Sanctions have long been an important means through which governments pursue their political, economic and diplomatic goals. These measures can target nation states, organizations or individuals for a variety of purposes, including prohibiting certain activities, forcing behavioral change or simply sending a political message.
Notably, sanctions have formed a major component of the West’s response to Russia’s ongoing invasion of Ukraine. These sanctions aim to hinder and limit the financial capabilities of the Russian government and high-ranking individuals, as well as sending a strong message of condemnation for the Kremlin’s actions.
Recent years have seen an extension of this approach in the form of cyber sanctions; rules specifically designed to penalize cyber threat actors.
Speaking to Infosecurity, Theresa Payton, CEO and president of Fortalice Solutions and former White House chief information officer, explained the aims of these measures: “The primary purpose or message of cyber sanctions issued by national governments in recent years is to deter malicious cyber operatives that threaten national security, economic stability and democratic processes.
“By imposing sanctions on individuals, entities or countries responsible for cyber-attacks or cyber espionage, governments seek to hold those actors accountable for their actions and demonstrate that there are consequences for engaging in such activities.”
Often, individuals and groups suspected of cyber-criminal activities are physically beyond the arm of law enforcement, especially when the suspects reside in so-called ‘safe havens’ like Russia and China.
Sanctions therefore offer a viable alternative to arrest and imprisonment in targeting threat actors.
A Brief History of Cyber Sanctions
The US issued its first cyber sanctions in 2015, in the form of President Obama’s Executive Order 13694, subsequently revised in 2016. This “authorized the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities that result in enumerated harms that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the US.”
The penalties include the freezing of any assets the relevant organizations or individuals have in the US and travel restrictions to the region.
In 2020, the EU entered the world of cyber sanctions by issuing a range of penalties, including travel bans and the freezing of assets, against six individuals and three entities from Russia, China and North Korea who were “involved in significant cyber-attacks or attempted cyber-attacks against the EU or its Member States.”
The use of cyber sanctions moved further into the spotlight in February 2023 when the US and UK governments announced joint measures against seven Russian cyber-criminals who are members of the notorious Trickbot malware gang. The group, which has links to Russia’s Intelligence Services, was blamed for developing ransomware strains targeting critical services in the US and UK.
Cyber sanctions are now a common mechanism by which governments can respond to cyber-threats to public services and critical infrastructure, but it is important to ascertain whether they have a meaningful impact on disrupting and deterring cybercrime.
Real-World Impact
Attribution for cyber-attacks is notoriously difficult compared to traditional forms of crime, given the lack of geographical boundaries and relative anonymity afforded to perpetrators.
“The challenge with sanctions for malicious cyber activity is often the unnamed individuals to impose sanctions on,” acknowledged Payton.
However, authorities and organizations are becoming increasingly adept at identifying those responsible, even if it can take a long time.
Discussing the recent US and UK joint sanctions, Robert Hannigan, chairman, international business at BlueVoyant and former director at the UK’s intelligence agency, GCHQ, noted: “Deciding which individuals to sanction requires a great deal of careful investigation and attribution work. The very detailed documents issued by the FBI, the US Treasury and Department of Justice illustrate how much material has been collected and how much is known about these groups.”
Nevertheless, even when the perpetrators of specific attacks have been identified and sanctions issued, there is understandably skepticism that such measures will limit the ability to launch attacks in any way, especially against people residing in countries like Russia. In fact, issuing sanctions on groups and individuals may even provoke further attacks against that country.
As a result, it can be tempting to view cyber sanctions as little more than political posturing, with limited practical benefit.
“Sanctions make it harder for cyber-criminals to launder money and ‘cash out’ the profits of cybercrime”
“The direct impact of sanctions against individuals based in Russia, who are beyond the reach of law enforcement, is inevitably limited,” admitted Hannigan.
Yet, experts highlight the indirect impact of such sanctions on cyber-criminal groups’ increasingly sophisticated business models. Economic sanctions, such as freezing assets, makes it more difficult for threat actors to move and access their illicit gains in the regions they have been sanctioned in.
“Sanctions make it harder for cyber-criminals to launder money and ‘cash out’ the profits of cybercrime,” observed Hannigan.
Ultimately, this creates more financial risk for those groups.
Impact on Ransomware
Governments hope that cyber sanctions can have a particular impact in the fight against ransomware, which has had a devastating societal impact in recent years. As cyber sanctions prohibit individuals or financial institutions from engaging in transactions with designated individuals, they essentially criminalize extortion payments to them. This is a de facto way of making ransomware payments illegal, placing an onus on the victims to decide whether they want to risk punishment from their government for acquiescing to a demand from sanctioned groups and individuals.
Brian Honan, CEO of BH Consulting, explained: “In the case of a ransomware attack, if there are sanctions in place against those involved in the gang or the countries where those criminals are suspected of being located, then an organization paying the ransom could be fined or punished by its own national government.”
On one hand, this may not necessarily deter ransomware actors from launching attacks as it is ultimately for the victim organization to decide whether to pay up, he said.
However, the imposition of sanctions will hopefully “force organizations and cyber insurance companies who may have as part of their response plan to a ransomware attack the option to pay the ransom, to rethink that strategy and maybe invest more in ensuring their business is more resilient to a cyber-attack,” commented Honan.
Another potential, albeit rarer, consequence of cyber sanctions, is that they give law enforcement the power to make quick arrests should targeted individuals attempt travel to a region they are banned from.
Hannigan noted: “Occasionally, individual cyber-criminals have been arrested and prosecuted by the FBI when travelling to third countries.”
Additionally, the psychological effect of cyber sanctions should not be underestimated, according to Honan. “Imposing sanctions has the effect of highlighting the individuals and organizations that are behind cybercrime. It sends a message to them that the authorities know who they, that the authorities are taking action against them, and given the opportunity, will take further actions, such as arrests, against them.
“In effect, sanctions make the life of a cyber-criminal that bit more difficult as their lifestyle is impacted and the risk of being arrested increases should they travel to certain countries,” he added.
The Future Role of Cyber Sanctions
Sanctions are now viewed as an important weapon in the fight against cybercrime by governments and law enforcement.
It is an approach that is likely to become more common as the threat landscape expands. Hannigan said: “We will see more of this as governments continue to look for a range of levers to disrupt the cyber-criminal business model, even when they can’t reach the individuals because they are protected by Russia or other countries.”
Yet, going forward, governments should look to use this approach in coordination with other international efforts to disrupt cyber-criminal activity rather than as an isolated policy, as is often currently the case. Honan argued that the rise of cyber sanctions is, in part, a symptom of the ineffectiveness of current international laws and treaties in fighting cybercrime.
“Many of the laws and treaties used to fight cybercrime are decades old and in many cases were in place before the Internet came into being. So, it is one of the few legal options governments have to place against individuals or groups. Particularly those that operate from jurisdictions that turn a blind eye to, or indeed are complicit in, their criminal enterprises,” he said.
Payton concurred and believes that like-minded nation-states should also be working together to improve and evolve cyber sanctions to enhance their effectiveness.
“I anticipate sanctions will increase towards country-specific sanctioning. The world’s leaders need to come together to establish treaties and protocols as cyber-related sanctions alone will not deter malicious operatives,” she outlined.
Sanctions cannot alone tackle cybercrime but should form a component of broader intergovernmental efforts to disrupt threat actors and make vectors like ransomware less profitable, ultimately making the digital world a safer place.