Criminal Justice & the Rule of Law Cybersecurity & Tech Foreign Relations & International Law

Financial Sanctions and Penalties for Cybercrime

Ron Cheng
Wednesday, June 28, 2017, 3:00 PM

As cybercrime spreads in its many mutations, governments and regulators across the globe continue to develop a variety of solutions. One regulatory method that has gained in popularity and sophistication in recent years is the financial response to cybercrime. The United States in particular has explored financial sanctions at the “front end,” to deprive cybercriminals of access to financial channels, and financial penalties at the “back end,” particularly asset forfeiture, to recover the proceeds of criminal activity.

Published by The Lawfare Institute
in Cooperation With
Brookings

As cybercrime spreads in its many mutations, governments and regulators across the globe continue to develop a variety of solutions. One regulatory method that has gained in popularity and sophistication in recent years is the financial response to cybercrime. The United States in particular has explored financial sanctions at the “front end,” to deprive cybercriminals of access to financial channels, and financial penalties at the “back end,” particularly asset forfeiture, to recover the proceeds of criminal activity.

Financial Sanctions

On the “front end,” the U.S. government has sought to apply to cybercrime the financial sanctions that it has employed in the areas of terrorism finance and anti-nuclear proliferation. On April 1, 2015, then-President Obama issued Executive Order 13694 to block property in (or coming into) the U.S. that belongs to anyone designated by the government as being responsible for “cyber-enabled activities.” These activities cover significant compromises of a critical infrastructure sector, disruptions of computers or computer networks, or misappropriation of funds, trade secrets, or other information for commercial advantage.

On December 28, 2016, President Obama amended the order with Executive Order 13757, which added another category of cyber-enabled activities for tampering with, altering, or misappropriating information to interfere with electoral processes. This amendment was added in light of allegations that Russia had interfered with the U.S. presidential election. Executive Order 13757 included an annex identifying Russia’s Main Intelligence Directorate, Federal Security Service, and other entities and individuals.

The next day, December 29, 2016, the Department of the Treasury designated two other Russian individuals for theft of financial information and personal identifying information. To date, these are the only entities and individuals so designated under the Specially Designated Nationals and Blocked Persons List (SDN) under the “CYBER” program of the Treasury Department’s Office of Foreign Asset Control.

These designations send a strong message that large-scale cybercrime must be defeated by the same tools brought to bear on the war on terror. This message was reiterated in the recent Senate bill amendment codifying these executive orders and imposing additional cybersecurity sanctions against Russia. The broad scope of all these sanctions—which could apply to overseas organizations subject to U.S. jurisdiction—could have a crippling effect on a target that depends on the world financial system.

Application to China?

Commentators have suggested that these sanctions could be applied to actors in China that perhaps might be associated with the government. For example, as described in a Congressional Research Service report, there have been suggestions that the breaches of Office of Personnel Management data could be attributable to China state actors.

A number of factors could explain why the list isn’t longer. The nature of cybercrime lends itself to anonymity and the proliferation of unending identities and vehicles for attack. Recent transnational malware and ransomware attacks suggest the ease with which cybercriminals are able to conceal their identity and co-opt third parties to transmit their attacks. Difficulties regarding attribution may also create some reluctance to oblige the numerous financial institutions and other actors subject to sanctions compliance to block an individual or entity that is difficult to identify.

Even if those actors can be identified, there may be foreign policy and political considerations before a state entity or state-affiliated organization can be placed on the SDN list. There may also be concerns that financial sanctions may have little effect on certain cybercriminals who commit their crimes without any sort of financial motive but for more murky “hacktivist” principles.

In the case of suspected cyber-enabled activities from China, however, it may be more likely that the U.S. government believes there is value in pursuing bilateral or multilateral official discussions, such as the U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues (or its future iteration as the bilateral Law Enforcement and Cybersecurity Dialogue), or individual criminal prosecutions, which perhaps are believed to send an adequate statement of U.S. dissatisfaction with state-sponsored activities.

Financial Penalties

These criminal prosecutions, along with individual asset forfeiture actions, provide another means of addressing cybercrime: the financial penalties designed to deprive wrongdoers of the financial benefits of their crime. In one recent case, the U.S. Department of Justice brought an in rem asset forfeiture action against bank accounts overseas that contained proceeds of a business email compromise scheme, in which the fraudsters impersonated a vendor to defraud a U.S. victim company. In another case, the U.S. sought to forfeit assets in foreign bank accounts that it claimed were the proceeds of a large-scale online website that unlawfully distributed copyrighted movie and television programming, music, and software (the individual claimants of the property are seeking Supreme Court review of this decision).

Unlike financial sanctions, this remedy requires proof that the assets represent the proceeds of unlawful activity or at least that these assets belong to the alleged cybercriminals. Moreover, if the assets are overseas, the country in which the assets are located must be willing to cooperate with the United States to seize or otherwise restrain those assets pending a U.S. court order. For countries such as China, even though there is a Mutual Legal Assistance Agreement that contemplates the freezing of assets, the use of that mechanism in this way remains for the most part untested.

***

Even with these limits, financial sanctions and penalties have proven to be powerful tools. The open nature of the U.S. economy and society provides the U.S. government with a unique lever to address cybercrime extraterritorially through international financial channels and its own international law enforcement-cooperative relationships.


Now a partner at O’Melveny and a leader in the White Collar and Data Privacy practices, Ron Cheng spent 20 years as a federal prosecutor, serving in a number of roles at the Department of Justice, most recently as a key member of the Cybercrime and Intellectual Property Crimes Section at the U.S. Attorney’s Office in Los Angeles, where he has focused on criminal activity arising out of the Asia-Pacific.

Subscribe to Lawfare