Why It Could Be Challenging to Sanction Chinese Companies for Cybercrimes

It looks increasingly likely that the White House will move to impose economic sanctions against Chinese companies and individuals who have perpetrated or benefited from cybertheft (meaning theft of information through cyber-enabled means) of U.S. trade secrets within the next several days. The sanctioning of these entities would be the first to come as a result of President Obama’s new cyber sanctions Executive Order, which he signed in April. If released this week, the sanctions will come shortly before Chinese President Xi Jinping’s visit to the United States and may make for an awkward diplomatic moment. However, they would also send a strong signal that the U.S. government means business when it comes to cybercrime and is a true ally to U.S. business interests who have, for years, protested the cyber intrusions that result in huge theft of their intellectual property to the benefit of the Chinese economy.

The Executive Order gave the Treasury Department fairly broad authority to use economic sanctions against cyber hackers (and those who benefit from their misdeeds) if they have harmed national security, or economic or foreign policy. Conventional wisdom is that the purpose of these new sanctions will be to address cybertheft coming from China, but the Executive Order itself focuses not on countries or regions, but on a broader range of activity, including harm to critical infrastructure; disruptions to the availability of computer networks; and theft of personal information or funds wherever it is significant. The U.S. government typically imposes sanctions on entities ( individuals, companies, or governments) for national security or human rights reasons, and the cyber Executive Order marks an extremely rare occurrence of the U.S. using its sanctions power to address the “economic health or financial stability of the United States.”

There are significant questions around this first set of cyber sanctions designations, including how broadly the U.S. government will go in designating entities under the Executive Order. The Executive Order not only freezes the U.S. assets of the designated entity, but also effectively prevents U.S. companies from engaging in any business relationship or transaction with that entity. Sanctions policy is most effective when used to target entities that have the most to lose from restrictions on their access to trading partners and major financial institutions. While U.S. individuals and companies are clearly forbidden from entering into a commercial transaction with sanctioned entities, U.S. sanctions policy also reverberates internationally, since non-U.S. multinational companies often feel pressure to comply with U.S. government policy.

The list of entities to be announced in the coming days will give the first indication of the potential breadth of the Executive Order. It seems likely that the sanctioned entities will include those individuals who have already been indicted for cyber-related crimes. It also seems probable that the list will include individuals whom the U.S. government can demonstrate are behind certain crimes or attacks. What is less clear is whether the list will include those large, multinational Chinese companies that have benefitted from stolen trade secrets. Sanctioning these companies could prove very effective, since they would no longer be able to get access to U.S. financial institutions and markets as a result of these sanctions. But it could prove as problematic as it could powerful: Sanctioning Chinese companies could also raise tricky deniability questions rarely relevant in other sanctions contexts.

Sanctions policy works by identifying those entities engaged in bad acts and freezing those entities out of commercial transactions with other companies or financial institutions. However, “naming” or attributing a bad act to a particular individual or entity is notoriously difficult in the cyber context since on the Internet identities are much more easily disguised or denied. Taking this a step further, if the Treasury Department designates not just the individual hackers responsible for cybertheft, but also the Chinese company that makes use and benefits from the stolen trade secrets, then they will have designated themselves an additional attribution challenge. Even if it is clear who is at fault, companies that have benefited from the cybertheft can deny any involvement in the wrongdoing.

The high-profile hack on Sony is a good example of the challenges of attribution and the denial of guilt. The U.S. government linked North Korea to the Sony hack, but did so without a detailed public explanation of the evidence supporting this attribution. One can imagine good reasons for this, among them classified intelligence sources and a desire to keep secret the techniques used to locate the hackers. Further, North Korea was already a likely culprit given the drama around the film The Interview and its depiction of Kim Jong-un. Nonetheless, lots and lots of people came out with various theories on how North Korea wasn’t behind the attack and criticized the U.S. government for not showing evidence of who was behind it.

Since the U.S. has no diplomatic relations with North Korea, the naming and shaming of North Korea in the Sony case didn’t do further damage to the relationship between our countries. But China is different from North Korea, and our economic relationship with China may mean, at the very least, that the Chinese reaction to these sanctions will be to deny they were behind the cybertheft and ask for some kind of explanation as to why certain entities were added to the list of designated entities. While it is not customary for the Treasury Department to offer up a detailed public explanation for why certain entities are sanctioned, there may be new pressure to do so given the challenges of cyber attribution, the public interest in cyber attacks, and our economic and diplomatic ties to China.

Deniability is not the only issue raised. U.S. companies are familiar with and accustomed to complying with U.S. sanctions policy. They are restricted from doing business in sanctioned countries and have developed careful compliance programs to know who their customers are and stop transactions with sanctioned individuals or other entities. These companies’ compliance programs are designed to monitor updates to Treasury’s list of designations as entities are added or removed. However, given the interconnectedness of the U.S. and Chinese economies, complying with sanctions against a broad set of large, multi-national Chinese companies could impose thornier compliance issues for even the most sophisticated U.S. companies. Chinese companies have become an increasingly important part of U.S. companies’ supply chains, and the possibility of a broad swath of companies being sanctioned could mean a difficult and challenging process of untangling U.S. business from Chinese companies.

It is, of course, hard to argue that Chinese companies that profit from the cybertheft of U.S. company trade secrets shouldn’t be punished, and sanctions seem like an awfully powerful and effective means by which to do that, especially in conjunction with the numerous other tools the administration is looking to use to combat cybercrime. Sanctions have proven themselves to be a potent tool for foreign policy and to combat human rights abuses, and this first round of designations under the cyber Executive Order will be significant not just for the diplomatic relationship between China and the United States, but also for how the U.S. government extends its use of sanctions to influence economic and cybersecurity policy. The question, in other words, isn’t whether the U.S. should or will use sanctions, but how it will and what will happen once it does.