma.cc/TT6T-Z69Q (finding that in 2020, ransomware attackers hit at least 560 healthcare facilities, 1,681 educational institutions, and 113 government agencies). Attackers regularly target small-to-medium-sized businesses: in 2020, 55% of all ransomware attacks hit businesses with less than 100 employees, and 75% hit businesses with under $50 million in revenue.¹⁷Ransomware Attacks Fracture Between Enterprises and Ransomware-as-a-Service in Q2 as Demands Increase, Coveware (Aug. 3, 2020) [hereinafter Coveware Report], https://perma.cc/5XMV-47AH. In 2020 alone, nearly 2,500 ransomware attacks were reported to the Federal Bureau of Investigation (“FBI”).¹⁸Fed. Bureau of Investigation, Internet Crime Report 2020 14 (2021) [hereinafter 2020 FBI Crime Report], https://perma.cc/LTA3-EL6R. 

Perhaps the most concerning trend in ransomware is the exponential growth in costs. The average ransomware demand jumped from $5,000 in 2018 to roughly $200,000 in 2020.¹⁹The Growing Ransomware Wave, Nat’l Sec. Inst. [hereinafter NSI Report], https://perma.cc/23F6-ADQS; Coveware Report, supra note 17. But the true cost of ransomware is more than just the ransom demanded: one report suggested that the cost of operational downtime caused by an attack is nearly fifty times greater than the ransom requested.²⁰Datto’s Global State of the Channel Ransomware Report, Datto [hereinafter Datto Report], https://perma.cc/XLQ4-76Q8; see also Jessica Davis, Ransomware Causes 15 Days of EHR Downtime, as Payments Avg $111K, TechTarget (May 4, 2020), https://perma.cc/22EQ-FK6C; Paul Bischoff, Ransomware Attacks Cost the US $159.4bn in Downtime Alone in 2021, Comparitech (July 19, 2022), https://perma.cc/H4P5-XS7W. In other words, the cost of being locked out of encrypted files is often exponentially more expensive than the ransom demand itself. In total, ransomware cost businesses $20 billion in 2021.²¹David Braue, Global Ransomware Damage Costs Predicted to Exceed $265 Billion By 2031, Cybercrime Mag. (June 2, 2022), https://perma.cc/2N9E-X59C. By 2031, the average annual cost is expected to reach to $265 billion.²²Id. 

Though the empirical data remains scattered and incomplete, it nevertheless illustrates the magnitude of the problem. Ransomware impacts organizations across all sectors, imposes billions of dollars in costs, and is likely here to stay. 

B.      The Challenges of Ransomware Law Enforcement: Identity, Accountability, and Information 

Certain characteristics unique to ransomware have hindered law enforcement efforts and allowed cybercriminals to thrive. First, because cybercriminals demand ransomware payments in the form of cryptocurrency, like Bitcoin, law enforcement often struggles to track the source of attacks.²³James A. Sherer, Melinda L. McLellan, Emily R. Fedeles & Nichole L. Sterling, Ransomware – Practical and Legal Considerations for Confronting the New Economic Engine of the Dark Web, 23 Rich. J.L. & Tech. 1, 38 (2017). Cryptocurrencies are pseudonymous: while each exchange in cryptocurrency is recorded on a digital ledger, the accounts are tied to digital addresses, rather than to individual names or addresses.²⁴Westbrook, supra note 3, at 415–17 (“[C]ryptocurrency transfers—including ransom payments—are generally difficult to connect with a particular person . . . .”). To complicate matters further, ransomware attackers typically launder payments through “mixers,” where potentially identifiable or tainted funds are mixed in a pool of other funds, thereby increasing the difficulty of tracing funds back to the original source.²⁵The Wild World of Crypto Ransomware Payments, Fin. Execs. Int’l Daily (Oct. 25, 2021), https://perma.cc/C64N-83MK. The FBI’s Recovery Asset Team (“RAT”), which functions as a “liaison between law enforcement and financial institutions,” has reported success in freezing assets for reporting entities. Fed. Bureau of Investigation, Internet Crime Report 2022 9–10 (2023) [hereinafter 2022 FBI Report], https://perma.cc/8JTU-UKK5. Since its creation in 2018, RAT reports a 73% success rate, freezing $433.30 million out of $590.62 million in fraudulent transfers. Id. 

Second, ransomware is often used as a tool to further nations’ geo-political objectives without triggering economic sanctions. National governments, such as Russia, China, and Iran, have either encouraged or refused to condemn ransomware attacks against organizations from the United States and other rival countries.²⁶Westbrook, supra note 3, at 410–12; Emily Flitter & David Yaffe-Bellany, Russia Could Use Cryptocurrency to Blunt the Force of U.S. Sanctions, N.Y. Times (Feb. 23, 2022), https://perma.cc/7WWB-2MKC. Experts recognize that the connection between national governments and cybercriminals is obscure by design: states establish ambiguous relationships with cybercriminals to create plausible deniability as to awareness of their criminal activities.²⁷See, e.g., Erica D. Lonergan, Cyber Proxies in the Ukraine Conflict: Implications for International Norms, Council on Foreign Rel. (Mar. 21, 2022), https://perma.cc/MXJ4-2LKZ. For example, when asked about Russian cyber interference in the 2016 U.S. presidential election, Russian Prime Minister Vladimir Putin stated, “If they did not break Russian law, there is nothing to prosecute them for in Russia.”²⁸Isabelle Khurshudyan & Loveday Morris, Ransomware’s Suspected Russian Roots Point to a Long Detente Between the Kremlin and Hackers, Wash. Post (June 12, 2021), https://perma.cc/GA8V-THVD (“[Russian cybercriminals] explicitly say there’s no going after Russian targets, . . . [a]nd that allows them to operate with impunity. . . . They are not operating at the behest of Russia, but they’re operating with the tacit acknowledgement of Russia.”). 

Third, perhaps most pertinent, the lack of information sharing between victims and the government hampers ransomware regulation. A 2021 investigative report by the Senate Committee on Homeland Security and Government Affairs highlighted the need for increased information sharing, noting that only about 25% of ransomware attacks are reported to the government.²⁹Senate Report, supra note 4, at 5. With more information sharing, “the federal government will be in a better position to assist existing and potential cybercrime victims with prevention, detection, mitigation, and recovery” and “facilitate[] more efficient investigation and prosecution of illicit actors.”³⁰Id. at 3. But without three-quarters of the available data, the effectiveness of the government’s enforcement tools is blunted and the development of effective solutions is inhibited.³¹Id. at 4. The FBI has publicly acknowledged its limited data set and the need for increased information sharing. In its 2022 Internet Crime Report, the FBI stated, 

[I]t has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement. By reporting the incident, the FBI may be able to provide information on decryption, recover stolen data, [seize/recover] ransom payments, and gain insight on adversary tactics. Ultimately, the information you provide will lead us to bring the perpetrators to justice. 

2022 FBI Report, supra note 25, at 13. The significance of this data shortage is obvious: with only a fraction of the available data on ransomware attacks, U.S. law enforcement fights an enemy in the dark. 

The lack of ransomware reporting may reflect the victims’ risk landscape: if an attack were to go public, a victim organization may face significant reputational harm, regulatory fines, and civil litigation. As a result, many victims, like the lawyer in the opening hypothetical, find that covering up an attack is the most prudent decision for their organization. 

C.      CIRCIA: Congress Prescribes Mandatory Reporting with Liability Protections 

Federal agencies have pushed for increased information sharing between the private and public sectors to address the persistent ransomware threat. The federal government has historically relied on voluntarily-reported information and a patchwork of laws, regulations, and guidance to map out the ransomware threat landscape.³²Senate Report, supra note 4, at 35 (noting that while the DOJ, SEC, and FinCEN each collect data on ransomware, no dataset is accessible across government agencies). As discussed above, these methods have proven ineffective. For example, experts describe the FBI’s ransomware dataset as “a subset of a subset of data,” with figures that are “incredibly low” and “inconsistent.”³³Alexander Culafi, FBI IC3 Report’s Ransomware Numbers Are Low, Experts Say, TechTarget (Mar. 18, 2021), https://perma.cc/Z7GR-BB4Y. As suggested by one expert, the incomplete dataset on ransomware can be explained by a “lack of reporting requirements and incentives [to cooperate].”³⁴Senate Report, supra note 4, at 40. 

In 2021, several bills aimed at increasing ransomware information sharing were introduced and considered in Congress.³⁵Chris Jaikaran, Cong. Rsch. Serv., R46944, Cybersecurity: Comparison of Selected Cyber Incident Reporting Bills—In Brief 1 (2021) [hereinafter Proposed Incident Reporting Bills] (comparing four cyber incident reporting bills from the first session of the 117th Congress: the Cyber Incident Reporting for Critical Infrastructure Act of 2021 (H.R. 5440), the Cyber Incident Notification Act of 2021 (S. 2407), the Cyber Incident Reporting Act of 2021 (S. 2875), and the Ransom Disclosure Act (S. 2943)). Ultimately, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which was signed into law by President Biden that March.³⁶Cybersecurity & Infrastructure Sec. Agency, Cyber Incident Reporting For Critical Infrastructure Act of 2022 (CIRCIA) Fact Sheet 1 (2022), https://perma.cc/2MNF-B344. CIRCIA required the director of the Cybersecurity and Infrastructure Agency (“CISA”) to publish proposed rules for implementing the statute’s reporting requirements by March 2024 and set the deadline for the final rule at eighteen months from the publishing of the proposed rules.³⁷Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. No. 117-103, § 2242(b), 136 Stat. 1038, 1044 (codified at 6 U.S.C. § 681b). 

Under CIRCIA, organizations in critical infrastructure sectors must report cyber incidents to CISA within seventy-two hours from the time they “reasonably believe” the incident occurred.³⁸Id. § 2242(a)(1). If a ransom payment is made after a ransomware attack, CIRCIA requires the entity to report to CISA within twenty-four hours.³⁹Id. § 2242(a)(2). 

The reporting requirements in CIRCIA apply only to what the statute defines as “covered entities.”⁴⁰Id. § 2240 (codified at 6 U.S.C. § 681). CIRCIA borrows the definition of “covered entities” from Presidential Policy Directive 21, though it requires the Director of CISA to promulgate a specific definition by the final rule. Id. Covered entities are organizations in sixteen critical infrastructure sectors “vital to . . . the Nation’s safety, prosperity, and well-being,”⁴¹Id.; Press Release, Off. of the Press Sec’y, The White House, Presidential Policy Directive—Critical Infrastructure Security and Resilience (Feb. 12, 2013) [hereinafter Presidential Policy Directive], https://perma.cc/2PKM-5AP8. including organizations in the communications, energy, financial services, and transportation systems sectors.⁴²Presidential Policy Directive, supra note 41. Chemical, Commercial Facilities, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Food and Agriculture, Governmental Facilities, Information Technology, Nuclear, and Water and Wastewater Systems are also designated as critical infrastructure sectors. Id. CIRCIA encourages but does not require non-covered entities to report cyber incidents as well. 

CIRCIA provides comprehensive liability protections for reporting entities, whether the information is reported mandatorily or voluntarily. For one, the statute provides that the government will treat reported information as “the commercial, financial, and proprietary information of the covered entity.”⁴³Cyber Incident Reporting for Critical Infrastructure Act of 2022 § 2245(b)(1). In other words, the government will not make the information provided publicly available, nor allow it to be used as the basis of civil litigation. In addition, CIRCIA prohibits federal, state, and local governments from pursuing enforcement actions based on information in reports.⁴⁴Id. § 2245(a)(5)(A). In the context of ransomware, this clause prohibits the government at all levels from prosecuting reporting entities for ransomware payments based on reported information.⁴⁵Id. By prohibiting the use of reported information in litigation and government enforcement actions, CIRCIA significantly reduces the risks faced by ransomware victims in sharing information with the government. 

CIRCIA’s explicit liability protections suggest that, after considering and debating various solutions to curb the ransomware problem,⁴⁶Proposed Incident Reporting Bills, supra note 35, at 1. Congress determined that the best defense against today’s ransomware threat is to provide victims with liability protection, not liability imposition. CIRCIA’s combination of reporting obligations and liability protections ensures greater governmental awareness of ransomware attacks and incentivizes cooperation by lowering the liability risk for reporting entities. With these protections, the government will gain better access to the most important tool in curbing ransomware: information. In sum, CIRCIA illustrates that, with respect to ransomware payments, Congress has decided that the “carrot” is more effective than the “stick.” 

D.      OFAC’s Ransomware Policy 

As opposed to CIRCIA’s cooperative information-sharing framework, OFAC has opted to threaten victims of ransomware attacks with strict liability civil penalties for payments to persons on its SDN List. Subsection 1 discusses OFAC’s SDN List designation process and Subsection 2 outlines OFAC’s ransomware policy. 

1.      The SDN List Designation Process

OFAC’s SDN List is comprised of individuals and entities located in, controlled by, or acting on behalf of, several targeted countries, like North Korea, Iran, Syria, and Cuba.⁴⁷Off. of Foreign Assets Control, U.S. Dep’t of the Treasury, Specially Designated Nationals and Blocked Persons List (SDN) Human Readable Lists (Jan. 6, 2023), https://perma.cc/U4ZN-98AQ; Off. of Foreign Assets Control, U.S. Dep’t of the Treasury, Sanctions Programs and Country Information, https://perma.cc/BD2C-BH46. The SDN List also includes non-governmental actors, such as terrorist organizations and narcotics traffickers.⁴⁸Off. of Foreign Assets Control, U.S. Dep’t of the Treasury, Sanctions Programs and Country Information, https://perma.cc/BD2C-BH46. Once designated to the SDN List, OFAC blocks the entity’s assets and generally prohibits U.S. persons from dealing with them.⁴⁹Id. 

OFAC has designated several malicious cyber actors under its cyber-related sanctions program and other sanctions programs.⁵⁰OFAC Advisory, supra note 1, at 2. For example, in December 2016, OFAC designated Evgeniy Mikhailovich Bogachev, the developer of a ransomware strain known as “Cryptolocker” that infected over 234,000 computers.⁵¹Id. In December 2019, OFAC designated Evil Corp, a Russia-based cybercriminal organization that launched ransomware attacks against hundreds of financial institutions across forty countries.⁵²Id. at 3. OFAC has extended the SDN List to include cryptocurrency exchanges: in September 2021, OFAC designated SUEX OTC, S.R.O. for its part in facilitating financial transactions for ransomware attackers.⁵³Id. 

In the context of cybercrime, OFAC’s designation process has faced challenges. Because cryptocurrencies allow ransomware attackers to retain their anonymity, OFAC can designate only the attackers’ digital currency addresses (“cryptocurrency wallets”) to its SDN List.⁵⁴Senate Report, supra note 4, at 45. Ransomware attackers, once designated to the SDN List, routinely re-brand their organizations and create new cryptocurrency wallets.⁵⁵Id.; see, e.g., Lawrence Abrams, Conti Ransomware Shuts Down Operation, Rebrands Into Smaller Units, BleepingComputer (May 19, 2022), HYPERLINK “https://perma.cc/2JFP-FHD8″https://perma.cc/2JFP-FHD8. For example, shortly after OFAC designated Evil Corp, several experts suspected that the group simply re-branded to “Babuk” to shirk OFAC sanctions.⁵⁶Phil Muncaster, Evil Corp Rebrands Ransomware to Escape Sanctions, Infosecurity Mag. (June 8, 2021), https://perma.cc/L5RQ-CJWN. Thus, the wallets listed on OFAC’s SDN List are often either outdated or inaccurate.⁵⁷Senate Report, supra note 4, at 45. 

2.      OFAC’s Ransomware Payment Policy and Enforcement Framework

In October 2020 and September 2021, OFAC released and updated an advisory claiming the authority to impose strict liability civil penalties on ransomware victims for payments to entities on its SDN List.⁵⁸OFAC Advisory, supra note 1, at 4. The policy states that ransomware payments may “enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims” or “fund activities adverse to the national security and foreign policy objectives of the United States.”⁵⁹Id. at 3. OFAC’s policy marks a departure from the FBI’s position on ransomware payments. In 2019, the FBI released guidance stating that, although it “does not advocate paying a ransom,” “the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” Fed. Bureau of Investigation, FBI Public Service Announcement, Alert No. I-100219-PSA, High-Impact Ransomware Attacks Threaten U.S. Business and Organizations, (2019), https://perma.cc/C8HR-FJKF. OFAC claims the authority to impose these strict liability penalties under the International Emergency Economic Powers Act.⁶⁰OFAC Advisory, supra note 1, at 3. 

When OFAC determines the occurrence of a violation, it typically issues a pre-penalty notice and provides an opportunity for a written response.⁶¹31 C.F.R. pt. 501, app. A § V(A) (2023). Ultimately, the director of OFAC retains the discretion to determine whether to impose a penalty and the amount of that penalty, limited only by OFAC’s “Enforcement Guidelines.”⁶²Id. §§ II(A), III. OFAC recognizes two significant mitigating factors for ransomware payments. First, OFAC will consider “the existence, nature, and adequacy of a sanctions compliance program.”⁶³OFAC Advisory, supra note 1, at 4. If a victim takes “meaningful steps . . . to reduce the risk of extortion by a sanction actor through improving cybersecurity practices,” it may mitigate the severity of OFAC’s enforcement response.⁶⁴Id. Second, OFAC will consider “the nature and extent of a [victim’s] cooperation with OFAC, law enforcement, and other relevant agencies, including whether an apparent violation of U.S. sanctions is voluntarily self-disclosed.”⁶⁵Id. at 5. If a victim voluntarily discloses information and cooperates fully with law enforcement, OFAC suggests it would impose only a mild penalty.⁶⁶Id. 

As opposed to CIRCIA’s cooperative approach, which provides comprehensive liability protections to victims, OFAC’s policy starts with a presumption of liability for payments to attackers who happen to be on the agency’s SDN List.⁶⁷Id. at 4. This liability can be mitigated only if OFAC’s director finds that the victim had adequate cybersecurity hygiene practices and cooperated sufficiently with law enforcement. 

OFAC’s policy takes the opposite approach of CIRCIA in incentivizing victims to report. Under CIRCIA, the government aims to incentivize information sharing by minimizing the risk of reporting.⁶⁸Cyber Incident Reporting for Critical Infrastructure of 2022, Pub. L. No. 117-103, §§ 2245(a)(5)(A), (a)(5)(c), 136 Stat. 1038, 1052–53 (codified at 6 U.S.C. § 681e). If a victim organization fulfills its reporting obligations, it is immune from certain risks, including government enforcement and civil litigation based on the reported information.⁶⁹Id. § 2245(c). OFAC, on the other hand, attempts to incentivize information sharing by increasing the risk of not reporting. If OFAC finds that the attacker is on the agency’s SDN List, it may penalize the victim at its discretion.⁷⁰OFAC Advisory, supra note 1, at 3–4. This risk is heightened even more by the difficulty or impossibility for victims to identify their attackers.⁷¹Sherer et al., supra note 23, at 19–20. By threatening the victims of ransomware attacks with strict liability civil penalties, OFAC has opted for the “stick,” rather than the “carrot,” to curb ransomware attacks. 

II.      The Origins of IEEPA and Judicial Interpretation of Executive Emergency Economic Powers 

To determine the legality of OFAC’s threat of strict liability civil penalties for ransomware payments, it is helpful to examine the source from which OFAC claims this broad authority—the International Emergency Economic Powers Act. IEEPA, as currently amended, provides that the president may “investigate, regulate, or prohibit (1) any transactions in foreign exchange . . . and (2) the importing or exporting of currencies or securities.”⁷²50 U.S.C. § 1702(a)(1)(A). The president may exercise these powers only “to deal with any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States.”⁷³Id. § 1701(a). 

Section A discusses IEEPA’s predecessor, the Trading with the Enemy Act of 1917 (“TWEA”), and the problems that Congress intended for IEEPA to remedy. Section B outlines the substantive limitations under IEEPA. Lastly, Section C discusses the courts’ interpretation of the executive’s emergency power and IEEPA. 

A.      TWEA: From a Limited Wartime Statute to a Source of Vast Executive Power 

The origins of the International Economic Powers Act trace back to 1917 and the Trading with the Enemy Act. Congress passed TWEA to regulate private international transactions with enemy powers following the United States’ entry into World War I.⁷⁴Benjamin A. Coates, The Secret Life of Statutes: A Century of the Trading with the Enemy Act, 1 Mod. Am. Hist. 151, 152 (2018). Section 5(b) of TWEA, as originally enacted, states: 

[T]he President may investigate, regulate, or prohibit, under such rules and regulations as he may prescribe . . . any transaction in foreign exchange . . . between the United States and any foreign country, whether enemy, ally of enemy, or otherwise, or between residents of one or more foreign countries, by any person within the United States.⁷⁵Trading with the Enemy Act, Pub. L. No. 65-91, § 5(b), 40 Stat. 411, 415 (1917) (codified as amended at 50 U.S.C. § 4305(b)). 

While the statute was originally intended for use during the war, Congress amended Section 5(b) of TWEA in 1933 for peacetime application: “During time of war or during any other period of national emergency declared by the President . . . .”⁷⁶Emergency Banking Relief Act, ch. 1, sec. 2, § 5(b), 48 Stat. 1, 1 (1933) (emphasis added). Following this amendment, presidents utilized TWEA to address numerous challenges associated with the Great Depression, World War II, and the Cold War.⁷⁷Christopher A. Casey, Ian F. Fergusson, Dianne E. Rennack & Jennifer K. Elsea, Cong. Rsch. Serv., R45618, The International Emergency Economic Powers Act: Origins, Evolution, and Use 4–6 (2020) [hereinafter IEEPA Origins, Evolution, and Use] (outlining the expansion of executive power under TWEA following the 1933 amendment). TWEA functioned as a “convenient statutory basis for vast peacetime exercises of exceptional economic authority which its authors clearly did not have in mind.”⁷⁸William E. Sheuerman, The Economic State of Emergency, 21 Cardozo L. Rev. 1869, 1878 (2000). 

By the mid-1970s, Congress began pushing back on executive discretion after a series of scandals involving the executive branch.⁷⁹IEEPA Origins, Evolution, and Use, supra note 77, at 6–8. The Senate formed the bipartisan “Senate Special Committee on the Termination of the National Emergency” in 1976 to re-evaluate delegations of emergency authority to the president.⁸⁰Subcomm. on Int’l Trade and Com. of the H. Comm. on Int’l Rels., 94th Cong., Trading with the Enemy: Legislative and Executive Documents Concerning Regulation of International Transactions in Time of Declared National Emergency (Comm. Print 1976) [hereinafter TWEA Report]. The Committee found that the United States had technically been in a state of emergency since March 9, 1933.⁸¹Harold Relyea, A Brief History of Emergency Powers in the United States (July 1974) (unnumbered working paper) (on file with the George Mason Law Review). During this period, over 740 emergency statutes delegated authority, usually limited to Congress, to the executive’s discretionary powers “which affect[ed] the lives of American citizens in a host of all-encompassing ways.”⁸²Id. The Committee’s central concern focused on “whether it was possible for [the American] democratic government . . . to exist under its present Constitution and system of three separate branches equal in power under a continued state of emergency.”⁸³TWEA Report, supra note 80. 

Concern over the executive’s broad emergency powers was not limited to the Senate. In 1977, during the House markup of a bill revising TWEA, Representative Jonathan Bingham, Chairperson of the House International Relations Committee’s Subcommittee on Economic Policy, described TWEA as conferring on the president “dictatorial powers that he could have used without any restraint by Congress.”⁸⁴H. Comm. on Int’l Rels., 95th Cong., Revision of the Trading with the Enemy Act: Markup Before the Committee on International Relations 5 (Comm. Print 1977). 

The House raised four primary concerns with TWEA: (1) it required no consultation or reports to Congress with regard to the use of powers or the declaration of a national emergency; (2) it set no time limits on a state of emergency and no mechanism for congressional review; (3) it stated no limits on the scope of TWEA’s economic powers and the circumstances under which such authority could be used; and (4) the actions taken under the authority of TWEA rarely related to the circumstances of the declared national emergency.⁸⁵H. Comm. on Int’l Rels., 95th Cong., Trading with the Enemy Act Reform Legislation, H.R. Rep. No. 95-459, at 10 (1977) (Conf. Rep.). Professor Harold G. Maier summarized the main criticisms of TWEA when testifying before the House Committee on International Relations: “Section 5(b)’s effect is no longer confined to ‘emergency situations’ in the sense of existing imminent danger. [Congress’s routine retroactive approvals] of broad executive interpretations of the scope of power which it confers has converted the section into a general grant of legislative authority to the President . . . .”⁸⁶Id. at 9. 

B.      IEEPA: A Statutory Limitation on the Executive’s Economic Emergency Powers 

Congress moved to remedy the expansion of executive power under TWEA in two steps. In step one, Congress enacted the National Emergencies Act of 1976 (“NEA”),⁸⁷Pub. L. No. 94-412, 90 Stat. 1255 (1976) (codified as amended at 50 U.S.C. § 1601). which placed new restrictions on both the declaration and duration of new states of emergency.⁸⁸Id. §§ 201, 202 (codified as amended at 50 U.S.C. §§ 1621, 1622). The statute further checked the executive’s emergency powers by (1) requiring that the president report to Congress whenever they declare a new state of emergency, and (2) allowing Congress to terminate states of emergency by concurrent resolution (“legislative veto”).⁸⁹Id. The NEA’s concurrent resolution provision, which required only a simple majority in either house to terminate a state of emergency, was later abrogated by the Supreme Court’s decision in INS v. Chadha, which held legislative vetoes unconstitutional. 462 U.S. 919, 959 (1983). In response, Congress amended the NEA to change “concurrent” resolution to “joint” resolution. Foreign Relations Authorization Act, Fiscal Years 1986 and 1987, Pub. L. No. 99-93, sec. 801, § 202(2), 99 Stat. 405, 448 (1985). 

In step two, Congress amended TWEA to apply only “in time of war,” as the original drafters intended.⁹⁰Act of Dec. 28, 1977, Pub L. No. 95-223, sec. 101, § 5(b)(1), 91 Stat. 1625 (1977) (codified as amended at 50 U.S.C. § 4305). Congress then wrote IEEPA to confer emergency powers “both more limited in scope than those of Section 5(b) [of TWEA] and subject to various procedural limitations, including those of [NEA].”⁹¹H. Comm. on Int’l Rels., 95th Cong., Trading with the Enemy Act Reform Legislation, H.R. Rep. No. 95-459, at 2 (1977) (Conf. Rep.). The Report of the House Committee on International Relations explained the nature of an “emergency” under IEEPA: 

The main [substantive restriction under IEEPA] stems from a recognition that emergencies are by their nature rare and brief, and are not to be equated with normal, ongoing problems. . . . The emergency should be terminated in a timely manner when the factual state of emergency is over and not continued in effect for use in other circumstances. A state of national emergency should not be a normal state of affairs.⁹²Id. at 10 (emphasis added). 

Against this backdrop, Congress drafted IEEPA to confer power in limited situations: 

[The powers under IEEPA] may be exercised to deal with any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security, foreign policy, or economy of the United States, if the President declares a national emergency with respect to such threat.⁹³50 U.S.C. § 1701(a) (emphasis added). 

IEEPA contains two substantive restrictions to protect against the issues that had arisen under its predecessor. First, the powers under IEEPA are limited by its text: they may be used only to deal with “unusual and extraordinary” foreign threats to the national security, foreign policy, and economy of the United States.⁹⁴Id. Second, the powers are restricted by the “nature” of the term “emergencies.” IEEPA is not “a general grant of legislative authority to the president” to deal with “normal ongoing problems,” but a limited grant of authority for “unusual and extraordinary” foreign threats. 

C.      Judicial Limits on the Executive’s Emergency Powers 

While the Supreme Court has rarely pushed back on the executive’s use of emergency powers, it has not suggested that such power is unlimited.⁹⁵See Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 585 (1952) (“The President’s power . . . must stem either from an act of Congress or from the Constitution itself.”); see also id. at 652 (Jackson, J., concurring) (“[E]mergency powers are consistent with free government only when their control is lodged elsewhere than in the Executive who exercises them.”). The Court addressed the issue in Youngstown Sheet & Tube Co. v. Sawyer.⁹⁶Id. at 582 (majority opinion). During the Korean conflict, a labor dispute broke out between steel mill owners and employees.⁹⁷Id. Fearing that a stoppage of steel production would result in a national catastrophe, President Truman ordered the Secretary of Commerce to take possession of the steel mills to continue their operation.⁹⁸Id. at 583. Shortly before this emergency, Congress passed the Taft-Hartley Act, which prescribed a more cooperative method for resolving labor disputes.⁹⁹Id. at 586; Labor Management Relations Act, 29 U.S.C. §§ 141, 171–80. Notably, Congress refused to adopt an amendment that authorized the seizure of factories during emergencies.¹⁰⁰Youngstown, 343 U.S. at 586; 93 Cong. Rec. 3637–45 (1947). The majority held that the president’s exercise of this emergency power was unconstitutional as its source could not be traced to either an act of Congress or the Constitution.¹⁰¹Youngstown, 343 U.S. at 589. 

In a concurring opinion, Justice Robert Jackson famously laid out a three-category framework for analyzing the constitutionality of executive action. In the first category, the president acts pursuant to an express or implied grant of Congress.¹⁰²Id. at 635–37 (Jackson, J., concurring). Presidential authority is at its “maximum” in these circumstances.¹⁰³Id. at 635. In the second, the president acts in the absence of either a congressional grant or denial of authority.¹⁰⁴Id. at 637. Here, the president’s authority is in a “zone of twilight” where congressional “inertia, indifference, or acquiescence” may invite presidential action.¹⁰⁵Id. Lastly, in the third category, the president’s actions are incompatible with the express or implied will of Congress. Presidential authority is at its “lowest ebb” in these situations as they can rely “only upon [their] own constitutional powers minus any constitutional powers of Congress over the matter.”¹⁰⁶Id. 

Justice Jackson ultimately concluded that the president’s actions fell within the third category as Congress neither authorized the seizure nor “left seizure of private property an open field.”¹⁰⁷Youngstown, 343 U.S. at 639–40. Accordingly, the president could not claim that his actions were “necessitated or invited by the failure of Congress to legislate upon the occasions.”¹⁰⁸Id. 

In Dames & Moore v. Regan,¹⁰⁹453 U.S. 654 (1981). the Court cited the Youngstown framework as it discussed the scope of the president’s powers under IEEPA.¹¹⁰Id. at 668–69. There, the petitioners challenged a series of actions taken by President Carter to implement the Algiers Accords, which the president entered into to end the hostage crisis in Iran.¹¹¹Id. at 662–68. Among other things, the president ordered the resolution of all claims against the Iranian government in U.S. courts.¹¹²Id. at 666; Exec. Order No. 12,283, 46 Fed. Reg. 7927, 7927 (Jan. 19, 1981). IEEPA explicitly authorized most of the president’s actions, including the nullification of prejudgment attachments and the transfer of property to Iran.¹¹³Dames, 453 U.S. at 674. However, the Court held that the terms of the IEEPA did not authorize the president’s suspension of claims.¹¹⁴Id. at 675. As an act of Congress also did not bar the action, the Court examined the constitutionality under Justice Jackson’s “zone of twilight” category: 

[T]he enactment of legislation closely related to the question of the President’s authority in a particular case which evinces legislative intent to accord the President broad discretion may be considered to invite measures of independent presidential responsibility. At least this is so where there is no contrary indication of legislative intent and when, as here, there is a history of congressional acquiescence in conduct of the sort engaged in by the President.¹¹⁵Id. at 678–79 (emphasis added) (internal citations omitted). 

The Court looked to a long history of “congressional acquiescence” in the president’s exercise of claim settlement authority and determined that it had “implicitly approved” of the practice.¹¹⁶Id. at 679–80. The “general tenor” of Congress’s legislation in the areas of emergencies and hostage negotiations evidenced Congress’s acquiescence to the president’s authority to issue claim settlement agreements.¹¹⁷Id. at 677–78. The president has broad discretion in matters of hostage settlements and emergencies, respectively. See 22 U.S.C. § 1732; 50 U.S.C. § 1702(a)(1). While neither statute specifically authorized the president to issue claim settlements, the Court determined that both statutes were “highly relevant in the looser sense of indicating congressional acceptance of a broad scope for executive action in circumstances such as those presented in this case.” Dames, 453 U.S. at 677. The Court also found persuasive that Congress drafted legislation on the assumption that the president had the authority to issue such agreements.¹¹⁸Dames, 453 U.S. at 680–81. For example, the International Claims Settlement Act of 1949 created a procedure for implementing future claim settlement agreements. International Claims Settlement Act of 1949, ch. 54, 64 Stat. 12 (1950) (codified as amended at 22 U.S.C. §§ 1621–27). The Court determined that the statute signified Congress’s “stamp of approval on such agreements.” Dames, 453 U.S. at 680. As the Court explained, a “long-continued practice, known to and acquiesced in by Congress, [raises] a presumption that the [action] had been [taken] in pursuance of its consent.”¹¹⁹Dames, 453 U.S. at 686 (second and third alteration in original) (quoting United States v. Midwest Oil Co., 263 U.S. 459, 474 (1915)). On these case-specific considerations, the Court held that President Carter’s claim settlement order was a proper exercise of executive power.¹²⁰Id. 

Dames & Moore illustrates the Court’s approach in determining the constitutionality of the executive’s emergency powers under Justice Jackson’s “zone of twilight” category: if a challenged action aligns with a history of “congressional acquiescence” to the president’s exercise of such power, it “may be treated as a gloss on ‘Executive Power’ vested in the President by § 1 of Art. II.”¹²¹Id. (quoting Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 610–11 (1952) (Frankfurter, J., concurring)). Absent such congressional acquiescence, the Court may not afford executive action with a presumption of constitutionality. 

III.      The Legal and Policy Concerns with OFAC’s Ransomware Policy 

OFAC’s threat of strict liability civil penalties is unlawful and problematic. Section A argues that OFAC’s policy is unconstitutional because neither a statute nor the Constitution authorized it. Section B argues that OFAC’s policy is problematic because it encourages victims to conceal, rather than share, information on ransomware attacks. For these reasons, OFAC should renounce its policy and defer to Congress’s measured judgment and the CIRCIA framework. 

A.      The Legal Concerns: OFAC’s Policy Is Unconstitutional Because It Is Not Authorized by an Act of Congress or the Constitution. 

Because OFAC’s policy cannot trace its power to a statute or the Constitution, it is unconstitutional. First, Subsection 1 argues that OFAC’s policy is not authorized by the IEEPA because it conflicts with the statute’s text, legislative intent, and central purpose. Subsection 2 argues that OFAC’s policy violates separation-of-powers principles as it conflicts with Congress’s mechanism for curbing ransomware attacks and does not otherwise fall within the “executive power.” 

1.      OFAC’s Policy Is Not Authorized by IEEPA Because It Conflicts with the Statute’s Text, Legislative Intent, and Central Purpose

OFAC’s ransomware policy is not authorized by IEEPA, the statute in which it claims authority. First, ransomware does not fit within the statute’s text because ransomware attacks are neither unusual nor extraordinary. Second, OFAC’s policy is inconsistent with the drafters’ understanding of “emergency” as ransomware attacks are a normal, ongoing problem rather than a rare and brief threat. Lastly, interpreting IEEPA broadly enough to authorize OFAC’s policy would undermine the statute’s central purpose of limiting the executive’s emergency powers. 

OFAC’s policy falls outside the scope of IEEPA’s text. The statute’s broad powers are limited by Section 1701: “[The powers under the IEEPA] may be exercised to deal with any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security, foreign policy, or economy of the United States.”¹²²50 U.S.C. § 1701 (emphasis added). But ransomware attacks are neither unusual nor extraordinary. While, in the days of Joseph Popp,¹²³See Waddell, supra note 10. it may have been a niche criminal activity, ransomware is now a part of daily life for many Americans. In the United States alone, an average of 4,000 ransomware attacks occur daily.¹²⁴DOJ Ransomware Advisory, supra note 15, at 2. Malicious actors regularly target organizations of all sizes and across all sectors.¹²⁵See Emsisoft Report, supra note 16; Coveware Report, supra note 17. According to the FBI, whose dataset experts describe as a “subset of a subset” with figures that are “incredibly low,”¹²⁶Culafi, supra note 33. nearly 2,500 businesses fell victim to ransomware attacks in 2020 alone.¹²⁷2020 FBI Crime Report, supra note 18, at 3. As the ransomware threat is far from unusual or extraordinary, OFAC’s policy is far from the scope of the IEEPA. 

Given the magnitude of costs associated with ransomware attacks,¹²⁸See NSI Report, supra note 19. one could argue that in the modern economy, the threat of ransomware is “unusual and extraordinary.” But this interpretation would lead to a TWEA-like expansion of executive power. As discussed in Part I, Section B, the proliferation of ransomware attacks (and therefore, the rise in ransomware costs) is largely due to the government’s failure to identify bad actors, hold such actors accountable, and incentivize victims to cooperate. If such challenges qualify as “unusual and extraordinary,” the executive could assume legislative authority whenever it struggled to enforce the law. The magnitude of costs represents a need for legislation to aid law enforcement efforts, not “an unusual and extraordinary threat” triggering IEEPA’s vast powers. 

OFAC’s policy also contradicts the IEEPA drafters’ understanding of “emergency.” As explained by the House Committee on International Relations, the main substantive restriction under IEEPA “stems from a recognition that emergencies are by their nature rare and brief, and are not to be equated with normal ongoing problems.”¹²⁹IEEPA Origins, Evolution, and Use, supra note 77, at 11 (emphasis added). 

Ransomware attacks are now a normal ongoing problem. First, given the frequency of attacks and breadth of targets, it cannot be said that ransomware attacks are rare. It would strain the meaning of the word itself to suggest that an event occurring over 4,000 times daily and impacting roughly 2,500 businesses yearly qualifies as “rare.”¹³⁰See DOJ Ransomware Advisory, supra note 15; 2020 FBI Crime Report, supra note 18, at 14. Second, ransomware attacks are not a “brief” issue expected to be resolved anytime in the near future. To the contrary, experts expect that the annual cost of ransomware will increase tenfold over the next ten years, growing from $20 billion in 2021 to $265 billion in 2031.¹³¹Braue, supra note 21. Nothing in the available data suggests that ransomware attacks fit within this understanding of an emergency. 

On top of conflicting with IEEPA’s terms and legislative intent, OFAC’s policy undermines the statute’s central purpose: reining in executive emergency power. To interpret IEEPA broadly enough to authorize OFAC’s policy would ignore Congress’s concerns and revive the issues that arose under its predecessor, TWEA. 

The purpose of IEEPA informs the scope of its powers. TWEA, a statute intended for use during wartime, was later amended for use during peacetime.¹³²Act of Mar. 9, 1933, ch. 1, sec. 2, § 5(b), 48 Stat. 1. Over the next half century, the statute devolved into a “general grant of legislative authority to the President”¹³³H. Comm. on Int’l Rels., 95th Cong., Trading with the Enemy Act Reform Legislation, H.R. Rep. No. 95-459, at 9 (1977) (Conf. Rep.). and conferred “dictatorial powers that [the President] could have used without any restraint by Congress.”¹³⁴H. Comm. on Int’l Rels., 95th Cong., Revision of the Trading with the Enemy Act: Markup Before the Committee on International Relations 5 (Comm. Print 1977). Among the TWEA revisionists’ primary concerns was its failure to state limits on the scope of its economic powers and the circumstances dictating their use.¹³⁵H. Comm. on Int’l Rels., 95th Cong., Trading with the Enemy Act Reform Legislation, H.R. Rep. No. 95-459, at 10 (1977) (Conf. Rep.). To address these issues, Congress drafted the IEEPA to confer powers “more limited in scope than those in Section 5(b) [of TWEA] and subject to various procedural limitations.”¹³⁶Id. at 2. 

Interpreting IEEPA as conferring powers to address the threat of ransomware would undermine the careful deliberations of Congress and the central reason for the statute’s existence. Congress drafted IEEPA with the express purpose of conferring powers “more limited in scope” than those in TWEA. If ransomware attacks—a daily, ongoing issue for thousands of U.S. organizations—were interpreted as “unusual and extraordinary” or “rare and brief,” the scope of powers under the IEEPA would match the vastness of those under TWEA. IEEPA, like its predecessor, would devolve into a “general grant of legislative authority to the President.”¹³⁷Id. at 9. Because OFAC’s policy conflicts with IEEPA’s central purpose, it cannot fall within its scope. 

2.      OFAC’s Policy Is Incompatible with Congress’s Prescribed Mechanism for Combatting Ransomware Attacks

OFAC’s policy is at the “lowest ebb” of authority as it conflicts with Congress’s mechanism for combatting ransomware attacks. Because CIRCIA specifically addresses the issue of ransomware payments, OFAC is not free to take inconsistent measures based on Congress’s failure to legislate. 

As explained in Justice Jackson’s Youngstown concurrence, executive action may be at its “lowest ebb” of authority when it is incompatible with the expressed or implied will of Congress.¹³⁸Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 637 (1952) (Jackson, J., concurring). In these circumstances, the executive is entitled only to “[its] own constitutional powers minus any constitutional powers of Congress over the matter.”¹³⁹Id. If Congress passes legislation addressing an issue, the executive cannot take “different and inconsistent” measures and claim that the action was “necessitated or invited by failure of Congress to legislate upon the occasions.”¹⁴⁰Id. at 639. For example, in Youngstown, Congress specifically prescribed a mechanism for settling labor disputes and rejected an amendment that would have allowed the president to seize property during emergencies.¹⁴¹Id. at 585–89 (majority opinion). Because the president’s actions contradicted the method Congress prescribed and lacked authorization by the Constitution, the Court held his actions unconstitutional.¹⁴²Id. at 588–89. 

OFAC’s policy, like the president’s seizure in Youngstown, contradicts the express will of Congress. In Youngstown, the president was not free to take any measures to resolve labor disputes—Congress specifically prescribed a mechanism for doing so in the Taft-Hartley Act.¹⁴³Id. at 585–89. In this case, Congress prescribed a mechanism for curbing ransomware attacks in CIRCIA: a mandatory reporting scheme paired with comprehensive liability protections.¹⁴⁴Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. No. 117-103, §§ 2242(a), 2245(b)–(e), 136 Stat. 1038, 1042–43, 1053–54 (codified at 6 U.S.C. §§ 681b, 681e). Thus, OFAC cannot take inconsistent measures by imposing strict liability on victims and claim that the policy is “necessitated or invited by failure of Congress to legislate upon the occasion.”¹⁴⁵Youngstown, 343 U.S. at 639 (Jackson, J., concurring). 

While, unlike the situation in Youngstown, Congress did not specifically reject OFAC’s policy, it nevertheless considered four different cyber incident reporting bills before passing CIRCIA.¹⁴⁶Proposed Incident Reporting Bills, supra note 35. It is, therefore, substantially unlikely that Congress failed to consider the possibility of imposing strict liability civil penalties for ransomware payments; it is more likely that Congress simply found it unwise to do so. 

3.      OFAC’s Policy Is Not Implicitly Authorized By Congress: There Is No History of Congressional Acquiescence to the Executive’s Authority to Issue Such a Policy

Congress did not implicitly authorize OFAC’s policy as it is unsupported by congressional “inertia, indifference, or acquiescence.” Congress’s passage of CIRCIA signifies its refusal to acquiesce in the executive’s authority to impose strict liability penalties on ransomware victims. 

In Justice Jackson’s second Youngstown category, executive action resides in a “zone of twilight” when Congress has neither authorized nor prohibited an action.¹⁴⁷Youngstown, 343 U.S. at 637 (Jackson, J., concurring). In these situations, congressional “inertia, indifference, or acquiescence” may invite executive action.¹⁴⁸Id. The Court applied this principle in Dames & Moore as it considered whether the president had the authority to issue claim settlement agreements.¹⁴⁹Dames & Moore v. Regan, 453 U.S. 654, 679, 684 (1981). The Court looked to a long history of congressional acquiescence to the executive’s authority to issue such agreements and held that the action was authorized as Congress implicitly approved of the practice.¹⁵⁰Id. at 686–90. Specifically, the Court found persuasive that Congress conferred broad discretionary power to the executive in the areas of emergencies and hostage negotiation and drafted legislation on the assumption that the president could issue such agreements.¹⁵¹Id. at 686. As the Court explained, “A long-continued practice, known to and acquiesced in by Congress, . . . raise[s] a presumption that the [action] had been [taken] in pursuance of is consent.”¹⁵²Id. at 686 (second and third alteration in original) (quoting United States v. Midwest Oil Co., 263 U.S. 459, 474 (1915)). 

But Congress has not implicitly authorized the executive to impose strict liability penalties on ransomware victims. As an initial matter, there is no “long-continued practice” of executive agencies imposing such penalties on ransomware victims in which Congress could acquiesce. Moreover, since Congress passed CIRCIA within two years of OFAC first announcing its policy,¹⁵³Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. No. 117-103, 136 Stat. 1038 (codified at 6 U.S.C. §§ 681–681g); OFAC Advisory, supra note 1. CIRCIA signifies Congress’s refusal to acknowledge the executive’s authority to issue such a policy. In Dames, congressional action implicitly recognized the executive’s authority to issue claim settlement agreements.¹⁵⁴Dames, 453 U.S. at 686. Here, congressional action implicitly rejects the executive’s authority to impose strict liability penalties for ransomware payments. Thus, even if IEEPA granted the executive with broad discretionary powers in the field of ransomware, CIRCIA represents the revocation of that authority. 

OFAC cannot claim that congressional “inertia, indifference, or acquiescence” implicitly authorizes its policy. Far from expressing apathy over the ransomware issue, Congress researched the problem, considered potential solutions, and prescribed a mechanism for solving the issue. OFAC should follow Congress’s lead. 

4.      OFAC’s Policy Is Not Authorized by the Constitution Because, Following the Implementation of CIRCIA, It Will Only Tenuously Relate to National Security

Defenders of OFAC’s policy might argue that combatting ransomware attacks is a matter of national security and therefore falls within the executive’s Article II powers. This argument ignores the reality of OFAC’s policy and the entities subject to enforcement. CIRCIA provides “covered entities” with liability protections from government enforcement actions.¹⁵⁵Cyber Incident Reporting for Critical Infrastructure Act of 2022 § 2240(5). “Covered entities” are organizations within sixteen critical infrastructure sectors “vital to . . . the Nation’s safety, prosperity, and wellbeing.”¹⁵⁶Presidential Policy Directive, supra note 41. Under CIRCIA’s mandatory reporting scheme, these organizations will be effectively immune from OFAC’s policy so long as they comply with the statute’s reporting requirements. By default, then, OFAC’s policy will apply almost exclusively to organizations in non-critical infrastructure sectors, or organizations not “vital to the Nation’s safety.” The executive’s national security authority cannot authorize OFAC’s policy when it will apply only to organizations deemed insignificant to national security. 

As Justice Black explained in Youngstown, the executive’s power, if any, to take an action “must stem either from an act of Congress or from the Constitution itself.”¹⁵⁷Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 585 (1952). OFAC’s policy stems from neither. The policy is not authorized by IEEPA as it conflicts with the statute’s text, legislative intent, and central purpose. The policy is at the “lowest ebb” of authority as it contradicts Congress’s mechanism for curbing ransomware payments, as expressed in CIRCIA. The policy is not implicitly authorized by Congress as there is no history of congressional acquiescence to the executive’s authority to issue such a policy. Lastly, the policy is not authorized by the Constitution as it only tenuously relates to national security interests. 

B.      The Policy Concerns: OFAC’s Policy Incentivizes Victims to Cover Up Their Attacks 

In addition to the legal issues discussed above, OFAC’s policy has a fundamental flaw: it disincentivizes victims from sharing information on ransomware attacks with the government. OFAC’s policy discourages information sharing in two steps. First, as discussed in Subsection 1, OFAC’s policy does not meaningfully deter ransom payments as the cost of not paying a ransom often outweighs the risk of OFAC penalties. Second, as discussed in Subsection 2, once a victim has made a ransom payment, OFAC’s policy discourages information sharing through its strict liability threat. With this incentive structure, OFAC’s policy serves only to worsen the lack of information sharing between ransomware victims and the government. 

1.      OFAC’s Policy Does Not Have a Significant Deterrent Effect on Ransom Payments

While OFAC’s policy threatens to punish ransomware victims for ransom payments, it does not significantly deter them from doing so. Because the cost of refusing to pay a ransom is often exponentially higher than the ransom itself, and the likelihood of OFAC penalties is significantly low, many organizations may rationally choose to pay the ransom. 

First, OFAC’s policy underestimates the cost of refusing to pay attackers’ ransom demands. While ransomware demands have increased over recent years,¹⁵⁸NSI Report, supra note 19; Coveware Report, supra note 17. the cost of operational downtime may exceed fifty times the ransom itself.¹⁵⁹Datto Report, supra note 20. In many situations, refusal to pay may result in substantial, real-life harm to both the victim organization and its clients, patients, or shareholders. For example, for the lawyer in the opening hypothetical, refusal to pay the ransom could result in the disclosure of clients’ confidential information or missed filing deadlines. While there is no guarantee that a ransom payment will result in decryption, in these situations and many others, paying a ransom may be the best option to avoid harm to the victim organization and downstream parties. 

Second, a victim could reasonably infer that the likelihood of an OFAC penalty for a ransom payment is extremely low. For OFAC to penalize a ransomware victim for a payment, (1) the attacker must be on the SDN List, and (2) OFAC must discover the payment.¹⁶⁰OFAC Advisory, supra note 1, at 3–4. However, it is unlikely that a victim’s attacker would be on OFAC’s SDN List as cybercriminals routinely re-brand to evade sanctions.¹⁶¹See, e.g., Muncaster, supra note 56. Further, it is unlikely that OFAC would discover the payment given the lack of government access to ransomware information.¹⁶²Senate Report, supra note 4, at 5. As the government is combatting ransomware in the dark, a victim’s payment is unlikely to come to light. Lastly, if there were any remaining doubts as to the likelihood of an OFAC penalty, the victim could simply look to OFAC’s track record under this policy: OFAC has yet to fine an organization for a ransom payment to an attacker on its SDN List.¹⁶³Timothy O’Toole, Christopher Stagg, FeiFei Ren, Caroline Watson, Manuel Levitt & Samuel Cutler, Practical Issues in Cyber-Related Sanctions, Glob. Investigations Rev. (Sept. 29, 2023), https://perma.cc/T4ER-XEVM. From these observations, a victim could easily and reasonably deduce that OFAC’s policy is an empty threat. 

2.      OFAC’s Threat of Strict Liability Discourages Any Victim Who Paid a Ransom from Sharing Information with the Government

By threatening victims with strict liability, OFAC’s policy discourages victims who paid a ransom from sharing information with the government. Because victims are at the mercy of OFAC’s discretion to reduce penalties, victims are incentivized to cover up their ransom payments. 

Unlike the reporting framework in CIRCIA, OFAC’s policy starts with a presumption of liability for payments made to attackers on its SDN List.¹⁶⁴OFAC Advisory, supra note 1, at 3–4. Once OFAC discovers of a payment, liability can be reduced only if the victim presents mitigating factors that OFAC finds sufficient.¹⁶⁵Id. at 5. OFAC has suggested that a penalty may be reduced if a victim organization has adequate cybersecurity hygiene and complies with law enforcement.¹⁶⁶Id. Ultimately, however, the amount of a given fine is up to the discretion of OFAC’s director.¹⁶⁷Id. 

Because OFAC’s policy is based on strict liability, any ransomware victim who pays a ransom may rationally decide to cover up an attack. Given that ransomware attacks are typically anonymous, it would be difficult, if not impossible, to discover whether an attacker is on OFAC’s SDN List.¹⁶⁸Westbrook, supra note 3, at 415–17. Thus, unless victims can confirm the identity of their attacker, there remains a possibility that their payment violated OFAC’s policy. 

A victim who paid a ransom has two options: report the information to the government or cover up the attack. If a victim discloses the payment to the government and the attacker happens to be on OFAC’s list, the victim would be presumed liable. While OFAC would likely consider voluntary disclosure as a mitigating factor, the victim would ultimately fall to the mercy of OFAC’s discretion in determining the penalty.¹⁶⁹OFAC Advisory, supra note 1, at 5. OFAC could, for instance, determine that the victim did not practice adequate cyber hygiene and is therefore deserving of punishment. On the other hand, for the reasons highlighted above, it may be substantially unlikely that OFAC would discover the payment if a victim covered up the attack. Without concrete liability protections and only discretionary mitigating factors, covering up may be the best option. 

Defenders of OFAC’s policy may claim that, although it may not incentivize information sharing, the primary purpose of the policy is to reduce the profitability of ransomware attacks for cybercriminals. While this may be a legitimate goal, it underestimates the importance of information for ransomware law enforcement. As the government knows of only approximately 25% of ransomware attacks, law enforcement is handcuffed in combatting the ransomware threat.¹⁷⁰Senate Report, supra note 4, at 5. The urgent need for ransomware information is evident in CIRCIA’s framework: by mandating reporting and providing victims with liability protection, Congress signaled that information is the top priority in ransomware regulation. 

Conclusion 

OFAC’s threat of strict liability civil penalties for ransomware payments is both unlawful and a bad idea. From a legal perspective, the policy lacks authority from either an act of Congress or the Constitution. From a policy perspective, it discourages victims from sharing ransomware information with the government. The rise in ransomware attacks is not a simple problem to solve, and this Comment does not attempt to do so. As with solving any difficult problem, however, information is key. By passing CIRCIA, Congress recognizes as much. If OFAC renounces its policy and defers to the judgment of Congress, it may take one step towards bringing the ransomware issue to light.