Unpacking US Cyber Sanctions


Takeaways

One of the authors of this brief, Allison Peters, has since departed Third Way. This brief was written and finalized prior to her departure.

Malicious cyber activity poses one of the greatest threats to America’s national, economic, and personal security. Yet the perpetrators of these crimes largely operate with impunity and face few consequences for their actions. This is particularly the case for cybercriminals, who cost the US economy anywhere from $57 billion to $109 billion in 2016 alone.1

Since 2015, the United States has imposed targeted sanctions (e.g., asset freezes, travel bans) on over 300 individuals and entities in response to malicious cyber activity.2 Many of these sanctions were issued under the cyber-related sanctions program administered by the Department of Treasury and established by a series of Executive Orders under Presidents Obama and Trump and bills passed by Congress.3 Sanctions have largely been imposed on individuals with ties to Iran, Russia, and North Korea, and, in about half of these cases, sanctions have followed indictments. An overwhelming majority of these sanctions have targeted individuals with suspected links to government entities and, only recently, have cyber sanctions targeted cybercriminals.4

As targeted sanctions increasingly become a tool deployed by the US government to punish malicious cyber actors, it remains unclear whether they are having an impact in changing behavior. Research on the impact of sanctions more broadly indicates that sanctions can be an effective tool to impose consequences on bad actors and change their actions when employed multilaterally, as part of a coherent strategy, and effectively messaged.5 However, imposing sanctions on malicious cyber actors without continuously reassessing their impact and the expected reciprocal actions by the target(s), risks a number of potentially negative outcomes.

While Congress introduced legislation in the 116th Congress to impose new or codify existing cyber-related sanctions into law,6 it has not exercised the necessary oversight over the Executive Branch’s strategy in issuing cyber-related sanctions and determining their efficacy.

With other countries now following America’s lead in issuing these sanctions, the time is ripe for the new Congress to push for an inter-agency, holistic assessment of the impact of US cyber-related sanctions.7 And with cybercrime increasingly threatening all sectors of the US economy, Congress must call for an evaluation as to whether sanctions on non-state cybercriminals should increasingly be used.

This memo includes an explainer of cyber sanctions and recommendations for Congress to conduct more oversight in four sections:

  • A brief analysis of the nature of cyber activity committed against the United States;
  • An overview of the history of US cyber sanctions and an analysis of the actors they have targeted;
  • An assessment of existing research on sanctions as a tool of US foreign policy and the implications of this research on cyber-related sanctions; and
  • Recommendations for Congress to assess the impact of cyber-related sanctions and conduct proper oversight over the issuance of these sanctions.

Malicious cyber activity poses a direct threat to America’s national, economic, and human security, and sanctions have been deployed by the US government to impose consequences on the perpetrators.

Malicious cyber activity is surging in the United States, targeting its people, undermining its national security, and affecting nearly every sector of its economy. Nearly one in four American households have fallen victim to a cybercrime.8 Entire state and local governments have been held hostage by ransomware (a form of cybercrime), resulting in millions of dollars lost in recovery costs.9 And now, America’s hospitals and schools are being targeted in the midst of the COVID-19 pandemic.10 Foreign adversaries have also leveraged cybercrime tools and employed cybercriminals to steal America’s national security secrets and intellectual property.11

The economic losses resulting from cybercrime in the United States and globally are staggering. In 2016 alone, cybercriminals cost the US economy anywhere from $57 billion to $109 billion, according to the last White House Council on Economic Advisors assessment.12 Each year, the global impact also grows. In December 2020, the Center for Strategic and International Studies (CSIS) reported the cost of cybercrime reached over $1 trillion globally, which was a 50% increase from their 2018 assessment.13 In particular, the economic losses from ransomware have continued to surge during the COVID-19 pandemic. One recent report found a 311% increase in 2020 from 2019 in cryptocurrency received by criminal addresses from ransomware for a total of just under $350 million.14

The perpetrators of malicious cyber activity range from state-sponsored or -enabled actors to organized criminal groups and lone actors. One study found non-state cybercriminals conducted 57% of the largest cyber loss events in the world between 2015 and 2019. The other 43% of these attacks were perpetrated by state-sponsored or -enabled actors.15 Some US assessments indicate cybercriminals are generally more motivated by financial reasons, while nation-state actors tend to be more focused on stealing, destroying, or compromising victim data.16 The line between nation-state actors and non-state cybercriminals, however, has blurred as states abet and directly employ non-state cybercriminals and/or their tools.17

Despite the proliferation of a wide spectrum of cyber activity against the United States, the state and non-state actors committing it rarely face consequences. But sanctions have emerged as a tool increasingly used to deter and/or compel a change in their behavior. Yet compared to the number of incidents, few actors who engage in malicious cyber activity are sanctioned. Of those that are, they are largely nation-state-connected actors residing in countries that are particularly difficult for US authorities to reach.

The number of sanctions for malicious cyber activity remains comparatively low to the overall number of sanctions issued and questions remain about their effectiveness.

As the number of malicious cyber incidents in the United States has grown, so too has the number of cyber sanctions.18 US policymakers have used economic pressure to advance foreign policy goals and respond to threats against the nation since the dawn of the Republic, and sanctions have now increasingly, albeit sparingly, become a tool of response to malicious cyber activity. In 2015, then-President Barack Obama issued the first executive order (EO) to institute a sanctions regime targeting the individuals and entities behind “significant cyber-enabled activities.”19 These cyber sanctions along with sanctions programs established to deal with particular countries and security threats of concern, including terrorism, have been used to target the individuals and entities behind cyberattacks and other cyber activity against the United States.     

The US government imposes sanctions broadly to alter the strategic decisions of state and non-state actors that threaten US interests or in response to particularly egregious behavior. A form of sanctions was first established in 1807 when Congress passed the “Embargo Act.”20 Over two centuries later, the globalization of economic markets and the desire for new tools to combat threats to national and global security has contributed to substantial innovation in the use of coercive economic measures such as sanctions. Sanctions programs have continued to grow in size and scope. They can either be comprehensive (i.e., restrictions on trade and commercial activity with an entire country) or targeted (i.e., restrictions on the activity of specific individuals and/or entities). Many federal government entities play a role in administering sanctions and tracking their implementation, including the Departments of Treasury (namely through its Office of Foreign Assets Control or OFAC), State, and Commerce.21 The Government Accountability Office (GAO) highlights that:

“Sanctions may place restrictions on a country’s entire economy, targeted sectors of the economy, or individuals or corporate entities. Reasons for sanctions range widely, including support for terrorism, narcotics trafficking, weapons proliferation, and human rights abuses. Economic restrictions can include, for example, denying a designated entity access to the U.S. financial system, freezing an entity’s assets under U.S. jurisdiction, or prohibiting the export of restricted items.”22

As of December 2020, the United States has nearly 8,000 sanctions in place on individuals, companies, or entire countries.23 Of those 8,000, a little more than 300 are for malicious cyber activity.24

Debate continues as to the effectiveness of sanctions overall and their impact. Critics argue that sanctions are poorly designed and rarely successful in changing a target’s conduct.25 And there is growing recognition that comprehensive sanctions on entire countries have contributed to a number of humanitarian crises and corruption.26 However, others have argued that sanctions have become more effective in recent years as they have become more targeted in nature.27 And some research has given sanctions credit, at least in part, for changing the behavior of governments in Libya and South Africa in the past.28

Broadly, the authorities for US sanctions programs may originate through executive or legislative action. Pursuant to the “International Emergency Economic Powers Act” (IEEPA, P.L. 95-223), the President, upon declaring a state of emergency, can institute sanctions by EO against countries or individuals in response to an “unusual and extraordinary” threat.29 Congress, for its part, may also pass legislation imposing new sanctions or modifying existing ones.       

Against this backdrop, the US government first started sanctioning actors accused of committing malicious cyber-enabled activity in 2012 under a number of different authorities.30 Subsequently, in 2015, then-President Obama issued EO 13694,31 later amended in 2016 to include election interference in EO 13757,32 establishing a dedicated sanctions program to respond to significant malicious cyber-enabled activities with asset freezes, travel restrictions, and property and interest blocks. Lawmakers codified portions of these EOs in 2017 with the passage of the “Countering America’s Adversaries Through Sanctions Act” (CAATSA, P.L. 115-44), which provides for sanctions against individuals or entities that engage in “significant activities undermining cybersecurity” on behalf of Russia.33 Further, in 2018, then-President Trump also issued EO 13848, imposing sanctions for election interference.34 These EOs and CAATSA covered several categories of activity, including foreign election interference, infiltration and/or disruption of computer networks, and misappropriation of trade secrets stolen via cyber-enabled means.35

Using these and other authorities, the US government has instituted targeted sanctions on a number of individuals and entities for their malicious cyber activity. According to research by the Carnegie Endowment for International Peace and with more recent additions added since that research was finalized, the United States had imposed sanctions 35 times, targeting over 300 people and entities, in response to malicious cyber activity under several different authorities, including the cyber-related sanctions program.36 (See Appendix 1) The sanctioned activity has ranged from cyber-enabled espionage, election interference, design and distribution of destructive malware, exchanging currency gained from ransomware attacks, business email compromise, and other cyber activity.37 Preceding or simultaneous to the issuance of these sanctions, the Department of Justice has also indicted about half of these same individuals and entities, indicating that indictments can serve as an important tool allowing the US federal government to lay out the case against these actors for follow-up action such as sanctions.

The US government has predominantly deployed cyber sanctions against nation-state-connected individuals or entities in three countries: Iran, North Korea, and Russia.38 Cyber sanctions have also been issued against individuals in other countries in a few select cases.39 Some organizations have criticized the United States for failing to sanction Chinese cyber actors despite the tremendous amount of malicious cyber activity emanating from China.40 As of December 2020, some entities with business in China have been sanctioned but for facilitating individuals’ evasion of US cyber sanctions.41 Additionally, while the Department of Justice has indicted several Chinese citizens for malicious cyber activity,42 only two with no suspected ties to the Chinese government have been the target of sanctions for conducting malicious cyber activity.43 In response to malicious cyber activity emanating from China, the US government has largely pursued other actions, including diplomatic negotiations.44

Despite some estimates indicating non-state actors, mainly cybercriminals, accounted for over 50% of the largest cyber loss events in the world between 2015 and 2019,45 only 26 suspected non-state individuals or entities were sanctioned for cyber activity as of December 2020. (Though the increased blurring of the boundary between state and non-state actors, as states abetted and in some instances directly employed non-state cybercriminals and/or their tools to advance their objectives, makes such clear delineation difficult and should be kept in mind.)46 Research has shown that while sanctions on non-state actors may not change their calculus, they can have an impact on freezing these illicit actors out of legitimate financial systems in order to deny them resources.47 Sanctions can make it “costlier, riskier, [and] less efficient” for non-state actors to use and move funds.48 And they may also protect the integrity of the financial system.49

Overall, there is little to no publicly available information to indicate whether these cyber sanctions are or are not having an impact in achieving their goals. The objectives of sanctions go beyond just punishing a malicious actor and include disrupting the financing and recruiting efforts of would-be hackers and changing the long-term behavior of actors in cyberspace.50 There are no publicly available assessments to indicate whether these sanctions are meeting these objectives. Further, the 2018 National Cyber Strategy makes little mention of how economic sanctions fit into the US government’s broader strategic approach to dealing with malicious cyber actors.51 This Strategy also did not establish a framework as to how decisions are being made and which actors US cyber sanctions will target, leading to concerns over inconsistent applications.52 In a March 2020 hearing before a House Appropriations subcommittee, then-Treasury Secretary Steven Mnuchin did not directly answer a question as to whether cyber sanctions have been effective. Mnuchin responded, “I do think our sanctions programs work, and I do think we’re sanctioning the right people, and I do believe we have proper resources.”53

Five years after President Obama issued his first EO to establish an American cyber-related sanctions program, other countries are now following suit. Both the European Union (EU) and the United Kingdom (UK) have adopted cyber sanctions regimes closely mirroring that of the United States, though there are some noted differences.54 In July 2020, the EU imposed cyber sanctions for the first time on six individuals and three entities from North Korea, Russia, and China, who are suspected to be responsible for a number of different cyberattacks and cyber espionage.55 In October 2020, the Group of Seven (G7), a forum of the world’s seven leading industrial nations, stated it would explore opportunities to impose more coordinated, targeted financial sanctions in response to malicious cyber activity.56

As the US government works to advocate for other countries to establish cyber sanctions regimes and coordinates multilaterally to impose sanctions, it is critical that it can demonstrate the impact of these efforts. Research on sanctions broadly can offer some important insights.

It remains unclear whether cyber sanctions are having an impact in changing target behavior but research on sanctions broadly can offer some key insights.

Research on sanctions broadly as a US foreign policy tool indicates that these measures can have an impact when certain conditions are met. As the relevant federal entities work to determine whether sanctions should increasingly be used against malicious cyber actors, including non-state cybercriminals, this research can help guide a strategic approach for how to proceed. 

The US government is using sanctions more than ever before.57 According to the GAO, there are now 20 country-based sanctions programs. Additional programs target individuals or entities regardless of their geographic location for their involvement in security threats like terrorism, narcotics trafficking, and malicious cyber activity.58 Even as more sanctions are imposed, and foreign governments adopt their own measures, however, assessing the effectiveness of these actions remains a difficult process. GAO found that may be, in part, because US government entities are not required to determine whether sanctions “work.”59 In October 2019, GAO reported that the Departments of Treasury, State, and Commerce conduct assessments on sanctions’ impact on specific targets, but not their overall effectiveness in meeting US policy goals.60

Sanctions research sheds light on when these measures overall can be most effective. The US Cyberspace Solarium Commission rightfully highlighted in its final report that the “efficacy of sanctions depends heavily on a number of factors, including their target and timeline, the degree of international coordination, and the path to lifting them.”61 Some research has suggested that economic sanctions have resulted in some meaningful change in the sanctioned country about 40% of the time.62 However, scholars debate whether there is an actual causal relationship between sanctions and these behavioral changes in a number of cases. For example, some see South Africa’s repeal of the legal framework for apartheid as a direct result of sanctions. Others maintain it was unrelated.63 Libya’s decision to abandon its weapons of mass destruction programs and support for terrorism in 2003 has been held as a model for an effective sanctions regime, but others question whether other issues and actions had a greater influence on this decision.64

Against state actors, sanctions have proved effective when implemented multilaterally, effectively messaged, and as part of a coherent strategy. GAO found that sanctions were successful in changing behavior when they were implemented in concert with other countries and “when targeted countries had some existing dependency on or relationship with the United States,” such as foreign aid or military support.65 GAO also found “strong evidence that the economic impact of sanctions has generally been greater when they were more comprehensive in scope or severity.”66 But there is also evidence to suggest that when sanctions are effectively messaged (i.e., when the sanctioned state understands what behavior the sanctions are targeting and what behavior is necessary to achieve a lifting in sanctions) sanctioned states are more likely to change their behavior.67

Research on sanctions against non-state actors has focused primarily on their impact on terrorism.68 The studies find that sanctions are not particularly effective at changing terrorists’ ideology but can effectively disrupt their access to financial markets, thereby limiting their ability to conduct attacks.69 The application of national and international sanctions, coupled with close cooperation with foreign partners and the private sector, and enhancements in international financial transparency have made it harder for “terrorist groups to raise, move, store, and use funds.”70 In particular, al-Qaeda’s financial network has been undermined through the use of targeted financial measures, sustained engagement in key areas, and the development of innovative systems by which to collect financial intelligence.”71 In the post-9/11 period, scholars have noted the success of the international community in “significantly hobbling terrorist groups by restricting access to legitimate financial channels.”72 Disrupting these sources has been a core component of the fight to destroy terrorist groups73 and could be similarly successful against transnational criminal organizations that rely on cybercrime for resources.

Lessons learned from this research indicate that coordinating cyber sanctions with foreign partners and the private sector and quickly identifying and seizing financial assets is essential when dealing with non-state cybercriminals. Cybercriminals with no ties to nation-states may have fewer links to the global financial system, which may mean targeted sanctions could be effective against these actors though they have been rarely used against them.74 This research also suggests effectively messaging what behavior the sanctions are targeting and what can be done by the targeted actor to reduce those sanctions may deter future cybercrime.75

However, the imposition of sanctions can have drawbacks. First, over time, international compliance with sanctions can diminish, particularly when the sanctioned activity has passed.76 Second, too many sanctions may limit the potency of sanctions in the future. Banks are subject to liability if they maintain accounts for illicit actors, even if they did not willfully violate sanctions regimes.77 To avoid incurring stiff penalties, they will often not open accounts with respect to certain activities.78 Additionally, legitimate entities and people may seek out alternative financial systems to avoid liability concerns, driving them away from the US financial system. This may include the increased use of cryptocurrency.79 Paradoxically, this limits the reach of US sanctioning power by driving illicit activity to unregulated areas and pushing higher-risk clients to banks that may have fewer resources to detect illegal transactions.80 Finally, the overuse of sanctions may impugn the power of sanctions as a tool to advance US goals in the future if they do not result in the intended effect.81 A continual reassessment of how cyber sanctions fit into a broader strategic approach toward dealing with their targets and their impact is vital to mitigate these risks.

Nonetheless, sanctions can be a useful tool to impact a target’s behavior and impose consequences on those that may be out of reach for US law enforcement authorities. The US Cyberspace Solarium Commission found the use of sanctions as part of a layered deterrence strategy “will not eliminate state-sponsored cyber operations or cybercrime, but consistently enforced consequences and rewards can begin to erode the incentives for bad behavior.”82 Sanctions can also have other critical impacts such as cutting off financial flows, galvanizing global support for further actions against malicious cyber actors, and enforcing norms of responsible behavior in cyberspace. They may also serve an important signaling function by allowing the US government to detail the malicious cyber activity it is targeting in the public domain. This could, for example, signal to cybersecurity practitioners those actors they should be particularly focused on.83 Moving forward, Congress must now exercise its oversight role over US cyber-related sanctions to assess their impact.

Congress can play a key role in maintaining oversight of US cyber sanctions. As the 117th Congress and a new presidential administration begins, Members should prioritize pushing for assessments on the efficacy of existing sanctions and recommendations to ensure such sanctions are being issued in a strategic and coordinated manner across the US government. There are a number of actions Members can take to put this into action.

First, as Members of Congress conduct relevant hearings, the following questions are important for them to raise about cyber sanctions:

  1. What is the Administration’s view of how cyber sanctions fit into their overall strategic approach to dealing with malicious cyber threats?
  2. What role can these sanctions play in imposing consequences on cybercriminals, and should the US government increase the use of sanctions on these criminals? What impact might that have?
  3. Are the goals of the cyber sanctions issued so far clearly defined inside the US government?
  4. How are decisions being made as to when sanctions are issued against individuals and entities in different countries? What factors does the Administration consider when making those decisions?
  5. What are the criteria that will be used to determine whether any existing cyber sanctions should be lifted?
  6. How are intelligence assessments used in the process of issuing and reviewing the effectiveness of sanctions? How do these assessments factor into determinations of what any expected reciprocal actions might be and eventually whether they are having the intended impact?
  7. Is there a clear communication strategy about the precise behavior that cyber sanctions are targeting so the targets themselves understand what is being sought?
  8. How are cyber sanctions being coupled with other actions, including other forms of economic pressure, in order to develop a comprehensive and cohesive strategy toward the nation-states and/or organizations being targeted?
  9. What risks and rewards does the Executive Branch weigh in determining whether further sanctions on entities for malicious cyber activity are needed?
  10. What is the Administration’s strategy for expanding a more multilateral approach to the issuance of cyber sanctions? What have been the impediments to doing so?
  11. Do the Departments of Treasury, State, and Commerce have the adequate resources to meet the needs of the cyber-related sanctions programs and ensure these sanctions are being properly monitored and evaluated?

Second, Congress can push the Executive Branch to assess the impact of its approach to cyber-related sanctions to ensure they are issued strategically and consistently. To do so, Congress can require the Department of Treasury, in coordination with all relevant federal entities, including the Intelligence Community, to undertake an inter-agency assessment of the effectiveness of all existing cyber-related sanctions in halting or reducing malicious cyber activity. It has been over five years since President Obama issued the first Executive Order to establish a dedicated cyber sanctions regime in the United States. The time is ripe for an inter-agency, holistic assessment of the impact of such cyber-related sanctions. This assessment can be institutionalized every four years, in conjunction with the update of the State Department’s global cyber engagement strategy and the White House’s national cyber strategy. Recommendations on the specific components of this assessment can be found in Third Way’s “Roadmap to Strengthen US Cyber Enforcement.”84

Finally, Congress should provide support to the Departments of State and Treasury to boost resources to non-governmental research institutions that can conduct regular, independent assessments of the effectiveness of cyber sanctions and propose recommendations to improve the US’s cyber sanctions regime. As cyber sanctions have increasingly become a tool in America’s cyber diplomacy toolbox, agencies should invest resources in organizations outside of the government to study whether these sanctions are working and what impact they might be having on the US financial system.

Conclusion

In recent years, sanctions have emerged as a frequent tool of American foreign policy. Since the cyber-related sanctions program was formally established, these sanctions have increasingly, albeit sparingly, been used as a tool to impose consequences on malicious cyber actors. Yet, there is little publicly available data to assess whether these cyber sanctions have had an impact in changing their targets’ behavior or achieving other established goals. Research on sanctions broadly offers some guidance on how cyber sanctions can prove effective. Accounting for these insights, Congress should exercise its oversight function and raise a number of questions about the strategy and impact of cyber sanctions during budget and nomination hearings and meetings with the Executive Branch. This should include raising the question as to whether sanctions should be used more to target cybercriminals. Finally, Congress should push for a formal assessment on the impact of the US government’s cyber sanctions program and provide support for organizations to conduct independent research into these questions.

Appendix 1

The following chart documents the sanctions that have been issued by the US government for malicious cyber activity under a number of authorities, including but not limited to the cyber-enabled sanctions program. It lists the country or non-state actor linked to the malicious cyber activity (though it should be noted that those listed as non-state actors may have some linkages to state entities), the number of individuals or entities sanctioned, the authority under which the sanctions were issued, and the date of issuance.85

| Country | Target | Authority | Date |
| --- | --- | --- | --- |
| Iran | 1 entity | Terrorism (EO 13224) | 2/16/12 |
| Iran | 1 individual; 6 entities | Human Rights (EO 13606) | 4/23/12 |
| Iran | 3 individuals; 6 entities | Iran (EO 13628) | 11/8/12 |
| Iran | 1 individual; 4 entities | Iran Threat Reduction and Syrian Human Rights Act (P.L. 112-158) | 2/6/13 |
| Iran | 2 entities | Iran (EO 13628) | 5/31/13 |
| Iran | 2 entities | Iran (EO 13628), Human Rights (EO 13553) | 12/30/14 |
| Iran | 7 individuals; 1 entity | Cyber (EO 13694) | 9/14/17 |
| Iran | 3 entities | Iran (EO 13606, 13628) | 1/12/2018 |
| Iran | 10 individuals; 1 entity | Cyber (EO 13694) | 3/23/18 |
| Iran | 2 individuals; 1 entity | Iran (EO 13606, 13628) | 5/30/18 |
| Iran | 6 individuals; 1 entity | Iran (EO 13606) | 2/13/19 |
| Iran | 1 entity | Weapons of Mass Destruction (EO 13382) | 3/22/19 |
| Iran | 45 individuals; 2 entities | Human Rights (EO 13553, 13572), Terrorism (EO 13224) | 9/17/20 |
| Iran | 5 entities | Election Interference (EO 13848) | 10/22/20 |
| North Korea | 10 individuals; 3 entities | North Korea (EO 13687) | 1/2/15 |
| North Korea | 1 individual; 1 entity | North Korea (EO 13722) | 9/6/18 |
| North Korea | 3 entities | North Korea (EO 13722) | 9/13/19 |
| Russia | 4 individuals; 5 entities | Cyber (EO 13757) | 12/29/16 |
| Russia | 19 individuals; 5 entities | Cyber (EO 13694), CAATSA | 3/15/18 |
| Russia | 24 individuals, 14 entities | Ukraine (EO 13661, 13662), Syria (EO 13582), CAATSA | 4/6/18 |
| Russia | 3 individuals; 5 entities | Cyber (EO 13694), CAATSA | 6/11/18 |
| Russia | 2 individuals; 2 entities | Cyber (EO 13694), CAATSA | 8/21/18 |
| Russia | 15 individuals; 4 entities | Cyber (EO 13694), CAATSA | 12/19/18 |
| Russia | 7 individuals; 8 entities | Election Interference (EO 13848) | 9/30/19 |
| Russia | 17 individuals; 4 entities | Cyber (EO 13694), CAATSA | 12/5/19 |
| Russia | 4 individuals | Cyber (EO 13694), Election Interference (EO 13848) | 9/10/20 |
| Russia | 8 individuals; 7 entities | Election Interference (EO 13848), Cyber (EO 13694), Ukraine (EO 13661) | 9/23/20 |
| Russia | 1 entity | CAATSA | 10/23/20 |
| Non-state | 2 individuals | Cyber (EO 13694) | 12/29/16 |
| Non-state | 2 individuals; 2 entities | Transnational Criminal Organizations (EO 13581) | 7/18/17 |
| Non-state | 2 individuals | Cyber (EO 13694) | 11/28/18 |
| Non-state | 2 individuals | Cyber (EO 13694) | 3/2/20 |
| Non-state | 6 individuals | Cyber (EO 13694) | 6/16/20 |
| Non-state | 3 individuals, 5 entities | Cyber (EO 13694) | 7/15/20 |
| Non-state | 2 individuals | Cyber (EO 13694, 13757) | 9/16/20 |


Endnotes

  1. US White House, The Council of Economic Advisers. The Cost of Malicious Cyber Activity to the U.S. Economy. February 2018, p. 36. https://www.hsdl.org/?view&did=808776. Accessed 28 Dec. 2020.

  2. Thompson, Natalie, “Countering Malicious Cyber Activity: Targeted Financial Sanctions” Carnegie Endowment for International Peace, Oct. 2020, pp. 11-13. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3770816. Accessed 23 Jan. 2021.

  3. See April 2015 Executive Order 13694 and December 2016 Executive Order 13757; cyber sanctions contained in the International Emergency Economic Powers Act (IEEPA, 50 USC §§ 1701-1706), National Emergencies Act (NEA, 50 USC §§ 1601-1651), and the “Countering America’s Adversaries Through Sanctions Act” (P.L. 115-44) (CAATSA); and country-specific sanctions regimes such as those for North Korea, Iran, Syria, and Ukraine-/Russia-related activities. US Department of State. “Cyber Sanctions.” www.state.gov/cyber-sanctions/. Accessed 28 Dec. 2020; US Department of the Treasury. “Sanctions Programs and Country Information.” home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information. Accessed 28 Dec. 2020.

  4. Thompson, Natalie, “Countering Malicious Cyber Activity: Targeted Financial Sanctions” Carnegie Endowment for International Peace, Oct. 2020, pp. 11-13. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3770816. Accessed 23 Jan. 2021; “Treasury Sanctions Nigerian Cyber Actors for Targeting U.S. Businesses and Individuals.” Press Release, US Department of the Treasury, 16 June 2020, home.treasury.gov/news/press-releases/sm1034. Accessed 28 Dec. 2020; “Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware,” Press Release, US Department of Treasury, 23 Oct. 2020, https://home.treasury.gov/news/press-releases/sm1162. Accessed 28 Dec. 2020.

  5. David Mortlock & Brian O’Toole. “US sanctions: Using a coercive and economic tool effectively.” The Atlantic Council, 8 Nov. 2018, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/us-sanctions-using-a-coercive-and-economic-tool-effectively/. Accessed 03 Nov. 2020.

  6. For example, the “Cyber Deterrence and Response Act of 2019” was introduced in the House and Senate, which would establish a process to identify and impose sanctions against foreign persons and countries responsible for state-sponsored cyberattacks and require the Executive to periodically brief Congress on state-sponsored cyber activities against the United States. US Congress, 116th Congress, https://www.congress.gov/bill/116th-congress/house-bill/1493?q=%7B%22search%22%3A%5B%22H. R. 3941%22%5D%7D. The “Defending American Security from Kremlin Aggression Act” was introduced in the Senate, which would require the President to impose additional sanctions on Russian entities and individuals for malicious cyber activity. US Congress, 116th Congress, https://www.congress.gov/bill/116th-congress/senate-bill/482/text.

  7. Botek, Adam. “European Union establishes a sanction regime for cyber-attacks.” NATO Cooperative Cyber Defence Centre of Excellence, ccdcoe.org/library/publications/european-union-establishes-a-sanction-regime-for-cyber-attacks/. Accessed 28 Dec. 2020; “UK Cyber Sanctions,” UK.gov, 18 June 2020, www.gov.uk/government/collections/uk-cyber-sanctions. Accessed 28 Dec. 2020.

  8. Reinhart, RJ. “One in Four Americans Have Experienced Cybercrime.” Gallup, 11 Dec. 2018, news.gallup.com/poll/245336/one-four-americans-experienced-cybercrime.aspx. Accessed 30 Nov. 2020.

  9. Newman, Lily Hay. “Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare.” Wired, 23 Apr. 2018, https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/. Accessed 30 Dec. 2020; Lauren Frias. “Louisiana’s governor declared a state of emergency after a cybersecurity attack on government servers.” Business Insider, 22 Nov. 2019, https://www.businessinsider.com/louisiana-declares-state-of-emergency-after-cybersecurity-attack-2019-11. Accessed 30 Nov. 2020; Fernandez, Manny, et al. “Ransomware Attack Hits 22 Texas Towns, Authorities Say.” The New York Times, 20 Aug. 2019, www.nytimes.com/2019/08/20/us/texas-ransomware.html. Accessed 28 Dec. 2020.

  10. Joint cybersecurity advisory coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). “Ransomware Activity Targeting the Healthcare and Public Health Sector.” 29 Oct. 2020, https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf. Accessed 28 Dec. 2020; Bergal, Jenni. “Cybercriminals Strike Schools Amid Pandemic,” Pew, 22 Sep. 2020, https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2020/09/22/cybercriminals-strike-schools-amid-pandemic. Accessed 28 Dec. 2020.

  11. US Department of Homeland Security. “Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar.” 2019, www.dhs.gov/sites/default/files/publications/ia/ia_geopolitical-impact-cyber-threats-nation-state-actors.pdf. Accessed 28 Dec. 2020.

  12. US White House, The Council of Economic Advisers. The Cost of Malicious Cyber Activity to the U.S. Economy. February 2018, p. 36. https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf. Accessed 28 Dec. 2020.

  13. Lewis, James and Smith, Zhanna. “The Hidden Costs of Cybercrime,” Center for Strategic and International Studies, 9 Dec. 2020, https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf. Accessed 28 Dec. 2020.

  14. Chainalysis, “Crypto Crime Summarized: Scams and Darknet Markets Dominated 2020 by Revenue, But Ransomware Is the Bigger Story.” 19 Jan. 2021. https://blog.chainalysis.com/reports/2021-crypto-crime-report-intro-ransomware-scams-darknet-markets. Accessed 21 Jan. 2021.

  15. Cyentia Institute, “Information Risk Insight Study 20/20, Extreme, Analyzing the 100 largest cyber loss events of the last five years.” 2020, p. 23. https://www.cyentia.com/wp-content/uploads/IRIS2020-Xtreme.pdf. Accessed 28 Dec. 2020.

  16. Ablon, Lillian. “Data Thieves: The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data.” Rand, Testimony presented before the House Financial Services Committee, Subcommittee on Terrorism and Illicit Finance, 15 Mar. 2018, www.rand.org/content/dam/rand/pubs/testimonies/CT400/CT490/RAND_CT490.pdf. Accessed 30 Nov. 2020.

  17. US Department of Homeland Security. “Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar.” 2019, pp. 4-5. www.dhs.gov/sites/default/files/publications/ia/ia_geopolitical-impact-cyber-threats-nation-state-actors.pdf. Accessed 28 Dec. 2020; Healey, Jason. “Beyond Attribution: Seeking National Responsibility for Cyber Attacks.” The Atlantic Council, 22 Feb. 2012, www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF. Accessed 28 Dec. 2020.

  18. “2019 Year-End Sanctions Update.” Gibson Dunn, 23 Jan. 2020. https://www.gibsondunn.com/wp-content/uploads/2020/01/2019-year-end-sanctions-update.pdf. Accessed 28 Dec. 2020.

  19. President Barack Obama White House. “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” Executive Order, 1 Apr. 2015, https://obamawhitehouse.archives.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m. Accessed 28 Dec. 2020.

  20. Jeffrey Frankel. “The 1807-1809 Embargo of Britain.” Journal of Economic History, Vol. 42:2, June 1982, pp. 291–308. https://doi.org/10.1017/S0022050700027443. Accessed 30 Nov. 2020.

  21. US Government Accountability Office. “Economic Sanctions: Agencies Assess Impacts on Targets, and Studies Suggest Several Factors Contribute to Sanctions' Effectiveness.” 2 Oct. 2019, www.gao.gov/products/GAO-20-145. Accessed 30 Nov. 2020.

  22. Ibid., p. 1.

  23. Gilsinan, Kathy. “A Boom Time for U.S. Sanctions.” The Atlantic, 3 May 2019, https://www.theatlantic.com/politics/archive/2019/05/why-united-states-uses-sanctions-so-much/588625/. Accessed 30 Dec. 2020; US Department of Treasury. “Consolidated Sanctions List Data Files.” 14 Dec. 2020, https://home.treasury.gov/policy-issues/financial-sanctions/consolidated-sanctions-list-data-files. Accessed 28 Dec. 2020.

  24. Thompson, Natalie, “Countering Malicious Cyber Activity: Targeted Financial Sanctions” Carnegie Endowment for International Peace, Oct. 2020, pp. 11-13. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3770816. Accessed 23 Jan. 2021.

  25. Fishman, Edward. “How to Fix America’s Failing Sanctions Policy.” Lawfare, 4 June 2020, https://www.lawfareblog.com/how-fix-americas-failing-sanctions-policy. Accessed 30 Nov. 2020.

  26. Omar, Ilhan. “Sanctions are part of a failed foreign policy playbook. Stop relying on them.” The Washington Post, 23 Oct. 2019, https://www.washingtonpost.com/opinions/ilhan-omar-sanctions-are-part-of-a-failed-foreign-policy-playbook-stop-relying-on-them/2019/10/23/b7cbb1ca-f510-11e9-a285-882a8e386a96_story.html. Accessed 30 Nov. 2020; Albert, Eleanor. “What to Know About Sanctions on North Korea.” The Council on Foreign Relations, 16 July 2019, https://www.cfr.org/backgrounder/what-know-about-sanctions-north-korea. Accessed 01 Dec. 2020; Haass, Richard. “Economic Sanctions: Too Much of a Bad Thing.” Brookings Institution, 1 June 1998, https://www.brookings.edu/research/economic-sanctions-too-much-of-a-bad-thing/. Accessed 30 Nov. 2020.

  27. Hufbauer, Gary. “Sanctions Sometimes Succeed: But No All-Purpose Cure.” Cato Unbound, 7 Nov. 2014, https://www.cato-unbound.org/2014/11/07/gary-clyde-hufbauer/sanctions-sometimes-succeed-no-all-purpose-cure. Accessed 30 Nov. 2020; Lorber, Eric & Schneider, Jacquelyn. “Sanctioning to Deter: Implications for Cyberspace, Russia, and Beyond.” War on the Rocks, 14 Apr. 2015, https://warontherocks.com/2015/04/sanctioning-to-deter-implications-for-cyberspace-russia-and-beyond/. Accessed 30 Nov. 2020.

  28. Nephew, Richard. “Libya: Sanctions Removal Done Right? A Review of The Libyan Sanctions Experience, 1980–2006.” Mar. 2018, https://energypolicy.columbia.edu/sites/default/files/pictures/Libya%20Sanctions%20Removal_CGEP_Report_031918.pdf. Accessed 01 Dec. 2020; Jordan, Joseph. “Sanctions Were Crucial to the Defeat of Apartheid.” The New York Times, 19 Nov. 2013, https://www.nytimes.com/roomfordebate/2013/11/19/sanctions-successes-and-failures/sanctions-were-crucial-to-the-defeat-of-apartheid. Accessed 01 Dec. 2020.

  29. United States, Congress. International Emergency Economic Powers Act (IEEPA). Congress.gov, https://uscode.house.gov/view.xhtml?path=/[email protected]/chapter35&edition=prelim, 95th Congress. Pub.L. 95–223, title II, §202, 91 Stat. 1626, passed Dec. 28, 1977. Accessed 01 Dec. 2020.

  30. Thompson, Natalie, “Countering Malicious Cyber Activity: Targeted Financial Sanctions” Carnegie Endowment for International Peace, Oct. 2020, p. 9. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3770816. Accessed 23 Jan. 2021.

  31. “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities” EO 13694. 01 Apr. 2015, https://obamawhitehouse.archives.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m. Accessed 14 Jan. 2021; Office of the Press Secretary, “FACTSHEET: Executive Order Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” White House, 1 Apr. 2015. https://obamawhitehouse.archives.gov/the-press-office/2015/04/01/fact-sheet-executive-order-blocking-property-certain-persons-engaging-si. Accessed 30 Nov. 2020.

  32. “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” EO 13757. 28 Dec. 2016, https://home.treasury.gov/system/files/126/cyber2_eo.pdf. Accessed 01 Dec. 2020.

  33. Countering America’s Adversaries Through Sanctions Act of 2017, Public Law 115-44, U.S. Statutes at Large (2017), https://www.treasury.gov/resource-center/sanctions/Programs/Documents/hr3364_pl115-44.pdf. Accessed 28 Dec. 2020.

  34. “Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election” EO 13848. 12 Sept. 2019, https://www.gpo.gov/fdsys/pkg/FR-2018-09-14/pdf/2018-20203.pdf. Accessed 23 Jan. 2021.

  35. “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities” EO 13757. 28 Dec. 2016, https://home.treasury.gov/system/files/126/cyber2_eo.pdf. Accessed 01 Dec. 2020.

  36. Thompson, Natalie, “Countering Malicious Cyber Activity: Targeted Financial Sanctions” Carnegie Endowment for International Peace, Oct. 2020, p. 3. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3770816. Accessed 23 Jan. 2021.

  37. Ibid.

  38. Ibid.

  39. US Department of Treasury. “Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group.” 2 Mar. 2020, https://home.treasury.gov/news/press-releases/sm924. Accessed 30 Nov. 2020; US Department of the Treasury, “Treasury Sanctions Nigerian Cyber Actors for Targeting U.S. Businesses and Individuals.” 16 June 2020, home.treasury.gov/news/press-releases/sm1034. Accessed 28 Dec. 2020.

  40. Logan, Trevor. “Washington Uses Sanctions and Indictments Inconsistently When Combating Malicious Cyber Activity.” Foundation for Defense of Democracies, 20 Apr. 2020, https://www.fdd.org/analysis/2020/04/15/washington-uses-sanctions-and-indictments-inconsistently-when-combating-malicious-cyber-activity/. Accessed 28 Dec. 2020; Goldsmith, Jack & Williams, Robert. “The Failure of the United States’ Chinese-Hacking Indictment Strategy.” Lawfare, 28 Dec. 2018, https://www.lawfareblog.com/failure-united-states-chinese-hacking-indictment-strategy. Accessed 28 Dec. 2020.

  41. See for example, US Department of Treasury. “Treasury Targets Financier’s Illicit Sanctions Evasion Activity.” 15 Jul. 2020, https://home.treasury.gov/news/press-releases/sm1058. Accessed 14 Jan. 2021.

  42. See, for example, US Department of Justice. “Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research.” 21 Jul. 2020, https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion. Accessed 14 Jan. 2021.

  43. US Department of Treasury. “Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group.” 2 Mar. 2020, https://home.treasury.gov/news/press-releases/sm924. Accessed 30 Nov. 2020.

  44. “FACT SHEET: President Xi Jinping’s State Visit to the United States”. White House. 25 Sept. 2015. https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states. Accessed 29 Dec. 2020; Goldsmith, Jack & Williams, Robert. “The Failure of the United States’ Chinese-Hacking Indictment Strategy.” Lawfare, 28 Dec. 2018, https://www.lawfareblog.com/failure-united-states-chinese-hacking-indictment-strategy. Accessed 28 Dec. 2020.

  45. Cyentia Institute, “Information Risk Insight Study 20/20, Extreme, Analyzing the 100 largest cyber loss events of the last five years.” 2020, p. 23. https://www.cyentia.com/wp-content/uploads/IRIS2020-Xtreme.pdf. Accessed 28 Dec. 2020.

  46. Public-Private Analytic Exchange Program, “Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar.” 2019, pp. 4–5. https://www.dhs.gov/sites/default/files/publications/ia/ia_geopolitical-impact-cyber-threats-nation-state-actors.pdf. Accessed 23 Jan. 2021; Healey, Jason. “Beyond Attribution: Seeking National Responsibility for Cyber Attacks.” The Atlantic Council, Jan. 2012. https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF. Accessed 23 Jan. 2021.

  47. Rosenberg, Elizabeth, Goldman, Zachary, Drezner, Daniel, & Solomon-Strauss, Julia. “The New Tools of Economic Warfare, Effects and Effectiveness of Contemporary U.S. Financial Sanctions.” Center for a New American Security, 15 Apr. 2016, pp. 28-32. https://s3.us-east-1.amazonaws.com/files.cnas.org/documents/CNASReport-EconomicWarfare-160408v02.pdf?mtime=20161010171125&focal=none. Accessed 30 Dec. 2020.

  48. Daniel L. Glaser, Assistant Secretary for Terrorist Financing, U.S. Department of the Treasury, Statement to the Subcommittee on Crime and Terrorism, Committee on the Judiciary, U.S. Senate, 21 Sept. 2011, https://www.gpo.gov/fdsys/pkg/CHRG-112shrg73840/html/CHRG-112shrg73840.htm. Accessed 30 Dec. 2020.

  49. Financial Action Task Force (FATF), “International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation: The FATF Recommendations.” Feb. 2012, https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/fatf%20recommendations%202012.pdf. Accessed 30 Dec. 2020.

  50. Thompson, Natalie, “Countering Malicious Cyber Activity: Targeted Financial Sanctions” Carnegie Endowment for International Peace, Oct. 2020, pp. 13-14. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3770816. Accessed 23 Jan. 2021.

  51. National Cyber Strategy of the United States of America, Sept. 2018, https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF. Accessed 30 Dec. 2020; see also US Cyberspace Solarium Commission. “United States of America Cyberspace Solarium Commission Report.” March 2020, p. 52. drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view. Accessed 30 Dec. 2020.

  52. Logan, Trevor. “Washington Uses Sanctions and Indictments Inconsistently When Combating Malicious Cyber Activity.” Foundation for Defense of Democracies, 20 Apr. 2020, https://www.fdd.org/analysis/2020/04/15/washington-uses-sanctions-and-indictments-inconsistently-when-combating-malicious-cyber-activity/. Accessed 28 Dec. 2020.

  53. House Appropriations Subcommittee Hearing with Treasury Secretary Steven Mnuchin, 4 Mar. 2021, https://appropriations.house.gov/events/hearings/department-of-the-treasury-budget-request-for-fy2021. Accessed 30 Dec. 2020.

  54. Thompson, Natalie, “Targeted Financial Sanctions and Countering Malicious Cyber Activity,” Carnegie Endowment for International Peace, forthcoming; “UK cyber sanctions.” gov.uk, 18 June 2020, https://www.gov.uk/government/collections/uk-cyber-sanctions. Accessed 30 Dec. 2020.

  55. Council Implementing Regulation (EU) 2020/1125 of July 30, 2020, O.J. (246) 4, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2020.246.01.0004.01.ENG&toc=OJ:L:2020:246:TOC. Accessed 30 Dec. 2020.

  56. Ransomware Annex to G7 Statement, 13 Oct. 2020, p. 3. https://home.treasury.gov/system/files/136/G7-Ransomware-Annex-10132020_Final.pdf. Accessed 30 Nov. 2020.

  57. Gilsinan, Kathy. “A Boom Time for U.S. Sanctions.” The Atlantic, 3 May 2019, https://www.theatlantic.com/politics/archive/2019/05/why-united-states-uses-sanctions-so-much/588625/. Accessed 30 Dec. 2020.

  58. US Government Accountability Office. “Economic Sanctions: Agencies Assess Impacts on Targets, and Studies Suggest Several Factors Contribute to Sanctions' Effectiveness.” 2 Oct. 2019, https://www.gao.gov/products/GAO-20-145. Accessed 19 Oct. 2020.

  59. US Government Accountability Office. “Economic Sanctions: Agencies Assess Impacts on Targets, and Studies Suggest Several Factors Contribute to Sanctions' Effectiveness.” 2 Oct. 2019, https://www.gao.gov/products/GAO-20-145. Accessed 30 Dec. 2020.

  60. US Government Accountability Office. “Economic Sanctions: Agencies Assess Impacts on Targets, and Studies Suggest Several Factors Contribute to Sanctions' Effectiveness.” 2 Oct. 2019, p.18. https://www.gao.gov/products/GAO-20-145. Accessed 30 Dec. 2020.

  61. US Cyberspace Solarium Commission. “United States of America Cyberspace Solarium Commission Report.” March 2020, p. 52. drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view. Accessed 30 Dec. 2020.

  62. Peksen, Dursun. “When do Economic Sanctions Work Best?” Center for a New American Security, 10 June 2019, https://www.cnas.org/publications/commentary/when-do-economic-sanctions-work-best. Accessed 30 Dec. 2020.

  63. Levy, Philip, “Sanctions on South Africa: What Did They Do?” Feb. 1999, http://www.econ.yale.edu/growth_pdf/cdp796.pdf; Jordan, Joseph. “Sanctions Were Crucial to the Defeat of Apartheid.” The New York Times, 19 Nov. 2013, https://www.nytimes.com/roomfordebate/2013/11/19/sanctions-successes-and-failures/sanctions-were-crucial-to-the-defeat-of-apartheid. Accessed 01 Dec. 2020.

  64. Nephew, Richard. “Libya: Sanctions Removal Done Right? A Review of The Libyan Sanctions Experience, 1980–2006.” Mar 2018, https://energypolicy.columbia.edu/sites/default/files/pictures/Libya%20Sanctions%20Removal_CGEP_Report_031918.pdf. Accessed 01 Dec. 2020.

  65. US Government Accountability Office. “Economic Sanctions: Agencies Assess Impacts on Targets, and Studies Suggest Several Factors Contribute to Sanctions' Effectiveness.” 2 Oct. 2019, https://www.gao.gov/products/GAO-20-145. Accessed 30 Dec. 2020.

  66. Ibid., p. 19.

  67. Mortlock, David and O’Toole, Brian. “US sanctions: using a coercive and economic tool effectively.” The Atlantic Council, 8 Nov. 2018, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/us-sanctions-using-a-coercive-and-economic-tool-effectively/. Accessed 30 Dec. 2020.

  68. Rosenberg, Elizabeth, et al. “The New Tools of Economic Warfare, Effects and Effectiveness of Contemporary U.S. Financial Sanctions.” Center for a New American Security, 15 Apr. 2016, p. 29. https://s3.us-east-1.amazonaws.com/files.cnas.org/documents/CNASReport-EconomicWarfare-160408v02.pdf?mtime=20161010171125&focal=none. Accessed 30 Dec. 2020.

  69. Zarate, Juan. Treasury’s War: The Unleashing of a New Era of Financial Warfare. (New York: Public Affairs, 2013); Glaser, Daniel, Assistant Secretary for Terrorist Financing, U.S. Department of the Treasury, Statement to the Subcommittee on Crime and Terrorism, Committee on the Judiciary, U.S. Senate, 21 Sept. 2011, https://www.govinfo.gov/content/pkg/CHRG-112shrg73840/html/CHRG-112shrg73840.htm. Accessed 30 Dec. 2020.

  70. US Department of the Treasury. “Remarks of Under Secretary for Terrorism and Financial Intelligence David S. Cohen at The Carnegie Endowment For International Peace, ‘Attacking ISIL’s Financial Foundation’.” 23 Oct. 2014, https://www.treasury.gov/press-center/press-releases/Pages/jl2672.aspx.

  71. US Department of the Treasury. “Written Testimony of Treasury Assistant Secretary Daniel L. Glaser before the House Financial Services Subcommittee on Oversight and Investigations.” 6 Sept. 2011, https://www.treasury.gov/press-center/press-releases/Pages/tg1287.aspx.

  72. “The Global Regime for Terrorism.” The Council on Foreign Relations, 31 Aug. 2011, https://www.cfr.org/report/global-regime-terrorism. Accessed 30 Dec. 2020.

  73. US Department of State. “Joint Statement Issued by Partners at the Counter-ISIL Coalition Ministerial Meeting.” 3 Dec. 2014, https://2009-2017.state.gov/r/pa/prs/ps/2014/12/234627.htm. Accessed 30 Dec. 2020.

  74. Zarate, Juan. Treasury’s War: The Unleashing of a New Era of Financial Warfare. (New York: Public Affairs, 2013).

  75. Rosenberg, Elizabeth and Tama, Jordan. “Strengthening the Economic Arsenal.” Center for a New American Security, 16 Dec. 2019, https://www.cnas.org/publications/reports/strengthening-the-economic-arsenal. Accessed 23 Jan. 2021.

  76. Haass, Richard. “Economic Sanctions: Too Much of a Bad Thing.” Brookings Institution, 1 June 1998, https://www.brookings.edu/research/economic-sanctions-too-much-of-a-bad-thing/. Accessed 30 Nov. 2020.

  77. Saperstein, Lanier and Sant, Geoffrey. “Account Closed: How Bank ‘De-Risking’ Hurts Legitimate Customers.” The Wall Street Journal, 12 Aug. 2015, https://www.wsj.com/articles/account-closed-how-bank-de-risking-hurts-legitimate-customers-1439419093. Accessed 14 Jan. 2021.

  78. McKendry, Ian. “Banks Face No-Win Scenario on AML ‘De-Risking’.” American Banker, 17 Nov. 2014, https://www.americanbanker.com/news/banks-face-no-win-scenario-on-aml-de-risking. Accessed 14 Jan. 2021.

  79. Myers, Adam et al. “Crypto-controls: Harnessing Cryptocurrency to Strengthen Sanctions.” 9 Dec. 2020. https://warontherocks.com/2020/12/crypto-controls-harnessing-cryptocurrency-to-strengthen-sanctions/. Accessed 23 Jan. 2021.

  80. McKendry, Ian. “Banks Face No-Win Scenario on AML ‘De-Risking’.” American Banker, 17 Nov. 2014, https://www.americanbanker.com/news/banks-face-no-win-scenario-on-aml-de-risking. Accessed 14 Jan. 2021.

  81. Lowery, Clay and Ramachandran, Vijaya. “Unintended Consequences of Anti-Money Laundering Policies for Poor Countries.” Center for Global Development, 2015, p. 47, http://www.cgdev.org/sites/default/files/CGD-WG-Report-Unintended-Consequences-AML-Policies-2015.pdf. Accessed 14 Jan. 2021.

  82. US Cyberspace Solarium Commission. “United States of America Cyberspace Solarium Commission Report.” March 2020, p. 24. drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view. Accessed 30 Dec. 2020.

  83. This could include providing important threat information to key cybersecurity companies such as those that are members of the Cyber Threat Alliance: https://www.cyberthreatalliance.org/.

  84. Peters, Allison and Garcia, Michael. “A Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?” Third Way, 12 Nov. 2020. https://www.thirdway.org/report/a-roadmap-to-strengthen-us-cyber-enforcement-where-do-we-go-from-here.

  85. This data is primarily drawn from “Countering Malicious Cyber Activity: Targeted Financial Sanctions” by Natalie Thompson. It has been reorganized and brought up to date as of January 1, 2021. See Thompson, Natalie. “Countering Malicious Cyber Activity: Targeted Financial Sanctions.” Carnegie Endowment for International Peace, Oct. 2020, pp. 11-13. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3770816. Accessed 23 Jan. 2021.