Over the past few years, the UK, US and other Western states have become comfortable calling out the actions of and applying sanctions to both financially motivated or nation-state threat actors, but according to a report from the Royal United Services Institute (Rusi), the practical impact of the practice is highly uneven.
In the study, Rusi cyber sanctions taskforce: Countering state-backed cyber threats, Rusi research fellow Gonzalo Saiz said that cyber sanctions were not a universal panacea.
“Sanctions will not deter all malicious cyber activity,” he said. “What they can do is complicate operations, raise costs, disrupt enabling infrastructure and signal collective resolve.”
Saiz explained that sanctions can deter adversaries by imposing friction, restricting access to various resources – both financial and technical – and making threat actor networks publicly toxic, such as the UK’s National Crime Agency (NCA) did to LockBit with some success.
However, he warned, cyber sanctions do not deter every threat actor and their practical impact varies wildly. Such measures tend to be most effective when they form part of a wider diplomatic, intelligence or law enforcement-led campaign, rather than just a standalone measure, said Saiz.
The report has its basis in a recent meeting convened by Rusi’s Centre for Finance and Security and its Cyber and Tech team, which brought together sanctions experts, cyber researchers, and current and former government officials from the UK, US and European Union (EU).
Multilateral approach is key
At the meeting, UK officials advocated for a multilateral approach to cyber sanctions, saying that the effectiveness of such measures depends on working alongside partners, such as the US, to lean on additional reach and enforcement capacity.
The UK’s current policy is to position itself as a reliable partner willing to move quickly and in coordination to have maximum effect. Its cyber officials also try to make attributions and call-outs more impactful by being more detailed and including guidance for users to help understand the context of the alert, and take mitigating steps where appropriate.
British officials emphasised that this approach served not only to punish or restrict individuals – which they conceded was tough because the majority of threat actors have no assets in or travel plans to the UK – but shape a wider narrative that can potentially shape threat actor decisions, and those made by third parties, such as crypto exchanges or bulletproof hosting services.
The UK participants did, however, say that because the evidentiary threshold required by the Crown Prosecution Service (CPS) is so high, and arrests of individuals located in and or protected by often hostile states are unlikely, Britain’s ability to use criminal proceedings as a complement to sanctions is limited.
This is in contrast to the US, which has the systemic weight to issue indictments and even, sometimes, to extradite threat actors and bring them to justice.
Indeed, the US has developed the most extensive and sustained practice of cyber sanctions to date, with much of its sanctions framework rooted in an Obama-era executive order that can be, and has been, used against a wide spectrum of targets.
The US approach is characterised by issuing criminal indictments of, and naming and shaming, individuals rather than cyber gangs or espionage units. This is done on the basis that while groups can dissolve or rebrand themselves, individual identities are far more persistent and can be tracked. In particular, the designation of specific officers working for Russian and Chinese intelligence agencies has built a foundation for future actions, and increased the operational and reputational risks involved for them.
Like the British, the Americans have tended to operate on the principle that cyber sanctions work best when used as part of an integrated campaign incorporating public technical advisories and other measures such as diplomatic démarches.
The EU’s cyber sanctions regime, meanwhile, dates back to 2019, and like the UK approach, incorporates asset freezes and travel bans as a core mechanism. It is designed to be somewhat horizontal to enable the EU to act against both cyber criminals and cyber spies alike.
However, in practice, it has been used cautiously, in part because EU sanctions policymaking requires unanimous buy-in from 27 countries. This means that while some member states, such as Estonia, Germany and the Netherlands, do proactively push for action, others – most notably, Hungary – are obstructive, particularly on Russian issues.
EU representatives said the bloc tended to use cyber attributions and sanctions as a signalling tool rather than a disruptive mechanism, building narratives and providing a channel for member states to express their feelings without individually taking on political risk as the UK and US do.
Rusi’s report said that without a larger body of designations and more systematic and transparent enforcement, the EU’s impact on adversary behaviour will remain limited.
Recommendations
Summing up the discussions, the report makes four key recommendations going forward.
Rusi said governments needed to be more specific on their explicit goals to enable more precise targeting and clearer assessments of outcomes, adopt more cross-domain strategies, focus on the enablers of cyber threat activity in addition to the perpetrators, and improve transparency and data on the impact of sanctions.
“Cyber sanctions are an essential but imperfect component of modern deterrence,” wrote Saiz. “While they rarely stop operations outright, they can impose costs that make malicious activity riskier and less profitable.
“The research emphasises that effectiveness depends on coordination, attribution and clarity of purpose. The US experience shows the value of sequencing sanctions with other instruments to deliver cumulative impact; the EU’s experience highlights the need for transparency and data; and the UK’s approach demonstrates the importance of partnership and narrative shaping.”
