Unilateral Economic Sanctions to Deter and Punish Cyber-Attacks: Are They Here to Stay?


In June 2021 during the Biden-Putin summit, President Biden stated that critical infrastructure should be “off-limits” to cyber-attacks and handed over a list of 16 areas of critical infrastructure that under no circumstance should be targeted by cyber-attacks. This took place after the SolarWinds cyber-attack that was described by SolarWinds Vice-President as “your worst nightmare”. The attack was followed by tough US unilateral sanctions – precisely, sovereign debt sanctions against Russia and sanctions targeting six Russian technology firms for their support of the Russian Intelligence Services’ cyber program.

This attack as well as many others (e.g., NotPetya or WannaCry) illustrate the current problem in international law: a lack of binding norms regulating conduct in cyberspace. As a result, states are left with only a few options of how to respond and prevent cyber-enabled malicious conduct. Among the available alternatives, unilateral cyber sanctions are gaining momentum. The relevant sanctions frameworks have already been introduced by the United States, the European Union, and the United Kingdom. On 2 December 2021, the Australian Parliament passed the Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Bill 2021, which allows the imposition of sanctions in response to significant malicious cyber activity.

This post provides a short take on the use of unilateral cyber sanctions against the background of growing incidence and severity of cyber-attacks and failed international efforts to regulate malicious cyber-enabled conduct, their legality and potential normative value.

The growing incidence and severity of cyber-attacks

The news of a devastating SolarWinds cyber-attack – dubbed “a huge cyber espionage campaign” – broke in late December 2020. In a nutshell, Orion, a popular network management software program provided by the Texas-based company SolarWinds, was compromised, and malicious code was inserted into one of its routine software updates. The update was then installed by thousands of the company’s customers without a second thought. The attack compromised private companies as well as US federal agencies, including the Department of Justice and the Department of the Treasury. In doing so, it revealed cybersecurity vulnerabilities not only in major US information technology companies but also in certain US government agencies. Hackers were able to spy on them for many months. The aspect of the SolarWinds cyber-attack that causes the greatest concern is that “the same access that gives […] the ability to steal data could also allow […] to alter or destroy it.”

It was estimated that the attack was “likely Russian in origin” and that it was carried out by more than 1,000 professional engineers. Russia has denied any responsibility for the attack.

Any attribution of a cyber-attack is not only technically burdensome but also politically and legally problematic. It is also time-consuming. In this regard, cybersecurity expert Robert Knake observes: “Assigning responsibility for a cyberattack to a specific organization or country is more of an art than a science”.

Apart from SolarWinds, other cyber-attacks of note in the past few years include the WannaCry and NotPetya attacks in 2017 and the attack on a Ukrainian power grid in 2015. The WannaCry cyber-attack was carried out by the use of a virus together with ransomware, which encrypted data on computers and demanded payment to restore access. It changed the history of ransomware attacks by being the first “ransomworm” known to the world. The NotPetya attack was at odds with other known ransomware attacks: the malware that spread from Ukraine while demanding payment to restore access to users’ files was “deliberately engineered to damage IT systems rather than extort funds”. The attack on the Ukrainian power grid was the first confirmed attack to take down a power grid. It affected more than 230,000 residents and left the control centers not fully operational for several months. It should be noted that Ukraine has long been embroiled in cyberwarfare, with some even arguing that the country has become a “test bed for Russian cyberweaponry”.

The latest in line are cyber-attacks on health-related institutions. The COVID-19 pandemic spawned an influx of cyber-attacks against healthcare systems and research institutions, as well as “an epidemic of online misinformation”.

International efforts to regulate malicious cyber-enabled conduct: is the glass half empty or half full?  

Notwithstanding the detrimental effects and growing prevalence of cyber-attacks, international norms regulating responsibility for state and non-state conduct in cyberspace are non-existent. A brief snapshot follows; interested readers may wish to access a detailed analysis here.

Starting from 1999, the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, and since 2018 the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (GGE), have been the main inter-state forums for discussion of the use of information and communications technologies and of global cyber norms. In 2018, as a symbol of the lingering tensions among GGE members (mainly the United States and the Russian Federation), an Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (OEWG) was established at the initiative of the Russian Federation. The main difference between the GGE and the OEWG is their composition. While the GGE allows the participation of 25 UN members, the OEWG is open to all interested UN members as well as inter-governmental and non-governmental organizations. As of this writing, the work of these groups has not resulted in any binding international commitments regulating behaviour in cyberspace. The reports endorsed in 2021 by the GGE and the OEWG for advancing peace and security in cyberspace are not binding.

The development of norms regulating behaviour in cyberspace has also been debated within regional organizations such as the African Union and ASEAN, yet their progress remains rather limited.

Despite the reinvigorated negotiations of a plurilateral trade agreement on e-commerce under the auspices of the WTO, the organization is an unlikely venue for discussing responsibility for state behaviour in cyberspace. This is buttressed by the WTO members’ submissions in this context, which do not address cybersecurity thoroughly. Also, the relevant provisions in multilateral and bilateral trade agreements are of narrow scope and of a cooperative nature only.

The soft law instruments – the Tallinn Manual and the Tallinn Manual 2.0 – emerged as the most authoritative articulations of international law governing cyberspace, even though they are not binding.

Unilateral cyber sanctions: questioned legality and normative value

When international cooperation fails to take root, unilateralism blossoms – as we see in the field of cybersecurity. Unilateral cyber sanctions are restrictive economic measures of a temporary nature imposed against individuals, legal entities, government bodies and officials that conduct or facilitate cyber-attacks or engage in other malicious cyber activities. They are imposed without any prior authorization of a regional or an international organization, i.e., according to states’ domestic laws.

The 2014 cyber-attack on Sony Pictures Entertainment, as a result of which private data, including unreleased movies, was stolen, emails were hacked and thousands of confidential documents were leaked, paved the way for US cyber sanctions targeting North Korea, thus adding pressure on one of the most sanctioned countries in the world. In the following years, the United States expanded its cyber sanctions framework and used it to sanction malicious actors as well as the states sponsoring them.

The European Union introduced a new framework for cyber sanctions in 2019, and the first cyber sanctions under it were announced in July 2020. Several non-EU states expressed their desire to align with the EU cyber sanctions. The United Kingdom closely follows the EU cyber sanctions and enacted the Cyber Sanctions Regulations, which came into force on exit day.

Leaving aside the politically salient debate on the legality of unilateral economic sanctions, the next paragraphs are devoted to the analysis of international law obligations that unilateral cyber sanctions may breach. A more in-depth analysis can be found here.

The existing cyber sanctions target government bodies as well as senior government officials and thus may entail the freezing of government bodies’ assets along with travel bans on senior government officials. Freezing government bodies’ assets may in theory violate the customary international law of state immunity, yet this is debatable. In particular, whether state property benefits from enforcement immunity irrespective of the existence of a court proceeding is unsettled. Travel bans preventing senior government officials from fulfilling their functions encroach on the immunities guaranteed to such officials under international law, but this immunity is only guaranteed to officials who represent the government and travel to other states for that purpose.

The consistency of unilateral cyber sanctions with minimum due process rights may also be questioned. For example, persons targeted under the EU cyber sanctions regime are guaranteed the right to good administration, the right to an effective remedy and the right to a fair trial, which are enshrined in the Charter of Fundamental Rights of the European Union. These guarantees are frequently invoked in disputes challenging EU economic sanctions. Besides due process rights, other possible grounds to question the legality of unilateral cyber sanctions are the right to property, the right to family and private life and the prohibition of attacks on honour and reputation, which are guaranteed under various international human rights treaties as well as domestic laws.

Against this backdrop, states may advance the argument that cyber sanctions are justified as countermeasures. Indeed, states are allowed to impose countermeasures if certain preconditions are met. First and foremost, there must be a prior violation of international law, which the countermeasures seek to remedy. Second, that violation must be attributable to a state. Third, countermeasures must not affect obligations for the protection of fundamental human rights. Furthermore, countermeasures must be proportional, temporary and adopted only after the procedural prerequisites have been fulfilled. Even a shallow analysis demonstrates that the possibility of justifying cyber sanctions as countermeasures is hindered by two main hurdles: the lack of internationally agreed obligations regulating malicious behaviour in cyberspace, and the attribution of cyber-attacks to a state under the rules of state responsibility.

Unilateral cyber sanctions may also violate bilateral agreements of an economic nature and WTO commitments. By imposing unilateral cyber sanctions that either entail a complete economic boycott of sanctioned persons, as is the case with the US cyber sanctions, or prohibit the provision of funds and economic resources to sanctioned individuals and entities, as the EU regulations prescribe, states are blatantly acting in contradiction to their professed WTO commitments. Whether such actions can be justified either under national security exceptions embedded in bilateral agreements or under the WTO national security clause is debatable. Moreover, cyber sanctions such as the freezing of assets, property and interests in property can result in legal claims of indirect expropriation, violation of the Fair and Equitable Treatment standard and other standards of treatment incorporated in international investment agreements.

As to the normative value of cyber sanctions, they may signal “red lines” of unacceptable behaviour in cyberspace and in this way contribute towards the formulation of rules on responsible behaviour in cyberspace.

Given the ever-growing digitalization of all aspects of life and the steadily increasing number of cyber-attacks, it is expected that states will increasingly rely upon unilateral cyber sanctions to deter and punish cyber-attacks and their perpetrators. In this context, one may ponder what role is left for multilateralism when society is faced with imminent threats and there is a lack of effective international cooperation, and whether, in such circumstances, unilateralism should be discussed and explored more openly.
