24 Jan Unilateral Cyber Sanctions and Global Cybersecurity Law-Making
[María Vásquez Callo-Müller is a post-doctoral researcher at the University of Lucerne, working for the Trade Law 4.0 project (Trade Law for a Data-Driven Economy). Iryna Bogdanova is a Fellow at the World Trade Institute (WTI), University of Bern. She holds a Ph.D. degree (2020) from the WTI.]
Since recently, cyber sanctions – unilateral economic restrictions punishing actors responsible for malicious cyber-enabled behavior – have become an important but often overlooked mechanism for defining and flagging malign behavior in cyberspace, which otherwise remains unregulated under international law. First the United States (US), then the European Union (EU) and the United Kingdom (UK) have introduced laws authorizing use of cyber sanctions. In early December 2021, Australia followed the pattern and the law that allows use of sanctions in response to significant malicious cyber activity was passed.
The emergence of this type of economic sanctions is rooted in the long-lasting but unsuccessful efforts to regulate malign conduct in cyberspace, which instigated states to explore unilateral policy options. However, it appears that the tide has begun to turn: the negotiations towards a new (though controversial) International Cybercrime Treaty under auspices of the UN, were expected to start as soon as this month. Though such negotiations have been just recently delayed due to the Covid pandemic, it might be beneficial to explore the use of cyber sanctions as a reflection of the state practice on what actions could constitute malicious cyber behavior (or even criminal offenses) in cyberspace. Aside from being timely, this inquiry is also worthwhile as the only proposal on the draft text of a future International Cybercrime Treaty was submitted by the Russian Federation, which itself has been blamed for destructive cyber-attacks and targeted by unilateral cyber sanctions.
This contribution proceeds in three parts. First, cyber sanctions are defined and their scope under the existing domestic cyber sanctions frameworks are analysed. Second, a succinct overview of how cyber sanctions have been used so far is presented. Finally, we explore what a future International Cybercrime Treaty may mean for the legality of cyber sanctions, both under international law as well as under WTO and investment law.
What are Cyber Sanctions?
The existing regulatory frameworks for cyber sanctions authorize designation of the foreign nationals, legal entities, and government bodies for various types of malicious cyber-enabled activities, including cyber-attacks, although the precise definition of such concepts and the criteria for its application, in some cases, remains ambiguous.
Under the US cyber sanction framework there are three main categories of malicious cyber-enabled activities: (i) malicious attacks on computers/computer networks supporting critical infrastructure sectors, or causing significant disruptions, (ii) cyber theft and trade secrets misappropriation through cyber-enabled means, and (iii) misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions. Other Executive Orders, which pursue objectives of detecting and deterring malicious cyber-enabled activities, have been recently enacted. Rules prescribed by these regulations relate to the importation and exportation of the information and communications technology and services to and from the US and thus, they are not cyber sanctions as we define them here.
The EU cyber sanctions framework defines cyber-attacks as: (i) access to information systems; (ii) information system interference; (iii) data interference; or (iv) data interception, where such actions are not duly authorized by the owner or by another right holder of the system or data or part of it, or are not permitted under the law of the union or of the member state concerned. Like the US regulations, data interference also covers theft of data, funds, economic resources, or intellectual property. To be sanctionable, the abovementioned actions need to have a significant effect and constitute an external threat to the union or its member states. The EU cyber sanctions can also be imposed if malicious cyber activities targeted the third states or international organizations and if such attacks have had a significant effect.
In the case of the UK cyber sanction framework – Cyber Sanctions Regulations – the definition of cyber sanctions and categories of sanctionable malign cyber activities closely follow the EU regulations. Finally, according to the new Australian Autonomous Sanctions Amendment Bill, sanctions can be imposed for ‘malicious cyber activity‘.
In addition to the all-encompassing concept of malicious cyber activities and cyber-attacks, cyber sanctions frameworks have broad personal scope of application. In general, US, EU and UK cyber sanctions can be imposed against natural or legal persons, entities or bodies. For example, pursuant to the US cyber sanctions framework, in particular Executive Order 13694, sanctions can be imposed against “any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State” on the grounds of being responsible for or complicit in, or for having “engaged in, directly or indirectly” in malicious cyber-enabled activities. Apart from this, the US framework contemplates cyber sanctions against persons that have “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of” malicious cyber-enabled activities. Moreover, the US cyber sanctions apply to the legal entities that are “owned or controlled” by the sanctioned individuals and entities and to anyone who “have acted or purported to act for or on behalf of, directly or indirectly,” of sanctioned individuals and entities. What is more, anyone who has attempted to engage in any of the abovementioned activities could also be sanctioned.
How Cyber Sanctions Have Been Used so Far?
Thus far, the US has imposed more cyber sanctions compared to the EU and the UK. Some commentators have even gone as far as to argue that the EU cyber sanctions framework might be dead, although not because the number of cyber-attacks has decreased but mainly because of the flawed process of intelligence gathering and sharing among the EU’s member states. Despite this, the relevance of cyber sanctions grows as the number and types of malicious cyber conduct increases.
So, how has the US imposed cyber sanctions? Over the past few years, the Office of Foreign Assets Control (OFAC) has designated numerous persons and entities as well as government bodies and officials under its cyber-related sanctions framework, with the most designations occurring in 2020. As a rule, sanctioned persons include hackers, while among the sanctioned entities there are troll farms, international cybercriminal organizations, and (mostly Russian) government agencies. Moreover, new entities that may be designated encompass ransomware operators and virtual currency exchanges. Most of these designations involve persons or entities residing in or related to Russia, Iran and North Korea.
As for the types of malicious cyber conduct, sanctions have been imposed for distribution of malware, ransomware, and phishing. But the most noticeable examples are sanctions imposed against interference with electoral processes through the false information or hacking and against the cyber espionage activities in the SolarWinds incident, as well as recent sanctions against the facilitation of ransom payments and cryptocurrency exchanges. Sanctions for the theft of trade secrets have also been imposed, however under different sanctions frameworks.
What Implications a Prospective International Cybercrime Treaty May Have for Cyber Sanctions?
In a recent paper, we have argued that cyber sanctions may be incompatible with international law on several fronts. They may violate customary international law of state immunity when sanctions entail freezing of assets of government bodies. Furthermore, they can encroach on different human rights, in particular, due process rights and right to property. Given this, states in order to justify their actions may contend that such restrictive measures are countermeasures, i.e. self-help measures recognized in international law. Yet, the possibility to justify cyber sanctions as countermeasures is hindered by a number of substantive and procedural hurdles. Prominently, the two main grounds are the lack of internationally agreed obligations regulating behavior in cyberspace and the attribution of malicious cyber-enabled conduct to a particular state under the rules of state responsibility enshrined in the Draft Articles on Responsibility of States for Internationally Wrongful Acts.
Let’s imagine that the UN members will eventually negotiate a new International Cybercrime Treaty and as a result of this development, one of the main hurdles preventing the characterization of unilateral cyber sanctions as legitimate countermeasures – the existence of international obligations regarding state responsibility in cyberspace – may be overcome. This could mean that states could, in the future, and if the problem regarding attribution is solved, increasingly employ cyber sanctions to punish and deter malign conduct in cyberspace.
Application of cyber sanctions may potentially violate various obligations under WTO law. Broad prohibitions on economic relations with sanctioned entities prescribed by cyber sanctions entail restrictions on import and export of goods from and to sanctioned entities. This may infringe Article I:1 (Most-Favoured-Nation Treatment) of the GATT 1994. Furthermore, prohibitions on import and export of goods from and to sanctioned entities are inconsistent with Article XI:1 (General Elimination of Quantitative Restrictions) of the GATT 1994. In addition, market access commitments under the GATS could also be breached.
The WTO is a self-contained regime and hence, violations of WTO commitments could only be justified under the exceptions embedded in the relevant WTO Agreements. The most plausible justification that can be used in this context is the national security exception (Article XXI of the GATT 1994 and Article XIV bis of the GATS). According to the interpretations developed by the panel in Russia – Traffic in Transit report, WTO members have considerable flexibility in invoking the WTO national security clause. In a nutshell, the WTO adjudicators’ right to review the invocation of this exception is confined to a determination if an objective element – “taken in time of war or other emergency in international relations”, is fulfilled; whether a WTO member communicated “essential security interests” in good faith and if there is a minimum degree of plausibility between imposed trade restrictions and declared national security interests. The wording “emergency in international relations” was defined as “a situation of armed conflict, or of latent armed conflict, or of heightened tension or crisis, or of general instability engulfing or surrounding a state.” It is debatable whether cyber sanctions can meet this standard, or whether obligations contained in a prospective International Cybercrime Treaty could play a role in a WTO member’s ability to justify its use of cyber sanctions.
In our recent paper, we have also argued that cyber sanctions could violate standards of treatment incorporated in the international investment agreements (IIAs). Restrictions on the use of an investor’s property and restrictions on transactions with sanctioned parties could give rise to the investors’ claims of a violation of the Fair and Equitable Treatment and other standards of treatment prescribed by the IIAs. States can arguably justify cyber sanctions under public security exceptions and international peace and security clauses enshrined in the IIAs. Contrary to WTO law, violations of obligations under the IIAs can be justified if such actions constitute legitimate countermeasures. Thus, an existence of an International Cybercrime Treaty would mean that states could argue that cyber sanctions are countermeasures, and hence they do not infringe their IIAs obligations.
The starting of the negotiations towards an International Cybercrime Treaty, though controversial, is a new development in making of international norms to curb malign and criminal behavior in cyberspace. In crafting these rules, the current practice of states with cyber sanctions can provide important elements to be included in a future treaty. Cyber sanctions emerged as a tool to address extraterritorial nature of cyber-attacks. While unilateral in nature, their use can signal red lines in cyber space and thus make evident an emerging state practice in this regard. For this reason, paying more attention to the current use of cyber sanctions should be complementary to the efforts undertaken at the UN level.