war on the rocks

Sanctioning to Deter: Implications for Cyberspace, Russia, and Beyond

April 14, 2015

President Obama recently announced a significant step in the effort to combat cyber-attacks on the United States and U.S. companies, granting the Secretary of the Treasury the authority to impose economic sanctions on foreign countries and companies that launch such attacks, target critical infrastructure, or steal commercially valuable information. Curiously, however, the president did not sanction any particular countries or companies, and at this point, U.S. officials simply possess this authority should they decide to use it.

While the administration’s decision not to target specific countries or companies with sanctions may seem strange, it actually reflects a significant shift in the administration’s thinking on how to employ sanctions. In the past few years, rather than viewing sanctions simply as tools for coercing rogue states and cutting off terrorist financing, the administration has begun to rely on them for deterrence. For example, the president’s 2015 National Security Strategy notes that “our use of targeted sanctions and other coercive measures are meant not only to uphold international norms, but to deter severe threats to stability and order at the regional level.”

Yet, while sanctions may be more effective at deterring countries from aggressive action than at coercing them into giving up hard won or dearly valued objectives, deterring with sanctions will present new and complicated challenges. Though not insurmountable, policymakers should carefully think through these potential obstacles to ensure that sanctions can effectively be used as a deterrent.

The Changing Face of Sanctions

Starting in the mid-2000s, U.S. policymakers began employing more sophisticated forms of economic sanctions to address intractable policy issues such as nuclear proliferation and terrorist financing. These tools — which often exploit the importance of the dollar in the world financial system, private firms’ concern with their business reputations, and the fact that the United States is the hub for many key technologies necessary for the development of industries in other countries — are increasingly becoming policymakers’ first choice for dealing with a wide range of challenges, including human rights abuses, public corruption and graft in foreign countries, and most recently, cyber-attacks and cyber theft.

Beyond expanding the use of sanctions as tools of first resort, U.S. policymakers are also expanding the objectives they believe these sanctions can achieve. During the later years of the Bush administration and the early years of the Obama administration, these sanctions were used to create coercive leverage and disrupt malicious financial activity. For example, the financial sanctions imposed against Iran were designed — in conjunction with other tools — to force Iran to come to the bargaining table to discuss its nuclear program. Likewise, sanctions imposed against Syria were intended to pressure Syrian President Bashar Al-Assad to cease employing violence against Syrian civilians and to begin a process of democratic reform.

More recently, however, the Obama administration has begun relying on sanctions to achieve a new objective: To deter aggressive actions towards the United States and its interests. In the case of Russia, now-former Undersecretary of the Treasury for Terrorism and Financial Intelligence David Cohen noted late last year that while “we may never know what additional Russian aggression the sanctions, and the threat of additional sanctions, may have deterred … [t]hese sanctions are intended to impede dangerous behavior and, above all, to influence Russian decision-making.” This language is mirrored by the National Security Strategy, which states that “we are enforcing tough sanctions on Russia to impose costs and deter future aggression.” Likewise and following the issuance of the executive order authorizing sanctions against countries and companies that engage in cyber-attacks, Michael Daniel, the White House cybersecurity coordinator and Special Assistant to President Obama, noted that these sanctions may “allow us to respond appropriately, proportionately, and effectively to malicious cyber-enabled activities, and to deter others from engaging in similar activities.”

In the administration’s eyes, this deterrent is two-fold: First, imposing sanctions on an aggressive state may deter that country from engaging in additional belligerent behavior; and second, imposing sanctions on that state may also signal to other countries that, should they engage in similar activities, they too will be subject to punishing economic penalties.

A Promising Tool … With Limits

In theory, using sanctions to effectively deter aggressive actions makes sense and may be more effective than relying on sanctions to coerce a country into giving up its nuclear program or relinquishing control of annexed territory. As behavioral economists and psychologists have acknowledged for decades, it is significantly harder to convince someone to give up something they already possess than to convince someone not to take a particular action that could result in achieving his or her objective. As applied to international politics, for example, threatening to punish Russia with sanctions if it attacks Eastern Ukraine would be more likely to succeed than threatening Russia with the same sanctions if it does not give up control of Crimea. In a cyberspace context, it could be easier to deter a state from seeking access to U.S. critical infrastructure networks than to convince the same state to abandon the access it has already achieved.

Not only do sanctions potentially make sense as a general tool of deterrence, but the new executive order helps tackle significant hurdles for U.S. cyberspace deterrence. First, the order delineates cyberspace actions the United States aims to deter, providing a perceptible signal to malicious actors about thresholds beyond which the United States may choose to punish. Second, the directive lays out who the United States will hold responsible for these malicious actions in cyberspace — including non-state actors and state sponsors of malicious activity. This has been a major challenge for U.S. deterrence in cyberspace; leveraging the weight of America’s military and diplomatic might against a wide range of cyber actors has proven difficult. Finally, in linking malicious cyber actions to potential sanctions, the United States introduces an additional, proportional tool for punishment within cyberspace, increasing the credibility of U.S. threat of punishment in cyberspace.

Still, policymakers should be cautious in relying on sanctions to deter countries from engaging in cyber-attacks or, for that matter, annexing territory. First, and most notably, the record on effectively using sanctions to deter aggressive actions is unclear at best. For example, the United States first imposed sanctions on Russia following the annexation of Crimea, and administration officials specifically noted that those sanctions were to be “very clear deterrents for actions that may be contemplated.” Despite employing these tools, those sanctions — and the threat of future sanctions — did not deter Russia from subsequently supporting separatists in Eastern Ukraine with both arms and direct military action. And while the threat of further punishment may have deterred Russia from engaging in further destabilizing action, it is difficult to draw such a conclusion at this point.

Second, while these new, sophisticated sanctions often cause medium- and long-term damage to a country’s economy, the prospect of such damage may not deter aggressive actors from taking immediate actions contrary to U.S. interests. For example, in the case of Russia, while the sanctions have certainly taken a toll, the Russian economy, when supported by capital reserves, is sufficiently resilient to put off the worst impacts of the sanctions for a few years. In the short-term, however, Russia has been able to annex Crimea and exercise significant influence in rebel-controlled areas deep in Eastern Ukraine. Thus, while the prospect of economic damage may loom down the road, this risk may be insufficient to deter an aggressive actor from pursuing short-term benefits. This may be especially true in cyberspace, where malicious actors have a low barrier for entry, may not have long-term aspirations, or, as in the case of Anonymous, no particular pressure points which sanctions could effectively target.

Third, effective deterrence requires that the threat to impose the sanctions be credible. This will be hard to ensure, particularly when using sanctions to combat cyber-attacks and other forms of malicious cyber activity. As noted by both the United States government and private U.S. companies, federal agencies, banks, and other commercial U.S enterprises are attacked millions of times every day by a wide range of cyber actors. If the United States responds to only a small fraction of these attacks by sanctioning particular actors and entities, other hostile countries, companies, and individuals may conclude that their actions do not rise to a level sufficient to justify a response. If many of these actors do not believe that the United States will target them, then they are unlikely to be deterred. Yet given the sheer number of attacks, it is highly unlikely that the United States will be able to respond to all but a very small number of such strikes. Further, the language of the directive is ambiguous in scope, leaving the administration significant room to maneuver but certainly not binding its hands in order to optimize deterrence success.

Likewise and in the Russia context, given the discord among European Union member states about how to respond to additional Russian aggression, Russia may not believe that the United States and the European Union will impose additional, extremely painful sanctions on the country, and therefore may not be deterred from engaging in additional destabilizing action in Ukraine.

Increasing The Chances For Success

While effectively using sanctions for deterrence may be difficult, policymakers in Washington can take a number of steps to increase the likelihood of success. First — as with all deterrence attempts — accurately understanding the aggressive actor’s intentions and motivations will be critical. If Russian President Vladimir Putin’s concern about Russia’s medium- and long-term economic prospects is outweighed by his desire to secure influence in Ukraine in the near-term, then sanctions that damage Russia in the longer term are unlikely to be effective in deterring aggressive action. Policymakers in Washington need to do better than conclude that “these sanctions will cause economic pain, therefore they will deter.” Rather, they must analyze whether the particular sanctions on the table will influence a malicious actor’s decision-making. And this will be particularly difficult in cyberspace, where the dynamic playing field may make it difficult to understand all key players’ motivations and intentions. This is why prioritizing who and what the U.S. intends to deter can help ensure deterrence success.

Second, and particularly in the cyber context, policymakers will need to be clear about the criteria they are using when deciding to sanction particular countries or companies — and they will need to be consistent in the application of such sanctions. For example, if the Treasury Department designates a Chinese company for engaging in malicious cyber activity against a U.S. defense contractor, Treasury Department officials will need to make it very clear why those activities were unacceptable — and why, if other companies or states engage in such activities, they too will be the subject of sanctions. Likewise, if the United States sanctions certain countries or companies but not others who commit similar acts, such uneven enforcement will diminish the credibility of the deterrent, making it less effective. While this approach may limit the president’s flexibility to sanction particular countries or companies, the drawing of clear boundaries will help deter a significant number of serious attacks.

Third, policymakers should recognize that there are real limits to what these sanctions can achieve. While powerful, sanctions — even sophisticated ones — are rarely effective alone, and must be used in conjunction with other tools of diplomacy (and sometimes military power) to have much chance of success. Over the past few years, many in Washington have come to believe that sophisticated sanctions provide decision-makers with a silver bullet, able to easily impose great costs on a target. But as the limits of these sanctions have come into focus, policymakers should not assume that these tools should be the default means for deterring aggressive activity. Rather, these tools should be integrated into a broader deterrence strategy. Clearly signaling across the range of U.S. diplomatic and military tools what the U.S. cares about in cyberspace, who it will hold accountable, and the punishments it is willing and legally prepared to impose will help make significant progress in achieving successful deterrence.

At the end of the day, in the same way that these new sanctions can be effective for coercion when used in conjunction with other tools of statecraft, so too can they be effective for deterrence. But improving the odds of successful deterrence may be difficult, and policymakers should understand the challenges they face.

 

Eric Lorber is an associate in the Washington, D.C. office of Gibson, Dunn & Crutcher. He primarily advises clients in the areas of international trade regulation, compliance, and anti-corruption, with particular emphasis and experience assisting clients in complying with the economic sanctions and embargo regulations administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). His articles and commentary on sanctions and related issues have appeared in Foreign Affairs, Foreign Policy, The National Interest, Reuters, Cato Unbound, The Journal of Conflict Resolution, The Wall Street Journal, Bloomberg, and Middle East Policy, among others.

Jacquelyn Schneider is a PhD Candidate-in-Residence at the Institute for Security and Conflict Studies at George Washington University. Her research on technology and national security has appeared in The Journal of Conflict Resolution, Strategic Studies Quarterly, and The International Relations and Security Network.

 

Photo credit: epSos .de