October 01, 2015

The Right Way to Sanction Cyber Threats

By Peter Harrell

As cybersecurity was a major topic for President Obama’s summit with Chinese Premier Xi Jinping, the Obama Administration has a clear opportunity to use U.S. economic sanctions to strike back against the hackers who undermine U.S. business and threaten our key civilian computer networks. Deployed correctly, a targeted, tough economic sanctions program can inflict costs on hackers and others who threaten us online and begin to establish a powerful deterrent tool to use against foreign companies that seek to exploit stolen American information. Deployed poorly, however, cyber sanctions risk simply irritating China and other foreign governments without having a meaningful impact—and could invite retaliation against U.S. tech companies around the world. The U.S. needs to get cyber sanctions right.

First, the Obama Administration needs to draw a clear distinction between cyber attacks against the U.S. private sector and against U.S. civilian infrastructure on the one hand and espionage against the U.S. government and military on the other. Governments have always spied on each other, and sanctions are not an appropriate response to activities that are essentially traditional espionage using new means. Sanctions targeting espionage against U.S. government networks could set an unfortunate precedent for a foreign government to impose sanctions on a U.S. technology or other company alleged to be cooperating with U.S. intelligence. As the recent hack on the U.S. Office of Personnel Management shows, the U.S. government needs to harden its defenses against intrusions, and should use the full range of diplomatic tools to express our anger—but sanctions are not an appropriate tool to retaliate for all cyber threats.

Corporate espionage, such as the theft of American trade secrets, and attacks designed to disable U.S. civilian networks and infrastructure, are entirely different. The U.S. has traditionally refrained from industrial espionage, and has never given foreign trade secrets to U.S. companies to provide American business with an unfair advantage. Attacks that threaten to disable civilian infrastructure are well outside the bounds of traditional espionage. Sanctions on these kinds of activities, and the organized cyber crime that costs U.S. business billions of dollars every year, can inflict long-overdue costs on those responsible for one of our top national security threats.

Second, cyber sanctions should not only be about China. Chinese-backed hacking presents a major challenge that must be addressed, but the simple fact is that U.S. companies are under daily assault from cyber attacks by Russia, terrorist groups in the Middle East, organized criminals in Europe, and rogue actors who need little more than a laptop and an internet connection to start their attacks. The U.S. government should impose sanctions on a set of these different hackers to send a clear message that we will take action against the full range of cyber threats, and not give some countries a free pass while singling out others.            

Third, U.S. sanctions should hit economically important targets, and should have real economic bite. It may be tempting to simply target low-level operatives who have little business in the U.S. as a way to “send a message” while minimizing the diplomatic repercussions that will come from sanctioning businesses higher up the food chain. But this approach will not effectively deter the government ministries and companies that seek to benefit from stolen American secrets. Sanctions should hit groups and companies that will feel the pain of assets being frozen and getting cut off from the U.S. economy.

Fourth, the U.S. needs a defensive plan ready to go before sanctions are imposed. With a little luck, given recent global market turmoil, foreign leaders will avoid taking retaliatory steps, like imposing counter-sanctions on U.S. companies, that would spook international businesses operating in their country. But the U.S. needs to be ready to respond to retaliatory measures, whether counter-sanctions on U.S. companies or retaliatory cyber attacks on U.S. networks.

Finally, cyber sanctions will require the U.S. Treasury Department Office of Foreign Assets Control (OFAC), which administers U.S. sanctions, to get smarter about the tech sector. OFAC has traditionally administered sanctions on the financial sector, and has deep banking expertise. Cyber sanctions will raise a host of questions and compliance issues for tech companies—for example, is a network infrastructure company obliged to take action to prevent a sanctioned cyber actor from accessing its networks? Treasury needs the expertise to engage with the U.S. tech community and work through the implementation challenges that will inevitably arise.

Over the past decade, economic sanctions have become one of the principal tools in the U.S. foreign policy toolkit and have achieved important successes against Iran, Russia, and other rogue actors. Used well, they also have real potential to help the U.S. combat the cyber threats that are one of today’s top national security challenges—but the U.S. needs to get them right.
