Washington Uses Sanctions and Indictments Inconsistently When Combating Malicious Cyber Activity

Over the past decade, the United States has relied heavily on sanctions and indictments to combat malicious cyber activity that originated in China, Russia, North Korea, or Iran. An analysis (see “Data Visualization,” above) of the frequency with which the United States has employed sanctions and indictments, however, reveals inconsistencies in their application against these four adversaries. This uneven approach may lessen Washington’s ability to deter hostile cyber actors who do not face consistent consequences for their behavior.

Since 2013, the United States has issued cyber-related sanctions or indictments against more than 190 individuals and entities. The Treasury Department has used a range of authorities, including but not limited to the cyber executive order of April 1, 2015, the Countering America’s Adversaries Through Sanctions Act (which mainly targets Russian actors associated with interference in the 2016 presidential election), and specific regional executive orders, such as those targeting the government of North Korea and entities that use technology to violate the human rights of the Iranian people. Justice Department indictments against malicious cyber actors generally focus on the alleged use of “fraud and related activity in connection with computers,” and/or on “conspiracy to commit offense or to defraud the United States.”

An analysis of the data reveals that the Trump administration has employed these tools more aggressively than its predecessor has. Between 2013 and 2016, the Obama administration issued 28 indictments and five sanctions against malicious actors from Russia, China, Iran, and North Korea. In contrast, between 2017 and 2020, the Trump administration significantly increased the number of indictments and sanctions to 106 and 110, respectively.

There also appear to be discrepancies in the frequency with which the United States uses these tools against actors from different foreign countries. For example, cyber actors working on behalf of the North Korean regime are often considered more innovative and capable than their Iranian counterparts; North Korean operations, including Wannacry and the Bangladesh bank heist, far outweigh Iran’s largest attacks, known as Shamoon and Shamoon 2, in terms of sophistication and impact. Yet the six sanctions and indictments levied against actors from the DPRK pale in comparison to the 30 such actions targeting actors from Iran. This difference may reflect a matter of policy, or it may simply reflect the fact that there are fewer North Korean individuals to target, because North Korean operatives are primarily working as part of Advanced Persistent Threat (APT) groups, such as the Lazarus group. In contrast, Iranian operatives tend to be semi-professional actors who may not have allegiance to one particular APT group. While it is difficult to ascertain the exact cause for the numerical differences between the sanctions and indictments levied against the two groups, the numbers do point to greater room for collaboration between Treasury and the Justice Department.

The greatest disparity in Washington’s use of sanctions and indictments against different adversaries is the infrequency with which the United States employs sanctions to combat Chinese hackers. By the numbers, Washington has sanctioned the majority of Iranian, North Korean, and Russian individuals and entities indicted for cyber-related crimes. In contrast, the Treasury Department has used sanctions against only two Chinese actors, who allegedly engaged in money laundering for the Lazarus Group. In short, while the Justice Department has accused 38 Chinese individuals and entities of conducting cyber-enabled economic and political espionage against the U.S. government and private companies, 36 of these operatives have escaped financial sanctions.

This discrepancy does not reflect a lack of authorities to punish Chinese cyber-enabled economic warfare. The April 2015 cyber executive order authorizes the Treasury Department to issue sanctions to disrupt the operations of entities engaged in “the receipt or use for commercial or competitive advantage … of trade secrets [of U.S. companies] misappropriated through cyber-enabled means.” Instead, it may indicate that the United States is reluctant to issue sanctions against malicious Chinese actors due to the fear of escalation or economic retaliation against American companies. In contrast, the relative weakness of the Iranian, North Korean, and Russian economies means that Washington can act more freely without fear of blowback.

Sanctioning all indicted cyber operatives is unlikely to end malicious activities from these nation-states. However, by constraining access to financial resources and changing the aggressor’s cost/benefit dynamics, sanctions likely would help establish a stronger deterrence posture. Published last month, the final report from the congressionally mandated Cyberspace Solarium Commission advocates a strategy of “layered deterrence,” which entails a whole-of-government effort to mobilize all available instruments of state power. The Solarium report acknowledges that a layered deterrence strategy “will not eliminate state-sponsored cyber operations or cybercrime, but consistently enforced consequences and rewards can begin to erode the incentives for bad behavior.”

An enforcement regime applied consistently to all foreign actors would signal to adversaries what the United States considers acceptable behavior in cyberspace. Without a clear deterrent from the United States, foreign hackers likely will continue to feel emboldened as they attack the United States while enjoying safe harbor in their home countries. Until Washington develops a coordinated response to such threats, the U.S. economy, along with America’s national security and international footing, will continue to suffer.

Trevor Logan is a cyber research analyst at the Foundation for Defense of Democracies (FDD), where Pavak Patel is an intern. They both contribute to FDD’s Center on Cyber and Technology Innovation (CCTI) and Center on Economic and Financial Power (CEFP). For more analysis from Trevor, Pavak, CCTI, and CEFP, please subscribe HERE. Follow Trevor and Pavak on Twitter @TrevorLoganFDD and @PavakPatel. Follow FDD on Twitter @FDD and @FDD_CCTI and @FDD_CEFP. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.