In April 2015, President Barack Obama enacted an Executive Order (EO) “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities” thereby initiating a policy of levying cyber sanctions against perpetrators of cyber acts hostile to the interests of the United States.
It is the first of its kind. These “cyber sanctions” are a non-violent initiative to stem the rampant intellectual property theft caused by cyberespionage activities that cost U.S. companies, according to McAfee, approximately $200-250 billion annually.
Prior to this new initiative, economic sanctions had been imposed only once against a government’s persons and organizations after a cyberattack, and had limited success. This calls into question whether cyber sanctions will be an effective deterrent against governments with robust cyberespionage capabilities, and (or if they will even be levied) particularly those whom the United States may need as partners in other global diplomatic efforts.
Previous economic sanctions have had more success in compelling nation-states to alter their behaviors, while not stopping their hostile activities. Cyberspace only further complicates this, since it is difficult to attributing hostile cyber acts. It is further complicated by hackers using non-state proxies, or who change their tactics, techniques, and procedures to cover their tracks.
Even if cyber sanctions are effective, it may also not be in the interest of the Unites States to levy them against states that have leverage over the sanctions, or that are needed to support other U.S. global policy interests.
As a result, cyber sanctions will not be an effective tool to deter the behavior of nation states, but judging from the recent no-hack agreement between China and the United States, they may be better used to compel offending states to change the way they operate in cyberspace.
The Executive Order
The U.S. Executive Order comes at a time when the United States has been actively trying to improve its cybersecurity posture in order to mitigate the volume of hostile activity directed against its private and public sectors. It reflects the severity with which the Administration views the cyber threat and its willingness to forge ahead.
The International Emergency Economic Powers Act authorizes the President to declare a national emergency in response to any extraordinary threat to U.S. interests. The Department of Treasury, after consulting with the U.S. Attorney General and Secretary of State, is also empowered to take necessary actions and levy sanctions to punish individuals and organizations.
Sanctions focus on two specific areas of cyber hostilities. The first is the purposeful harming or impeding of critical infrastructure functionality. It addresses the types of cyber attacks that would deliberately deny, degrade, destroy, or manipulate information systems or the information they hold. A White House fact sheet cites distributed denial-of-service (DDoS) attacks as one possible example, although incidents such as the widespread implementation of wiper malware against a network as in the Sony case would appear to fit those criteria as well.
The second focus is the theft of trade secrets. It concentrates on intellectual property theft by perpetrators, as well as those who benefit from their activities.
The most notable cyber incidents suffered by the United States have involved both of these activities. The ongoing theft of intellectual property is largely suspected of being conducted by Chinese state-affiliated actors, among others, and the 2012 and 2013 DDoS cyber attacks directed against several U.S. banks is believed to have been conducted by agents working on behalf of the Iranian government by several individuals.
Cyber sanctions therefore can be interpreted as sending a message to these respective governments, as well as others, that this type of activity will not go unpunished in the future and that involvement on any level in these activities will be subject to the same repercussions as those perpetrating them.
Benefits of Cyber Sanctions
Supporters see cyber sanctions as a necessary tool to deter future cyber theft of intellectual property, personal identifiable information, and/or money. The Department of Treasury is authorized to freeze the assets of those perpetrating hostile cyber-enabled activity as well as those assisting and/or benefiting from them, and barring any commercial transaction with said entities. At face value, imposing economic-based sanctions seems a more suitable alternative to “hacking back” for the committing of non-destructive cyber malfeasance.
The intent behind imposing sanctions is to encourage a change in a nation state’s behavior. Some of the more notable benefits of sanctions include: 1) bringing vital issues to the public light, generating exposure and support; 2) allowing the flexibility to impose and retract sanctions in response to the offending government’s compliance; 3) providing a peaceful and less expensive alternative to the implementation of force; and 4) encouraging multilateral collaboration in order to achieve maximum effectiveness.
To date, no cyber sanctions have been levied against a state government. The sanctions levied against North Korea after the Sony hack came before the EO was signed. In 2015, the U.S. government threatened to impose cyber sanctions against China. However, Washington backed off once it came to agreement with Beijing on not hacking for commercial gain.
But Have Economic Sanctions Historically Worked?
Sanctions’ effectiveness depends on how they are implemented and if their impact results in the intended punishment and/or deterrence. Cyber sanctions appear to be a combination of smart sanctions and economic sanctions.
Smart sanctions target individuals such as a government’s leaders rather than its economy as whole. Traditional economic sanctions, on the other hand, target the customary trade and financial relations for foreign and security policy purposes. Notably, governments have imposed economic sanctions to coerce, deter, or punish entities that endanger their interests or violate international norms of behavior.
The U.S. has exercised economic sanctions as a foreign policy tool with varying degrees of success. An Institute for International Economics study examined 35 U.S. sanctions programs in place since 1973 and estimated that only 23 percent have been successful. This ultimately calls into question how effective they will be in countering the online behavior of states and their proxies.
Economic sanctions are good alternatives to military action; however, they must be universally applied to be effective. Governments can ignore them or undercut them, thereby reducing their effectiveness. For example, since sanctions were initially imposed against Iran for its nuclear program, China – another U.S. adversary – became Iran’s largest trading partner. What’s more, there is less evidence that sanctions alter the behavior of larger states. For example, the jury is still out how economic sanctions have worked against Iran and Russia.
Economic sanctions seem more attune to influencing equal or smaller sized countries. The study “Economic Sanctions Reconsidered” reviewed 174 cases in the 20th Century and determined that sanctions were only partially successful in 34 percent of the cases based on the type of policy change that was pursued. The success rate significantly increases when trying to compel modest change. Where the objective is more aggressive like regime change or disrupting military activities, the success rate drops considerably.
Perhaps more importantly, sanctions that fail to influence their primary targets can hurt populations. For example, according to the White House in 2014, sanctions imposed on the Ivory Coast, Democratic Republic of the Congo, and Sudan put a significant portion of their populations on the ragged edge of survival.
Challenges for Cyber Sanctions
Cyber sanction success will be measured by how they are able to alter a target government’s behavior. However, effectively implementing cyber sanctions against the right recipient will be an ongoing challenge. There are a few assumptions that must be made prior to imposing cyber sanctions:
1. The associated costs will impact the target government significantly enough to actually influence a behavior modification.
2. Once sanctioned, the target government is willing to modify its behavior.
These assumptions are grounded on the fact that there is satisfactory attribution prior to imposition. And therein lies the first obstacle for the cyber sanctions program as determining attribution remains a difficult and contested endeavor among security professionals and government.
While 100 percent attribution may not be required (as might be required for a “hack back” or kinetic strike retaliation), assigning a confident level of responsibility is. Mistakenly imposing sanctions could potentially cause serious consequences with foreign governments.
More importantly, the victimized government will have to provide evidence for how the determination was made. This will be important to inform the global community that sanctions were not imposed carelessly. It will also give warning to future perpetrators of the types of activities that will receive a similar response in the future.
Some believe that attribution will be a futile effort, despite some opinions from U.S. officials to the contrary. Jeffrey Carr believes that unless actors are incompetent, being able to identify them will be nearly impossible. Thomas Rid and Ben Buchanan concur with this assessment noting that attribution is difficult in cyberspace. Cybercriminals often cover their tracks and use several technologies to achieve this end. Foreign governments can easily send operatives to other countries, using foreign language malware, and typing on foreign language keyboards to hide their true identities to thwart technical analysis.
The convergence of criminal and espionage cyber activity further muddies the waters. “As-a-Service” offerings in the criminal underground include tools and operations that have been used by both types of actor sets. Given these realities, it’s easy to see why traditional technical analysis alone is not enough to assign guilt in hacking incidents. This is why some like the Atlantic Council are in favor of assigning levels of state responsibility instead.
Lack of Definitions Leads to Lack of Understanding
One major shortcoming for the EO is that it doesn’t define what constitutes hostile cyber-enabled activity. Currently written, hostile cyber-enabled activities would have to be harmful to national security, economic health, or foreign policy to warrant sanctions. The glaring problem here is that the EO offers little insight into how such conclusions will be made, or what they will be weighed against. The Department of Treasury (DoT) provides a little more fidelity into this on its website, providing examples of typical breach activities. However, quantifying what constitutes “harm” remains elusive, and left to be determined on a case-by-case basis.
Keeping this nebulous may be part of the overall strategy. Actors unsure of thresholds may well be deterred to engage in activity that would result in sanctions. Yet, the opposite holds true as well. Undefined red lines could result in increased activity from nation state actors in seeking to test boundaries. Imposing harsh sanctions for events that do not meet a transparent set of criteria risks sending the wrong message to a foreign power, and may inadvertently welcome reprisals and escalation.
North Korea–Can Cyber Sanctions Influence a Rogue State?
On January 2, 2015, the U.S. Government levied additional sanctions against North Korea in response to North Korea’s alleged hacking against Sony Pictures. This round of sanctions designated three North Korea entities–the Reconnaissance General Bureau, the Korea Mining Trading Corp., and the defense-industry focused Korea Tangun Trading Corp – in addition to 10 government officials for further sanctions. While these round of sanctions occurred prior to the recent EO, and the targeted individuals/organizations were not implicated in the Sony attack, they do provide some insight into how cyber sanctions could be applied against a government.
The U.S. government believed it had enough evidence to implicate North Korea and presented technical evidence as proof of culpability. However, this was met by resistance from some in the security community who provided counter narratives based on their own investigations. Alternative hypotheses by two private sector security specialists surfaced in which findings pointed to a former Sony employee, and Russian hackers, respectively. The fact that alternative possibilities weren’t even considered by the U.S. government proved equally frustrating, given the known difficulties of attributing cyber attacks, particularly from advanced actors.
Sanction imposition was largely seen as a symbolic gesture. Franklin Foer notes that as a rule, sanctions have better success against important trading partners than with self-isolated countries. Sanctions levied against North Korea have failed to influence the government’s nuclear tests as well as its illicit transfers of North Korea-related conventional weapons, goods, and technologies. Therefore it makes sense that cyber sanctions would follow a similar trajectory – more statement than results driven.
Cyber sanctions gain little ground with a country like North Korea that stands to lose little. It can be argued that since imposition of the January 2015 sanctions, North Korea has not engaged in a hostile cyber act against U.S. interests. However, that may be more the result of the lack of inciting socio-political catalysts than because sanctions are “hurting” the regime.
Most of the suspected North Korea cyber activity such as the 2014 Sony hack, the 2013 South Korea wiper malware incident, and the 2009 DDoS attacks against South Korea and the United States, were brought about by events perceived as threatening to North Korean interests, rather than the government’s involvement in pervasive cyber espionage. So to infer that sanctions have successfully deterred further North Korean cyber activities against the United States is misleading.
The United States has never been a frequent target of these suspected activities in the first place. It will be telling if the increased March 2016 sanctions will elicit a cyber response from North Korea. But based on past history, direct threats to North Korea’s sovereignty (e.g., joint military exercises with South Korea as observed in the 2013 incident cited above) and not economic sanctions have solicited this kind of non-kinetic response.
Will China Eventually End Up on the Sanctions List?
China is suspected of being in a longstanding cyber espionage campaign against the United States, as well as other nations. In order to avoid cyber sanctions, in September 2015 China and the United States agreed that neither country would knowingly support hacking for commercial competitive advantage. Shortly thereafter, China arrested hackers identified by the United States as a demonstration of its commitment to helping preserve a safe and stable cyberspace.
Many do not believe that China will live up to its part of the agreement. The U.S. Director of National Intelligence for one has expressed skepticism, and one security vendor purportedly detected Chinese espionage activity after the pact was signed. Nevertheless, Washington has adopted a “wait-and-see” attitude and will have to ultimately determine if the imposition of cyber spying of greater importance than other geopolitical interests.
Even if cyber sanctions are effective, there may be times when the United States chooses not to leverage in them in favor of getting other concessions.
As noted by Bonnie Glasser, a senior fellow at the Center for Strategic and International Studies, the U.S. has a vested interest in preserving stability in the U.S.-China relationship. Continuing to secure Beijing’s cooperation on an expanding list of regional and global issues and more tightly integrate China into the prevailing international system is in the United States’ security interests.
Pressing international issues that Washington seeks Beijing’s assistance with include influencing the behavior of states like Iran and North Korea, soliciting Beijing support on climate change, and addressing maritime disputes in the East and South China Seas.
When the United States indicted the five PLA officers for cyber espionage, Beijing’s first reaction was to immediately remove itself from cyber security talks between the two governments. In June 2016, the two sides met for the first time since signing the no-hack agreement to discuss cyber security, among other topics. Given other geopolitical needs and interests, the United States must carefully consider if the benefits of implementing cyber sanctions outweigh other policy options with regards to China.
Prior to Chinese Communist Party leader Xi Jinping’s 2015 state visit, the threat of sanction imposition prompted a meeting between senior officials of both governments to reach a consensus that resulted in their historic no-hack agreement. In this regard, the threat of sanctions may be better served to compel nation states to alter behavior rather than deter it.
Regardless that past history has demonstrated that economic sanctions are at best marginally effective, the question remains: what can be expected to happen if cyber sanctions are indeed successful?
While sanctions may influence the reduction of some of the volume of cyber espionage activity, it is doubtful that they will stop it all, particularly if it is supporting national level objectives and priority collection requirements.
An unintended result of the successful implementation of cyber sanctions is forcing adversaries to change previously known methods of operation in order to circumvent monitoring. A possible explanation as to why some of the cyber espionage activity appears “brazen” may simply be because there is no reason not to be. Successful cyber sanctions may change that, and in turn, defenders may have to resort from starting over in identifying and tracking the threat.
Furthermore, cyber sanctions do not take into consideration “as-a-service” business models proliferating in the underground. Some may be working on behalf of a foreign government on a contractual basis but what about those that do not? The case of Su Bin is one such incident of an espionage group stealing information and looking for a buyer rather than being directed by a customer.
It is uncertain how a determination will be made as to whether or not a state or non-state entity benefited from cyber theft. Attribution in cyberspace is notoriously difficult, and if nation states continue to distance themselves from such acts via complicit or an unwitting series of cut-outs and proxies, the U.S. government and others that may follow suit will have to come up with a strategy to address these considerations.
A Dynamic Landscape
This is not to say cyber sanctions are doomed to fail. On the surface they seem to be a viable alternative to other more aggressive forms of deterrence such as hack-backs, or kinetic world options.
But until there is a successful example of how they can be implemented questions remain. How will sanctions work against those actors causing major breaches like Heartland Payment Systems, Target, or Home Depot that caused significant economic impacts? Or will significant incidents like these be overlooked in favor of other more provocative acts of cyber malfeasance?
Furthermore, cyber sanctions will face the challenge of being meted out with consistency. Failing to do so can result in misinterpretation, and if not administered on a recipient that may be friendlier to the United States, can undermine the legitimacy of sanctions as an instrument of punishment/deterrence, and worse, potentially damage the credibility of the government.
The U.S. government appears to rely on sanctions as its preferred method of deterrence and influence. As economic sanctions have yielded limited success, cyber sanctions may be best served not as a deterrent, but as a means of coercing state behavior. Even though it did not admit to conducting cyber espionage (the five PLA officers arrested were considered a criminal matter), the 2015 no-hack pact made Beijing acknowledge that cyber theft for commercial competitive advantage was not acceptable state behavior.
The dynamic landscape of cyberspace has always historically favored the attacker over defender. As hostile cyber actors learn to circumvent being tied to questionable activity in the first place through proxy use, better operational security practices, operating out of third party countries, U.S. use of cyber sanctions, may ultimately be an example of going to the well once too often.