The views expressed by contributors are their own and not the view of The Hill

Cyber sanctions after Sony

Sanctioning North Korea in response to last year’s hack of Sony was only, as the Obama administration has stated, a “first step.”   But utilizing sanctions much more broadly in response to cyber attacks could offer significantly more effective responses to the ever-increasing cyber industrial espionage threat facing the United States.

Working together, the administration and Congress could reshape the cyber battlefield by establishing a full-blown sanctions regime designed to impose real costs on cyber hackers and their governmental sponsors.  Cyber sanctions would be most effective if Congress established (1) new governmental authority to block imports of products containing stolen U.S. technology and freeze assets of firms and sponsors engaging in cyber espionage, and (2) civil remedies enabling victimized businesses to recover both costs and punitive damages as a deterrent to cyber industrial hacking. The United States has long utilized sanctions as a key element of national security policy in the counterterrorism and nonproliferation arenas. Expanded cyber sanctions could be used in a comparable fashion to both raise the cost to malicious hackers and send a strong geopolitical signal to countries that encourage or actively support malicious hacking.

{mosads}As Sony showed, governmental financial sanctions can already be implemented under existing law. In response to the Sony hack, the U.S. blocked certain North Korean organizations and individuals from accessing U.S. financial systems.  Congress likely will consider cyber legislation this year, but only if it creates significant new authorities for both the government and the private sector will they have the powers needed to effectively respond to cyber espionage.

For the government, the key additional element would be authority to block imports of products containing or similar to stolen U.S. technology or made or exported by a company that benefited from theft of such technology. Cyber sanctions legislation would be even more effective if it granted the government authority to freeze the assets of persons engaged in, or sponsoring, cyber hacking. 

Even more critically, Congress should authorize civil remedies to corporate victims of cyber espionage. Authorizing private entities to seek legal remedies against malicious hacking entities could be highly beneficial by substantially raising the costs of cyber espionage. Affected firms could even be authorized to collect punitive damages for circumstances in which the specific determination of compensatory damages would be difficult.

Congress has several options. For example, a federal civil cause of action could be created for economic espionage, including (1) treble damages for any losses arising out of economic espionage; and (2) a civil forfeiture provision. The availability of treble or statutory damages would encourage victimized corporations to sue violators, redounding to the nation’s benefit. A civil forfeiture provision would give the courts the authority to order the seizure of property of a company benefitting from the commission of the violation. Seizure of a foreign actor’s property offers a way to attack the economic base of cyber threat actors. A second enforcement mechanism would be to block imports of products benefitting from cyber espionage. This would provide relief in the competitive arena and also motivate the offending entity to change its practices and settle with the harmed party.

Effective cyber sanctions rely on accurate attribution of cyber attacks, and the government recently has been much more forthcoming concerning attribution.  In the Sony case, the U.S. very publicly identified North Korea as perpetrating the attack.  And previously, the U.S. indicted five members of People’s Liberation Army Unit 61398 on charges of hacking and economic espionage against half a dozen U.S. companies. Further, private sector entities have publically attributed numerous sophisticated cyberespionage campaigns to hacking groups backed by China, Iran, and others. 

Attribution would be a necessary element of any civil remedy. One way to enhance attribution would be to create an administrative proceeding in which government would both expedite and support private claims for loss/damage from cyber espionage and cyber attacks. Private and governmental efforts could be combined as is done in the government contracting context when a contractor initiates a bid protest challenging the propriety of a contract award.

To initiate a proceeding, a private entity would file its claim with an administrative body of the government, just as bid protests are filed with the Government Accountability Office. The government then would be responsible for reviewing all evidence (classified and unclassified) in its possession and preparing an unclassified “report” including such evidence with the government necessarily having discretion as to what to provide. After any further adjudication to resolve disputed issues, the record would be complete, and the administrative agency would issue a decision. If the agency determined that a foreign government or foreign actor was responsible for the cyber espionage or cyber attack, sanctions could be imposed on those entities. This would be new ground but given the magnitude of the cybersecurity problem, such an approach is both necessary and warranted.

Sanctions should not be looked on as a panacea but sanctions—both governmental and civil— would raise adversaries’ costs of engaging in cyber attacks and, could play a pivotal role in the effort to address the growing cyber threat.

Kramer is a distinguished fellow and board member of the Atlantic Council. Teplinsky serves on the Advisory Board for CrowdStrike, Inc.; as a founding columnist for the Christian Science Monitor’s Passcode; and as an adjunct professorial lecturer at American University’s Washington College of Law.  She previously counseled on cybersecurity while in private practice at Steptoe & Johnson LLP. 

Tags

Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed..

 

Main Area Top ↴

Testing Homepage Widget

 

Main Area Middle ↴
Main Area Bottom ↴

Most Popular

Load more

Video

See all Video