Cyber sanctions

Cyber sanctions are economic and financial measures intended to change the behavior of targets that engage in malicious cyber activities and/or intrusions. Cyber sanctions regimes are instruments used predominantly by countries. [1] Thus, the units of analysis are the countries in the international system. In other words, countries, rather than non-state actors such as companies, are the main actors and decision-makers when it comes to the threat and/or use of cyber sanctions at the international level. The concept of cyber sanctions is a relatively new area in world politics. Today, only a few countries have taken measures and enacted legislation involving cyber-related regulation to secure their information technology. On the other hand, many countries, including developed countries, have not updated their legislation to address this new security area, i.e., cyber-crimes.

Origins of the concept

Cyber sanctions can be considered an extension of economic sanctions regimes. Thus, although the use of cyber sanctions and their introduction into international relations are relatively new, the historical background of sanctions goes much further back. The first economic sanctions were used in Ancient Greece, in the form of the Megarian Decree, which the Athenians issued in response to the undesired trade behaviors of the Megarians. Later on, the economic sanctions between these two city-states arising from the Megarian Decree led to the Peloponnesian War, which was fought between the Athenians and Spartans. [2] Historical records show that economic power is important for military power, and, thus, the influence of economic sanctions in world politics has increased dramatically with the technological improvements since the industrial revolution that started in the 18th century. Especially with the dissolution of the Union of Soviet Socialist Republics (USSR), the use of economic sanctions increased exponentially, and they have become the most important foreign policy instruments since the beginning of the 21st century. [3]

It is important to understand the concept of economic sanctions before examining cyber sanctions because cyber sanctions are an extension of economic sanctions, and the goal of both instruments is to use economic/financial means to change the target state's undesired behaviors. According to David Baldwin, economic sanctions are options that have a dynamic nature, meaning that they can escalate to interstate wars or de-escalate to diplomatic negotiations. [4] Thus, we can categorize economic sanctions as an option lying between the use of military force and negotiations. In the first category, the conflicting parties confront each other in the theater of war, and in the second category the conflicting parties meet at the negotiating table. However, when it comes to economic sanctions, there is no need for the conflicting parties to meet with one another. These kinds of situations are seen when there are enduring rivalries between countries, for example, the relations between the USSR, later Russia, and the Western countries, especially the United States. The relations between the US and North Korea are another example of the use of economic sanctions over many decades. Scholars usually argue that economic sanctions are not effective when it comes to changing the target state's behaviors. [5] [6] [7] However, some argue that economic sanctions work at the threat stage rather than at imposition. [8] Others have argued that sanctions work when they are used selectively rather than comprehensively. [9] According to the Peterson Institute's international economics scholars Hufbauer et al., the implications of economic sanctions should not be underestimated because, given the results of their datasets, almost 30% of all economic sanctions cases since the Second World War worked successfully. [10] As can be seen from these arguments, there is no consensus on the effectiveness of economic sanctions in the scholarly world. [11]

Cyber sanctions

Experts have different views on the effectiveness of economic sanctions. This might be one of the main reasons why policymakers are skeptical about using economic sanctions for issues related to malicious cyber activities. However, the trend shows that states are enacting bills that consider the use of economic sanctions for cyber conflicts at the international level. The need for stability in cyberspace requires regulations at both domestic and international levels. [1] We can consider the legal basis for the use of sanctions for cyber activities under the United Nations Charter's Article 2.4, where it is stated that:

“All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”

In light of the UN Charter, many actors in the international system, including the European Union as an international organization, the major EU member countries, and the United States, have already taken steps using proactive and reactive financial and economic sanctions that can even escalate to the application of military options.

Case 1

The first cyber-related sanctions in history were used by the European Union in 2017 against six identified individuals who were involved in malicious cyber actions against some EU institutions and especially against the Organization for the Prohibition of Chemical Weapons, which is an international organization founded in 1997. The EU's response included targeted sanctions, such as asset freezes and travel bans for these six individuals. [12]

Case 2

After detecting malign cyber activities by some Russian individuals, aimed at manipulating U.S. industrial systems using the Triton malware, and the relationship between these individuals and the Russian government, the United States Secretary of State released a press statement in October 2020 stating that economic sanctions were imposed under Section 224 of the Countering America's Adversaries Through Sanctions Act. [13]

Cyber sanctions by Countries

United States

Cyber sanctions

Developments in legislating cyber sanctions in the United States suggest that we might see the enactment of more bills focusing on cyber issues at the international level. As of now, there are two executive orders (Executive Order 13694 [14] and Executive Order 13757 [15]) that explain how malicious cyber activities will be answered with economic sanctions and other measures. [16] The Treasury's Office of Foreign Assets Control (OFAC) is responsible for the initiation and outcomes of economic sanctions related to cyber activities.

European Union

Cyber sanctions

The European Union Council has adopted several conclusions on the implementation of collective cyber security in the region. These conclusions also include detailed strategies setting out contingency plans and coordinating responses to malicious cyber activities targeting the EU member countries. The EU Council's conclusions stress the inevitable cyber chaos that can spread all over the world if collective action is not achieved in this regard. Moreover, the creation of a network of security operation centers in the EU served the goal of anticipating possible signals of cyber attacks against the EU. Currently, the EU Council is working on enhancing the collective cyber response, with a focus on sanctioning the target, by creating a new entity called the “cyber intelligence working group.” [17] [18] Although steps have been taken toward using economic sanctions for cyber-related attacks against the EU, these measures are not yet complete, and the member countries have different opinions on the response strategies. Developments suggest that we will see a consensus on strategies for using economic sanctions in the near future.

The Joint Force Headquarters Cyber Emblem

The future of cyber sanctions

Economic sanctions are flexible tools that can be used for many different purposes in many ways. These characteristics make economic sanctions a viable option against the increasing threats of malicious cyber activities at both intranational and international levels. Developments show that developed countries, especially the United States and the European Union member countries, are taking serious measures that might enable the use of economic sanctions unilaterally and internationally. Unilateral cyber-related sanctions are sanctions episodes where the sanctioning party is only one state. Today, we have examples of unilateral cyber-related sanctions. However, it is very rare to see multilateral cyber-related sanctions, where the senders are either more than one state or an international organization, such as the UN or EU, imposing cyber-related sanctions. As can be seen from the European Union Council's conclusions on common economic sanctions strategies against cyber-attacks, consensus on using sanctions at the international level looks difficult to achieve. However, countries may be more willing to cooperate in the future because the level of cyber threats is increasing exponentially every day beyond international borders. As a result, countries might begin to include cyber commands, as seen in the United States, within their military structures, considering the increasing possibility that cyber-related sanctions can escalate to the use of military options.

Related Research Articles

Computer security: Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

National security: Security and defence of a nation state

National security, or national defence, is the security and defence of a sovereign state, including its citizens, economy, and institutions, which is regarded as a duty of government. Originally conceived as protection against military attack, national security is widely understood to include also non-military dimensions, such as the security from terrorism, minimization of crime, economic security, energy security, environmental security, food security, and cyber-security. Similarly, national security risks include, in addition to the actions of other nation states, action by violent non-state actors, by narcotic cartels, organized crime, by multinational corporations, and also the effects of natural disasters.

Cybercrime: Type of crime based in computer networks

Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or networks. These crimes involve the use of technology to commit fraud, identity theft, data breaches, computer viruses, scams, and other malicious acts. Cybercriminals exploit vulnerabilities in computer systems and networks to gain unauthorized access, steal sensitive information, disrupt services, and cause financial or reputational harm to individuals, organizations, and governments.

Economic sanctions: Financial penalties applied by nations

Economic sanctions are commercial and financial penalties applied by states or institutions against states, groups, or individuals. Economic sanctions are a form of coercion that attempts to get an actor to change its behavior through disruption in economic exchange. Sanctions can be intended to compel or deter.

United States sanctions: Trade restrictions levied by the United States government

United States sanctions are financial and trade restrictions imposed against individuals, entities, and jurisdictions whose actions contradict U.S. foreign policy or national security goals. Financial sanctions are primarily administered by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), while export controls are primarily administered by the U.S. Department of Commerce's Bureau of Industry and Security (BIS).

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies.

Supply chain security activities aim to enhance the security of the supply chain or value chain, the transport and logistics systems for the world's cargo and to "facilitate legitimate trade". Their objective is to combine traditional practices of supply-chain management with the security requirements driven by threats such as terrorism, piracy, and theft. A healthy and robust supply chain absent from security threats requires safeguarding against disturbances at all levels such as facilities, information flow, transportation of goods, and so on. A secure supply chain is critical for organizational performance.

Russia–European Union relations: Bilateral relations

Russia–European Union relations are the international relations between the European Union (EU) and Russia. Russia borders five EU member states: Estonia, Finland, Latvia, Lithuania and Poland; the Russian exclave of Kaliningrad is surrounded by EU members. Until the radical breakdown of relations following the 2022 Russian invasion of Ukraine, the EU was Russia's largest trading partner and Russia had a significant role in the European energy sector. Due to that full-scale invasion, relations became very tense after the European Union imposed sanctions against Russia. Russia placed all member states of the European Union on a list of "unfriendly countries", along with Taiwan, South Korea, Japan, Singapore, the United States, NATO members, Canada, Australia, New Zealand, Norway, Switzerland, Micronesia and Ukraine.

Marietje Schaake: Dutch politician

Maria Renske "Marietje" Schaake is a Dutch politician who served as Member of the European Parliament (MEP) from the Netherlands between 2009 and 2019. She is a member of Democrats 66, part of the Alliance of Liberals and Democrats for Europe Party.

The Obama Doctrine is used to describe one or several principles of the foreign policy of U.S. President Barack Obama. In 2015, during an interview with The New York Times, Obama said: "You asked about an Obama doctrine, the doctrine is we will engage, but we preserve all our capabilities".

Cyberwarfare is the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes. As a major developed economy, the United States is highly dependent on the Internet and therefore greatly exposed to cyber attacks. At the same time, the United States has substantial capabilities in both defense and power projection thanks to comparatively advanced technology and a large military budget. Cyber warfare presents a growing threat to physical systems and infrastructures that are linked to the internet. Malicious hacking from domestic or foreign enemies remains a constant threat to the United States. In response to these growing threats, the United States has developed significant cyber capabilities.

Sea transport accounts for most of the European Union's external and internal commerce. The EU is the world's third-largest importer of fisheries and aquaculture products and the fifth-largest producer. Maritime borders make up more than 70% of the Union's external borders, and hundreds of millions of travelers pass through European ports each year. The security of Europe's energy supply is heavily reliant on marine transit and infrastructure. The significant expansion of EU Member States' fleets, as well as suitable port infrastructure, contribute to a well-functioning energy market and supply security, and hence to European residents' and the European economy's overall well-being. The Arctic region is therefore a vital new area for the EU to work towards and a new strategy for the Arctic region that matches with the European Green deal was established in late 2021.

There is no commonly agreed single definition of “cybercrime”. It refers to illegal internet-mediated activities that often take place in global electronic networks. Cybercrime is "international" or "transnational": there are "no cyber-borders between countries". International cybercrimes often challenge the effectiveness of domestic and international law, and law enforcement. Because existing laws in many countries are not tailored to deal with cybercrime, criminals increasingly conduct crimes on the Internet in order to take advantage of the less severe punishments or difficulties of being traced.

The 2011 U.S. Department of Defense Strategy for Operating in Cyberspace is a formal assessment of the challenges and opportunities inherent in increasing reliance on cyberspace for military, intelligence, and business operations. Although the complete document is classified and 40 pages long, this 19 page summary was released in July 2011 and explores the strategic context of cyberspace before describing five “strategic initiatives” to set a strategic approach for DoDʼs cyber mission.

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack.

A threat actor, bad actor or malicious actor is either a person or a group of people that take part in an action that is intended to cause harm to the cyber realm including: computers, devices, systems, or networks. The term is typically used to describe individuals or groups that perform malicious acts against a person or an organization of any type or size. Threat actors engage in cyber related offenses to exploit open vulnerabilities and disrupt operations. Threat actors have different educational backgrounds, skills, and resources. The frequency and classification of cyber attacks changes rapidly. The background of threat actors helps dictate who they target, how they attack, and what information they seek. There are a number of threat actors including: cyber criminals, nation-state actors, ideologues, thrill seekers/trolls, insiders, and competitors. These threat actors all have distinct motivations, techniques, targets, and uses of stolen data. See Advanced persistent threats for a list of identified threat actors.

Executive Order 13694: 2015 United States executive order

Executive Order 13694, signed on April 1, 2015 by U.S. President Barack Obama, is an Executive Order intended to limit the proliferation of malicious cyber activities. The order seeks to accomplish this by limiting threats to U.S. national security through the use of economic sanctions via the Specially Designated Nationals and Blocked Persons List as maintained by the Department of the Treasury's Office of Foreign Assets Control.

Global Commission on the Stability of Cyberspace: Commission developing diplomatic norms limiting cyber-offense

The Global Commission on the Stability of Cyberspace was a multistakeholder Internet governance organization, dedicated to the creation of diplomatic norms of governmental non-aggression in cyberspace. It operated for three years, from 2017 through 2019, and produced the diplomatic norm for which it was chartered and seven others.

Ghostwriter, also known as UNC1151 and Storm-0257 by Microsoft, is a hacker group allegedly originating from Belarus. According to the cybersecurity firm Mandiant, the group has spread disinformation critical of NATO since at least 2016.

Operational collaboration is a cyber resilience framework that leverages public-private partnerships to reduce the risk of cyber threats and the impact of cyberattacks on United States cyberspace. This operational collaboration framework for cyber is similar to the Federal Emergency Management Agency (FEMA)'s National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world.

References

  1. Moret, Erica (2017). "The EU Cyber Diplomacy Toolbox: towards a cyber sanctions regime?" (PDF). European Union Institute for Security Studies (EUISS). JSTOR resrep06815.
  2. McDonald, J. (1994). Supplementing Thucydides' Account of the Megarian Decree.
  3. Drezner, Daniel W. (1999-08-26). The Sanctions Paradox: Economic Statecraft and International Relations. Cambridge University Press. ISBN 978-0-521-64415-0.
  4. Baldwin, David A. (2020-09-22). Economic Statecraft: New Edition. Princeton University Press. ISBN 978-0-691-20444-4.
  5. Pape, Robert (1997). "Why economic sanctions do not work". International Security. 22 (2): 90–136. doi:10.1162/isec.22.2.90. S2CID 57566126.
  6. Pape, Robert (1998). "Why economic sanctions still do not work". International Security. 23: 66–77. doi:10.1162/isec.23.1.66. S2CID 57565095.
  7. Jones, Lee (2015). Societies Under Siege: Exploring how International Economic Sanctions (do Not) Work. Oxford University Press. ISBN 978-0-19-874932-5.
  8. Drezner, Daniel W. (1999-08-26). The Sanctions Paradox: Economic Statecraft and International Relations. Cambridge University Press. ISBN 978-0-521-64415-0.
  9. Cortright, David (2001). Smart sanctions: Restructuring UN policy in Iraq. Joan B. Kroc Institute.
  10. Hufbauer, Gary Clyde; Schott, Jeffrey J.; Elliott, Kimberly Ann; Institute for International Economics (U.S.) (1990). Economic Sanctions Reconsidered: History and Current Policy. Peterson Institute. ISBN 978-0-88132-136-4.
  11. Onder, Mehmet (2020). "Regime Type, Issue Type and Economic Sanctions: The Role of Domestic Players". Economies. 8 (1): 2. doi:10.3390/economies8010002. hdl:10419/257052.
  12. "EU imposes the first ever sanctions against cyber-attacks". www.consilium.europa.eu. Retrieved 2021-07-28.
  13. "United States Sanctions Russian Government Research Institution". United States Department of State. Retrieved 2021-07-28.
  14. "Executive Order -- "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities"". whitehouse.gov. 2015-04-01. Retrieved 2021-07-28.
  15. "Sanctions Programs and Country Information". U.S. Department of the Treasury. Retrieved 2021-07-28.
  16. "Cyber Sanctions". United States Department of State. Retrieved 2021-07-28.
  17. "Cybersecurity: Council adopts conclusions on the EU's cybersecurity strategy". www.consilium.europa.eu. Retrieved 2021-07-28.
  18. Council of the European Union (2021). Draft Council conclusions on the EU's Cybersecurity Strategy for the Digital Decade.