The anonymous nature of the Internet can complicate the application of cyber penalties. Authorities will attempt to identify the person or people responsible for a cyber attack by examining technical evidence, including code, IP addresses and data while remaining within acceptable boundaries (of privacy and anonymity) and considering the possibility of identity falsification. If a crime is attributed to an individual, the appropriate national authority will designate penalties, including fines, jail terms and sanctions.

During the pandemic and widespread global lockdown, there has been a marked surge in illegal activities and cyber-attacks aimed directly at governments and national infrastructure, particularly strained healthcare organizations, including a large attack on Pfizer in 2021.

However, cybercrimes aren’t just carried out by individual criminals. In 2020, more than £280 million in cryptocurrency was stolen from a Singaporean crypto exchange, supposedly by the North Korean government. Later that same year, the so-called Solar Winds hack (perpetuated by the Russian government) stole valuable data from over 18,000 US government and private computers. 

When cybercrimes are perpetrated by state actors, conventional economic sanctions (e.g. asset freezes, trade embargoes) may not be an appropriate response, which is why cyber sanctions are implemented. 

Countries that adopt a cyber sanctioning scheme must make every effort to ensure that the penalties imposed will have the desired effect. Regulations tend to differ between jurisdictions, which will be explained later in this article. 

Cyber Sanctions and Penalties Explained

Cyber sanctions are designed to prevent or punish cyber-attacks from malicious state actors. State-level cyber attacks could involve phishing or hack attacks for financial gain or espionage, or even the deliberate distribution of misinformation through social media networks. (There are already concerns that Russia may use cyber attacks or clever cryptocurrency schemes to avoid the hefty sanctions imposed against them following their attack on Ukraine, as covered in this blog post). 

Here are just some of the relevant cyber crime laws implemented across the globe: 

Cyber sanctions in the European Union

The EU first established a cybercrime system in 2019, issuing its first designations in 2020. The first cyber penalties issued targeted Russian, North Korean, and Chinese actors that were involved in several cyber assaults in 2017. Since then, the EU has applied cyber penalties against individuals who attempt or participate in cyber attacks, offer financial or technical assistance to cyber attackers, or who associate with those engaged in cyber attacks. 

Cyber sanctions in the US 

The US preceded the EU by creating its cybercrime system in 2015 and issuing designations in 2016. These designations were issued against parties who attempted to influence the 2016 US election. In the US, OFAC (The Office of Foreign Assets Control) has added targets of US cyber sanctions to their Specially Designated Nationals and Blocked Person List (SDN) list. More than 100 cyber sanctions targets have been identified by OFAC for crimes, including election meddling, hacking, malware attacks and phishing schemes. 

The United States has said they will impose strict cyber penalties against persons who conduct cyber attacks from outside the US that represent a danger to public safety, financial stability or foreign policy; individuals who attempt to exploit trade secrets for commercial or financial gain and individuals who support cyber attacks (financially, materially or technically). 

Cyber sanctions in the UK

After exiting the European Union, the United Kingdom revised its cyber sanctions system, imposing an even stricter regime known as the Cyber Sanctions Regulations of 2020. While it closely resembles the regime of the EU (in terms of its functions and overall goals), they have added or modified its penalties and the licensing procedure, as well as the mechanisms through which individuals who have been designated may dispute their status.

Remaining Complaint With Cyber Sanctions

Businesses that fail to comply with cyber sanctions, even inadvertently, may face hefty fines and jail terms according to the severity of their offense. Financial institutions and other obliged organizations must stay informed of the appropriate sanctions lists that apply within their jurisdiction in order to comply with cyber sanctions, including checking new customers against sanctions lists and performing ongoing monitoring during the entire relationship as sanctions may change at any time.

The basis of every effective cyber sanctions screening process is a robust and precise Know Your Customer (KYC) and Sanctions Compliance process whereby customers’ identities are verified and also screened against relevant Sanctions lists, including checking IP addresses and reviewing digital identities.

If you would like to know more about setting up a reliable Sanctions Screening process, get in touch with us for a free demo.