In an intriguing and significant development in the deepening confusion around what’s permitted and forbidden to states in cyberspace, the White House yesterday issued sanctions against Russia via Executive Order 13694, ominously entitled “Taking Additional Steps to Address the National Emergency with respect to Significant Malicious Cyber-Enabled Activities.” The Order is being called the most severe imposition of US sanctions on Russia since the end of the Cold War.
In addition to the sanctions, which are imposed upon several Russian officials and security agencies such as the GRU and FSB, the State Department has expelled 35 Russian diplomatic representatives and their families from US territory, declaring them “persona non grata.” The aim of the Order is to isolate these individuals and organizations, curtailing their financial freedom of activity outside of Russia, and to send a clear message to Russia and other unfriendly actors in cyberspace that hostile cyber activities against the US and its democratic institutions – in particular, its electoral process — are unacceptable and will incur international repercussions. In turn, Russia has already publicly responded, vowing a ‘proportional response.”
This is not the first instance of the US imposing sanctions on another state in response to hostile actions in cyberspace. North Korea was similarly sanctioned in 2015, in the wake of that country’s alleged infiltration and leakage of Sony Pictures databases in anticipation and protest of the release of Sony’s movie “The Interview,” mocking North Korean leader Kim Jong-un. Likewise, in 2014 the Justice Department indicted five Chinese citizens, members of the People’s Liberation Army, on hacking charges, and in the following year threatened trade sanctions against China for that country’s alleged economic espionage. Yet the latest Executive Order adds financial sanctions relating specifically to a new phenomenon in cyberspace, the alleged Russian intervention in recent US national elections.
The Order itself declares a state of national emergency, effective immediately, “…with respect to significant malicious cyber-enabled activities…and in view of the increasing use of such activities to undermine democratic processes or institutions.” It comes as part of the promised US response to hostile Russian interference in the US presidential campaign and electoral process, widely covered and discussed in the media in recent weeks. The data breaches into the Democratic National Party’s databases and the subsequent exposures by Wikileaks, fabricated news articles, and exploitation of social media are some of the hostile activities allegedly initiated by Russia or Russian agents and “trolls.”
President Obama had stated that the US government would respond to cyber-enabled meddling with US elections with both overt and covert measures, and asked for a full investigation of such activities and their technical attribution. In the fall of 2016, and continuing up until the past few weeks, the FBI, Department of Homeland Security and other agencies, which dubbed the operations “Grizzly Steppe,” supplied the requisite evidence attributing to Russia.
The sanctions imposed by the Order include freezing the transfer of assets and property located in the United States of persons who are responsible for or complicit in cyber-enabled activities originating outside the US that are reasonably likely to result in a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. Not only those actually orchestrating these activities are subject to the freezing of financial property located in the US, but also those the hackers who carried out the cyber disruptions and anyone who funded or otherwise materially assisted such efforts. Hundreds, if not thousands of people are implicated, given the number of cyber interventions and the extended time period over which they occurred.
In practical terms, the list of hostile cyber activities subject to the imposition of sanctions is lengthy. It includes cyber disruptions that adversely affect critical infrastructure, such as electrical grids and water systems; intrusions into computer networks; and misappropriation of economic resources, trade secrets, and financial and personal data for commercial or competitive gain. Yet these are all general background to the real motivation for the Order, section E of which specifies the prohibited acts of “…tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.”
The broader context for the US undertaking such strident measures against Russian activity in cyberspace — although critics claim that these steps are belated and will in fact have little effect — is that of the current global debate around legal and policy norms restricting state activity in cyberspace. Leaving aside the internal US politics of President-elect Trump’s actual implementation of the sanctions, there remain difficult dilemmas around the legal issues that arise when countries intervene with hostile intent in each other’s critical national infrastructures, whether these are physical or virtual, such as data and databases critical to the electoral process.
A number of international legal and policy processes have been initiated to address the crucial questions around states’ intervention in each other’s affairs, including what constitutes a prohibited use of force in cyberspace, what a “cyber attack” constitutes, giving rise to a nation’s right to self-defence under international law. For example, the 2013 Tallinn Manual, published under the auspices of NATO’s Cooperative Cyber Defence Center of Excellence (CCDCOE), sets out 95 rules on these and other issues, with commentary on the international law relating to their application. Other initiatives include the ongoing efforts of the UN Secretary-General’s Group of Governmental Experts, the Organization for Security and Cooperation in Europe (OSCE) and the Group of Seven (G7). China and Russia have also used a regional organization of their own, the Shanghai Cooperation Organization, to propose a draft treaty on global cybersecurity norms.
States and international organizations are still in the process of calibrating which types of activity are permitted and which are forbidden under international law in cyberspace. Traditional understandings of legal boundaries and their communication through diplomatic means are changing.
This latest Executive Order is an example of this task of calibrating the appropriate responses to hostile activity in cyberspace. It brings us to a watershed moment for cyber diplomacy and deepens our understanding of the normative boundaries of international behavior that nation-states will tolerate from one another in cyberspace.
Adv. Deborah Housen-Couriel is an Israeli attorney specializing in cybersecurity law and regulation. She works with a Tel Aviv cybersecurity consulting firm, Konfidas Digital and with Zeichner, Ellman and Krause LLC in New York and Israel. Deborah is also a research fellow at the Law Faculty of Haifa University, Tel Aviv University’s Interdisciplinary Cyber Research Center and the Herzliya IDC’s International Institute for Counter-terrorism. She can be reached at www.cyberregstrategies.com.