Washington’s Secret Weapon Against Chinese Hackers

“The tide of war is receding,” U.S. President Barack Obama proclaimed in October 2011, announcing the impending conclusion of the war in Iraq. In the year and a half since, however, the tide of a new type of conflict has been rising -- one that takes place not on land, in the air, or at sea but in cyberspace. Indeed, in the past several months, the Obama administration has called a great deal of attention to the threat posed by cyberattacks and cybertheft, the most ominous source of which appears to be China. Early last month, the national security adviser, Tom Donilon, said that the cybertheft of confidential information and technology from American businesses has been “emanating from China on an unprecedented scale,” and General Keith Alexander, the director of the National Security Agency, has previously called such theft “the greatest transfer of wealth in history.”

If recent announcements are any indication, the Obama administration has heightened its focus on cybersecurity threats. In February, the White House published an executive order directed at improving the cybersecurity of the country’s critical infrastructure. That same month, it also unveiled a new strategy for preventing the theft of U.S. trade secrets. One potentially crucial tool, however, has been largely absent from the discussion of how the United States should address cyberthreats: targeted financial sanctions. Given the success of targeted financial sanctions in other contexts -- namely, counterterrorism and efforts to stem nuclear proliferation -- the Obama administration should establish a process for imposing them on individuals and entities that engage in pernicious cyberactivity.

For a number of reasons, targeted sanctions are particularly well suited to address the threats posed by cyberattacks and cybertheft, and they could form an important part of a larger strategy to mitigate the problem. First, for attacks undertaken by states or their proxies, sanctions could serve as a deterrent against future illicit behavior. This is because states, concerned for their reputations, have an interest in preventing their unlawful activity from being exposed publicly. Late last year, for example, both Beijing and the Chinese company Huawei Technologies strongly objected to a report published by the U.S. House Permanent Select Committee on Intelligence that accused Huawei and another Chinese company of posing a significant cyberthreat to U.S. national security interests. Huawei went so far as to label the report "an exercise in China-bashing.”

Targeted financial sanctions are also well suited to address illicit cyberactivities perpetrated by nonstate actors. For such actors, public sanctions would not only serve as a deterrent; they would limit their access to the U.S. financial system. The Obama administration has imposed targeted financial sanctions against similar nonstate criminal groups in the past -- such as the Yakuza in Japan, Los Zetas in Mexico, and the Camorra in Italy -- as part of its strategy to combat transnational organized crime. Targeted financial sanctions have also played a major role in weakening al Qaeda over the last several years.

A second reason that targeted financial sanctions would work well in the cyber context is that, unlike reciprocal attacks in cyberspace or the use of military force, they are proportionate in scale to cyberinfiltrations, such as the discreet theft of intellectual property from U.S. businesses, and can be carefully calibrated to produce their desired effect. Sanctions could therefore act as a brake on escalation and add leverage to diplomatic negotiations on cyber issues, which the United States and China both appear to welcome. Finally, if Washington imposed targeted financial sanctions on cybercriminals, the effect of the sanctions would likely reverberate beyond U.S. borders, because financial institutions around the world often refuse to do business with sanctioned entities.

THE NUTS AND BOLTS OF BITS AND BYTES

When the U.S. government uses targeted financial sanctions, it identifies actors engaged in illicit activity, freezes their U.S. assets, and prohibits American people and entities from doing business with them. The government’s power to do this is rooted in statutes such as the International Emergency Economic Powers Act of 1977, which permits the president to declare a national emergency with respect to threats that originate “in whole or substantial part outside the United States” and to impose certain economic restrictions on the source of those threats. Unlike older types of sanctions programs like the embargo against Cuba, targeted financial sanctions are directed only at people and entities that the U.S. government knows are involved in illicit activity. Washington can impose such sanctions on individuals or corporations, including front and shell companies, whether or not they are linked to a state.

The United States has not hesitated to use sanctions against Chinese entities in the past. In July 2012, for example, the U.S. government sanctioned China’s Kunlun Bank for providing financial services to Iranian banks with connections to the country’s WMD programs and sponsorship of international terrorism. Sanctions in the cyber context would, of course, extend beyond Chinese entities, embracing the full range of state and nonstate actors that U.S. intelligence officials have publicly described as posing a cyberthreat to the United States.

To develop a cybersanctions program, the president would issue an executive order and declare a national emergency with respect to certain cyberthreats, and specify the persons or entities engaged in the proscribed conduct. Banks would then take that list of individuals or organizations, freeze their assets, and block their intended transactions. The Obama administration would also establish a legal process to ensure that the intended targets of the sanctions had in fact engaged in prohibited conduct. As with other sanctions programs, designated individuals could challenge the legal basis for the sanctions imposed on them before a judge.

As with all targeted sanctions programs, the government needs accurate information about who exactly has engaged in illicit conduct. This challenge is particularly salient in the realm of cybersecurity, since the government must surmount the additional hurdle of attribution -- the process of determining the true perpetrator of a cyber operation. This process is made more difficult by the fact that cyberattacks and cybertheft often make use of intermediate computer systems, many of which do not realize they are being hijacked in the course of an illicit cyber operation.

Although the problem of attribution poses a significant obstacle to identifying and sanctioning cybercrime, the U.S. government and the private sector have recently made progress in refining their ability to classify and identify the sources of threats. Last October, then Secretary of Defense Leon Panetta declared, “Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America.” Improved analytical methodologies are enabling public and private sector cybersecurity professionals to synthesize many small pieces of information collected over time to develop comprehensive pictures of cyberattackers. The more data the authorities and victims have about computer intrusions, the more they can compare the characteristics of individual attacks and accurately pinpoint their origins. In a prominent example of this dynamic, the computer security firm Mandiant recently published a report in which it demonstrated that one specific Chinese military unit was responsible for a number of cyberattacks on U.S. entities. It based its assessment on an investigation of hundreds of incidents, employing data-driven analytical techniques.

To be sure, the problem of attribution has not been fully resolved, but the progress that has been made on this front would enable targeted financial measures to achieve a number of important objectives. For starters, the establishment of a sanctions process would publicly identify those individuals and entities involved in illicit cyberactivities. Each time the government imposes sanctions on a person or an organization, it must publish a public statement that details the offender’s identity and describes the illicit activities. This information has traditionally served two purposes: it permits the financial institutions that are freezing assets and blocking transactions to ensure that they are penalizing the correct target, and it fulfills due process requirements designed to ensure that the entity has sufficient information about the reasons it is being sanctioned.

In the cybersecurity context, such public statements would serve another important purpose. By disclosing as much information as possible (consistent with the protection of intelligence sources and methods), the government would reveal a great deal about the ways in which cybercriminals conduct their operations. The government could even go so far as to include digital appendices with its public statements that include threat signatures -- the exact type of malicious computer code used to perpetrate cyberattacks and cybertheft. Companies in vulnerable industries could utilize such public information to improve their own defenses.

What is more, the establishment of a sanctions process for cyberattacks and cybertheft could help catalyze a global coalition to take action against the perpetrators of such activity. This is because banks all over the world, many of which are not legally obligated to enforce U.S. sanctions, often do so anyway because they are afraid of the reputational risks involved in conducting business with U.S.-sanctioned entities. The worldwide reach and power of the U.S. financial system mean that entities sanctioned under such a program could be effectively shut out of global finance.

Finally, the most important effects of a process for sanctioning cybertheft may not come directly from the sanctions imposed on illicit actors but, rather, from the incentives that such a program would establish for foreign governments that do not want to be known for tolerating cybercrime within their borders. By employing targeted sanctions to address certain kinds of illicit cyberactivities, the United States and other countries could begin the painstaking work of building international consensus around clear rules and expectations for appropriate behavior in cyberspace. Sanctioning nonstate actors from countries that take insufficient action against cybercriminals would call negative attention to their governments and, over time, identify their behavior as lying outside an international norm. Sanctions could play a major role in setting guidelines for what constitutes acceptable behavior in cyberspace.

Establishing a sanctions program to combat illicit cyberactivities would be a direct and proportionate way to address the growing threats that emanate from cyberspace. Although cybersanctions would need to be combined with diplomacy and other measures to be most effective, they should be implemented without delay. It is high time for illicit cyber actors to face serious consequences for their actions.