What Is the Role of Unilateral Cyber Sanctions in the Context of the Global Cybersecurity Law-Making?

Cybersecurity is part and parcel of the modern concept of national security. The growing incidence and severity of cyber-attacks attest to the veracity of this statement. Moreover, the development and deployment of new technologies embed significant cybersecurity risks. For example, the rollout of 5G puts cybersecurity threats at the forefront of the pertinent discussions on whether some suppliers are high-risk vendors.

Notwithstanding the growing importance of cybersecurity, global rules regulating responsible conduct in cyberspace do not exist. This unfortunate outcome persists despite the efforts made at the UN as well as at regional organizations to set rules for responsible behaviour in cyberspace. For instance, Russia is not a party to the Budapest Convention on Cybercrime – probably the most important cybercrime treaty to date. Similarly, initiatives led by the private sector, such as those undertaken by Microsoft, did not materialize in global binding norms. The academic community’s efforts that led to the formulation of the Tallinn Manual and the Tallinn Manual 2.0 also remain of limited practical value as they are non-binding documents regardless of their gravitas.

This legal vacuum paved the way for unilateral responses. Apart from diplomatic statements condemning malicious cyber-enabled actions, states have started adopting regulations allowing the imposition of unilateral economic sanctions (non-UN sanctions) against foreign nationals, legal entities and even government bodies involved in detrimental cyber activities. These sanctions have been dubbed “cyber sanctions”. This development not only reinvigorates the long-lasting debate on the legality of unilateral economic sanctions and their relationship with WTO law but also sheds light on what types of malicious cyber activities are of particular concern for states. The latter aspect of cyber sanctions is discussed in this blog post.

Defining Unilateral Cyber Sanctions

Cyber sanctions are unilateral economic restrictions imposed according to the domestic laws of individual states and aimed at deterring as well as punishing actors responsible for malicious cyber-enabled behaviour. In 2015, the United States (US), confirming its status as a global standard-setter in the imposition of economic sanctions, introduced the first cyber-specific sanctions program. A year later, this sanctions program was expanded to include cyber-enabled election interference to the list of sanctionable conduct. On 15 April 2021, a new executive order was adopted authorizing, among others, sanctions to counter Russia’s facilitation of malicious cyber activities against the US and its allies. The European Union (EU) issued the relevant regulation in 2019 with its first designations being effective since 2020. The United Kingdom (UK) followed the pattern and adopted its cyber sanctions regulation in 2020. In December 2021, the Australian parliament voted in favour of the thematic sanctions bill, which among other sanctions programmes authorizes sanctions in response to significant malicious cyber activity.

As we have argued elsewhere, cyber sanctions may violate various obligations under international law, including WTO commitments and obligations under international investment agreements (IIAs). To be justified as legal countermeasures – i.e., self-help measures, the use of which is permitted under customary international law of state responsibility as it is reflected in the Articles on Responsibility of States for Internationally Wrongful Acts, cyber sanctions should be imposed in response to a prior violation of international law, which should be attributed to a particular state, which is sanctioned as a result. The absence of a legally binding international obligation on responsible state behaviour in cyberspace reinforced by the formidable problem of attributing a cyber-attack to a particular state makes any efforts to label cyber sanctions as countermeasures futile. Furthermore, it is also debatable if national security exceptions enshrined in the WTO Agreements and the IIAs can justify such measures. In particular, the WTO national security exception, which is often incorporated in the IIAs, requires that actions necessary for the protection of essential security interests are taken “in time of war or other emergency in international relations”. For a cyber-attack to meet the threshold of being “other emergency in international relations”, as it is interpreted in the relevant case law, it should engender a significant disruption of government functions for an affected state and be carried out by another state, and not by a non-state actor.

Commentators took note of the states’ willingness to use instruments of economic pressure to deter and punish malicious cyber-enabled conduct. At the same time, they have defined obstacles preventing states and regional organizations from deploying cyber sanctions more frequently and more efficiently: for example, rules and practices on the attribution of responsibility for cyber-attacks are incoherent among the EU member states, thus causing delays and undermining the EU’s coordinated response to harmful incidents in cyberspace.

Despite their questioned legality, the formulation and use of cyber sanctions warrant further discussion. Specifically, state practice regarding the formulation of relevant cyber sanctions frameworks as well as their use can exemplify what actions could constitute malicious cyber behaviour or even criminal offences in cyberspace. Against this background, we discuss what types of malicious cyber conduct warrant designation under cyber sanctions.

What Actions Constitute Sanctionable Conduct under the Existing Cyber Sanctions Frameworks?

The US cyber sanctions framework applies to “malicious cyber activities”. This concept is left undefined in Executive Order 14024 regarding ‘Blocking Property With Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation’. However, previous Executive orders shed light on what the concept of malicious cyber activities may entail, namely:

(i) malicious attacks on computers/computer networks supporting critical infrastructure sectors, or causing significant disruptions,

(ii) cyber theft and trade secrets misappropriation through cyber-enabled means, and

(iii) misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.

Furthermore, pursuant to the US cyber sanctions framework, in particular the Executive Order 13694, sanctions can be imposed against “any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State” on the grounds of being responsible for or complicit in, or for having “engaged in, directly or indirectly” in malicious cyber-enabled activities. Additionally, the US framework allows for the imposition of cyber sanctions against persons that have “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of” malicious cyber-enabled activities. Moreover, the US cyber sanctions apply to the legal entities that are “owned or controlled” by the sanctioned individuals and entities and to anyone who has “acted or purported to act for or on behalf of, directly or indirectly,” sanctioned individuals and entities. Furthermore, anyone who has attempted to engage in any of the abovementioned activities could also be sanctioned.

In line with these statutory powers, the US has sanctioned persons responsible for the distribution of malware, ransomware, and phishing. Other illustrative examples of cyber sanctions’ use are sanctions imposed in response to interference with electoral processes by means of false information and hacking as well as sanctions punishing the cyber espionage activities that were part of the notorious SolarWinds cyber-attack. The recent wave of US cyber sanctions includes sanctions targeting the facilitation of ransom payments and cryptocurrency exchanges.

The EU cyber sanctions framework allows the imposition of sanctions – restrictive measures in the EU’s terminology – to deter and punish cyber-attacks that have a significant effect and constitute an external threat to the Union or its member states. Under certain circumstances, the EU cyber sanctions can also be imposed if malicious cyber activities injured third states or international organizations and if such attacks have had a significant effect. The relevant regulations define cyber-attacks as:

(i) access to information systems;

(ii) information system interference;

(iii) data interference; or

(iv) data interception,

where such actions are not duly authorized by the owner or by another right holder of the system or data or part of it or are not permitted under the law of the Union or of the member state concerned. Like the US regulations, data interference also covers theft of data, funds, economic resources, or intellectual property.

The EU imposed cyber sanctions to punish actors responsible for the attempted cyber-attack against the Organization for the Prohibition of Chemical Weapons and the other attacks known as ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’. Later, in October 2020, two Russian intelligence officers and a unit of the Russian military intelligence services (GRU) were sanctioned for their involvement in the hacking German parliament in 2015.

The UK cyber sanction regulations contain the definition of cyber sanctions and the categories of sanctionable malign cyber activities similar to the EU regulations. According to a new Australian Autonomous Sanctions Amendment Bill, sanctions can be imposed for ‘malicious cyber activity’. Neither the Bill nor the explanatory memorandum provides any clarity regarding the ambit of the concept ‘malicious cyber activity’, thus leaving it open to interpretation.

What Does the Future Hold for the Regulation of Cyberspace?

There can be several pathways to how norms regulating responsible state and non-state behaviour in cyberspace can emerge. The first and the preferred way to create new norms for the regulation of behaviour in cyberspace is to agree on certain principles and rules and enshrine them in an international treaty. In this context, it should be noted that the UN Members have begun negotiations towards a new Cybercrime Treaty earlier this year. It remains to be seen whether they will be fruitful or reflect the existing tensions between the UN Member states as they have become apparent in the numerous discussions under the auspices of the UN.

As international negotiations on the cybercrime treaty continue, the pertinent practice of states in applying cyber sanctions can provide important insights into what types of cyber activities have been deemed to constitute malicious conduct or even cybercrime. This can help to clarify, for instance, whether cybercrime also covers cyber-enabled crime, such as the criminalization of content-related conduct. This aspect is highly debatable due to possible human rights repercussions.

Given the complexity of agreeing to foundational definitions of cybercrime in a multilateral context, this blog post has offered a review of the current practices of the US, EU, UK and Australia on sanctioning malicious cyber conduct. The authors reckon that if the situation of the lack of international norms regulating conduct in cyberspace persists, the use of cyber sanctions in response to malign actions in cyberspace could intensify. This is even more likely given the current global security considerations and the growing role of economic sanctions. Such increased use of cyber sanctions may signal the emergence of customary international law regarding what types of wrongful conduct in cyberspace should trigger punishment. This is what we call the “normative value” of cyber sanctions.