On April 15, 2021, the White House and the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced a package of economic sanctions targeting Russia, including expansive new legal authorities that would allow for the imposition of additional future sanctions on Russia in the technology sector and on Russian government bodies.  OFAC has also issued expanded restrictions on participation in the primary market for Russian sovereign debt, and lending to the Russian government, by US financial institutions.  In addition, OFAC blocked nearly 40 additional individuals and entities for “attempt[ing] to influence the 2020 [US] presidential election” and engaging in certain activities in Crimea.  At the same time, the US Department of State announced the expulsion of 10 Russian diplomats.

The centerpiece of the package is Executive Order (“E.O.”) 14024, which, according to an OFAC press release, “elevates the [US] government’s capacity to deploy strategic and economically impactful sanctions to deter and respond to Russia’s destabilizing behavior.”  As the first significant Russia sanctions action by the Biden Administration, E.O. 14024 appears to have been intended to send a strong signal to Russia, but without taking action at this stage that would be highly or disproportionately economically damaging.  In taking this approach, it appears that the Administration has left open the possibility of an improvement in relations with Russia.  Indeed, these sanctions were preceded by President Biden’s April 13th proposal of a possible summit with President Putin to “discuss the full range of issues facing the United States and Russia.”

Executive Order 14024

Executive Order 14024 authorizes the imposition of sanctions in response to the following types of activities linked with Russia, which were largely covered by pre-existing sanctions authorities but have been expanded and focused specifically on Russia in this E.O.:

  • Election interference and similar activities in the United States or partner countries;
  • Malicious cyber-enabled activities against the US or partner countries;
  • Transnational corruption;
  • Deceptive transactions designed to circumvent sanctions, including through the use of digital currencies;
  • Assassinating or harming US persons or nationals of partner countries;
  • Undermining regional security; and
  • Operating in the Russian defense sector.

Most notably, the E.O. authorizes for the first time sanctions on any party operating in the Russian technology sector.  OFAC explains in new FAQ 887 that this merely provides “notice” that persons operating in that sector are “exposed to sanctions risk[.]”  However, it “does not automatically block all persons operating in the sector.”  It is noteworthy that the only Russian tech companies actually sanctioned under this action were determined by the US government to “support the Russian Intelligence Services’ efforts to carry out malicious cyber activities against the United States.”

Similarly, OFAC states in new FAQ 887 that entities identified pursuant to E.O. 13662 as subject to sectoral sanction sunder Directive 3 for operating in the Russian defense sector are not automatically blocked pursuant E.O. 14024 – rather, they would need to be specifically sanctioned pursuant to E.O. 14024.

Directive 1 under E.O. 14024

In conjunction with E.O. 14024, OFAC issued Directive 1, which prohibits US financial institutions from participating in the primary market for ruble or non-ruble Russia sovereign debt issued after June 14, 2021 or lending ruble or non-ruble funds to certain Russian government entities.

Directive 1 defines “US financial institution” broadly, and includes branches and offices of foreign financial institutions that are located in the United States.

Directive 1 will have a limited impact, because it does not restrict participation in the secondary market for Russian sovereign debt and does not restrict non-US financial institution participation in the primary market.  Moreover, this is only an incremental expansion of previous sanctions.  OFAC explains in updated FAQ 675 and new FAQ 890 that, while US banks have already been prohibited from participating in the primary market for non-ruble bonds issued by the Russian sovereign and lending non-ruble funds to the Russian sovereign, pursuant to the CBW Act sanctions imposed under the Trump Administration (i.e., the Russia-Related Directive under E.O. 13883), the new prohibitions apply to bonds and loans denominated in rubles.

SolarWinds Response and Other US Government Actions

On April 15, the White House formally named the SVR as “the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform[.]”  In a stark warning about the risks associated with various types of links to Russia in the technology sector, it stated that the compromise of the SolarWinds software supply chain “highlights the risks posed by Russia’s efforts to target companies worldwide through supply chain exploitation. Those efforts should serve as a warning about the risks of using information and communications technology and services (ICTS) supplied by companies that operate or store user data in Russia or rely on software development or remote technical support by personnel in Russia.  The US government is evaluating whether to take action under Executive Order 13873 to better protect our ICTS supply chain from further exploitation by Russia.”  While much of the media attention relating to the new ICTS supply chain regulations have focused on China, this action underscores that companies with software development or support (e.g., testing), data storage or other links to Russia’s tech sector that operate in the United States should be evaluating these risks carefully.

On the same day, the National Security Agency (“NSA”), the Cybersecurity & Infrastructure Security Agency (“CISA”), and the Federal Bureau of Investigation (“FBI”) issued a cybersecurity advisory, “Russian SVR Targets [US] and Allied Networks,” which lists five specific software vulnerabilities.  A circular issued by those agencies specifies certain mitigation steps.

Taking such action in response to what many would consider to be traditional foreign intelligence operations has attracted significant controversy regarding where the line should be drawn for acceptable state conduct in this arena.  The White House has distinguished this espionage operation from others primarily because of its scope, which it says gave the SVR “the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide,” and because of the unusual supply chain vector that it says now “places an undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating this incident.”

The White House further announced that it is “responding to the reports that Russia encouraged Taliban attacks against US and coalition personnel in Afghanistan” – however, the matter is “being handled through diplomatic, military and intelligence channels” due to its sensitivity.

Please contact the Steptoe International Trade and Regulatory Compliance team with any questions about these developments.