Comparing cyber-related Sanctions Regimes and assessing the next steps

Both the US and the EU, in recognition of the increasing threat from third-party cyberattacks and the potential impact on national security, have implemented cyber-related sanctions regimes ("Cyber Regimes"). This article considers the regimes at a high level and looks at future developments in this challenging area of the sanctions landscape.

US sanctions

In 2015 the US established a Cyber Regime. The first designations were in December 2016, when 11 parties were identified as being responsible for or involved in cyber-attacks intended to interfere with the 2016 US Presidential election. Since then the US Cyber Regime has been active, with the current Office of Foreign Assets Control (OFAC) Specially Designated Nationals And Blocked Persons List (SDN) containing 130 designations[1], including parties involved in election interference, cyber-related romance scams, business email compromise, the NotPetya attack and mass phishing campaigns. OFAC also recently published an advisory on potential sanctions risks for facilitating ransomware payments[2].

The Cyber Regime is broadly focused upon five categories of persons, including:

  1. those who engage in, are responsible for or who are complicit in cyberattacks which originate, or which were directed, from outside the US and which are likely to result in a "significant threat to the national security, foreign policy or economic health or financial stability of the US" by:
     • harming/significantly compromising a critical infrastructure sector
     • causing significant disruption to the availability of computers
     • causing significant misappropriation of funds, economic resources, trade secrets etc for commercial/competitive advantage or private financial gain or
     • interfering with or undermining election processes/institutions.
  2. those responsible for, complicit in or otherwise engaged in receiving or using trade secrets for "commercial or competitive advantage or private financial gain"
  3. any person who has materially assisted, sponsored or provided financial, material or technological support, goods or services in support of such cyber-enabled activities
  4. any person owned or controlled by any person in categories 1-3 above; and
  5. any person who has attempted to engage in any of the activities in 1-4 above.

EU sanctions

In contrast, the EU's adoption of cyber-related sanctions has been at a slower pace, with a Cyber Regime not being imposed until May 2019[3]. It was then not until 30 July 2020 (almost three and a half years after the first US designations) that the EU issued its first cyber-related designations, relating to nine parties from North Korea, China and Russia believed to have been involved in various cyber-attacks dating back to 2017/2018.

The EU regime targets the following:

  1. people responsible for cyberattacks or attempted cyberattacks
  2. people that provide "financial, technical or material support for or are otherwise involved in cyberattacks or attempted cyberattacks", and
  3. any person associated with a person in 1 or 2 above. 

The EU sanctions apply to cyberattacks which have a potentially significant effect, and which constitute an external threat to the EU or its member states.  In a similar fashion to the US, the EU regime states that a cyberattack constitutes a threat to a member state if it affects information relating to:

  • critical infrastructure
  • services necessary for the maintenance of essential social and/or economic activities (e.g. banking, energy, health and transport)
  • critical state functions such as defence, government election processes, diplomatic functions etc
  • the storage/processing of classified information, or
  • government emergency response teams.

The future

Whilst the US/EU Cyber Regimes broadly seek to achieve similar goals, the application differs as seen in the volume of designations. It is often the case that US and EU sanctions regimes differ both in content and in application. Whilst it is often arguable that regimes may drive more significant change if they were globally aligned, it is understandable that the Cyber Regimes differ given the focus is on cyber threats specific to the relevant jurisdictions. Where global cyber-attacks take place one would, however, expect a more aligned approach to have greater impact.

Cyber sanctions will continue to be an area of growth and focus. The main challenge seems to be for those responsible for imposing sanctions to ensure that they can keep up with the constantly evolving threat and that the impact of the sanctions is felt by those they target.

The UK has indicated that it will continue to implement cyber-related sanctions through its own autonomous regime post-Brexit[4]. It will be interesting to see what stance the UK takes in this particular area and whether the UK authorities can keep pace with emerging threats. 

 

[1] at the time of writing

[3] Council Regulation (EU) 2019/796 of 17 May 2019. Current version: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1601494246723&uri=CELEX:02019R0796-20200730

[4] the Cyber (Sanctions) (EU Exit) Regulations 2020

 

