October 01, 2015

The Right Way to Sanction Cyber Threats

By Peter Harrell

As cybersecurity was a major topic for President Obama’s summit with Chinese Premier Xi Jinping, the Obama Administration has a clear opportunity to use U.S. economic sanctions to strike back against the hackers who undermine U.S. business and threaten our key civilian computer networks. Deployed correctly, a targeted, tough economic sanctions program can inflict costs on hackers and others who threaten us online and begin to establish a powerful deterrent tool to use against foreign companies that seek to exploit stolen American information. Deployed poorly, however, cyber sanctions risk simply irritating China and other foreign governments without having a meaningful impact—and could invite retaliation against U.S. tech companies around the world. The U.S. needs to get cyber sanctions right.

First, the Obama Administration needs to draw a clear distinction between cyber attacks against the U.S. private sector and against U.S. civilian infrastructure on the one hand and espionage against the U.S. government and military on the other. Governments have always spied on each other, and sanctions are not an appropriate response to activities that are essentially traditional espionage using new means. Sanctions targeting espionage against U.S. government networks could set an unfortunate precedent for a foreign government to impose sanctions on a U.S. technology or other company alleged to be cooperating with U.S. intelligence. As the recent hack on the U.S. Office of Personnel Management shows, the U.S. government needs to harden its defenses against intrusions, and should use the full range of diplomatic tools to express our anger—but sanctions are not an appropriate tool to retaliate for all cyber threats.

Corporate espionage, such as the theft of American trade secrets, and attacks designed to disable U.S. civilian networks and infrastructure, are entirely different. The U.S. has traditionally refrained from industrial espionage, and has never given foreign trade secrets to U.S. companies to provide American business with an unfair advantage. Attacks that threaten to disable civilian infrastructure are well outside the bounds of traditional espionage. Sanctions on these kinds of activities, and the organized cyber crime that costs U.S. business billions of dollars every year, can inflict long-overdue costs on those responsible for one of our top national security threats.

Second, cyber sanctions should not only be about China. Chinese-backed hacking presents a major challenge that must be addressed, but the simple fact is that U.S. companies are under daily assault from cyber attacks by Russia, terrorist groups in the Middle East, organized criminals in Europe, and rogue actors who need little more than a laptop and an internet connection to start their attacks. The U.S. government should impose sanctions on a set of these different hackers to send a clear message that we will take action against the full range of cyber threats, and not give some countries a free pass while singling out others.            

Third, U.S. sanctions should hit economically important targets, and should have real economic bite. It may be tempting to simply target low-level operatives who have little business in the U.S. as a way to “send a message” while minimizing the diplomatic repercussions that will come from sanctioning businesses higher up the food chain. But this approach will not effectively deter the government ministries and companies that seek to benefit from stolen American secrets. Sanctions should hit groups and companies that will feel the pain of assets being frozen and getting cut off from the U.S. economy.

Fourth, the U.S. needs a defensive plan ready to go before sanctions are imposed. With a little luck, given recent global market turmoil, foreign leaders will avoid taking retaliatory steps, like imposing counter-sanctions on U.S. companies, that would spook international businesses operating in their country. But the U.S. needs to be ready to respond to retaliatory measures, whether counter-sanctions on U.S. companies or retaliatory cyber attacks on U.S. networks.

Finally, cyber sanctions will require the U.S. Treasury Department Office of Foreign Assets Control (OFAC), which administers U.S. sanctions, to get smarter about the tech sector. OFAC has traditionally administered sanctions on the financial sector, and has deep banking expertise. Cyber sanctions will raise a host of questions and compliance issues for tech companies—for example, is a network infrastructure company obliged to take action to prevent a sanctioned cyber actor from accessing its networks? Treasury needs the expertise to engage with the U.S. tech community and work through the implementation challenges that will inevitably arise.

Over the past decade, economic sanctions have become one of the principal tools in the U.S. foreign policy toolkit and have achieved important successes against Iran, Russia, and other rogue actors. Used well, they also have real potential to help the U.S. combat the cyber threats that are one of today’s top national security challenges—but the U.S. needs to get them right.
