2.1. The legal qualification of cyber operations: From managerialism to consensualism

The first set of problems concerns the legal qualification of cyber operations under lex lata. Potentially, interstate cyber operations can breach a number of primary rules, including the obligation to respect the sovereignty of other states, the principle of non-interference in domestic affairs, international human rights law, the prohibition against using force and, when such operations are conducted during an armed conflict, also norms of international humanitarian law. A legal obligation of ‘cyber due diligence’ – requiring states to ensure that ‘their territory is not used as a base for state or non-state hostile cyber operations against another state that cause serious adverse consequences with regard to a right of the target state’Footnote ⁵² – is still in a nascent form and, despite the positions of some states,Footnote ⁵³ is widely considered lex ferenda.Footnote ⁵⁴ The lex lata scope of obligations is constrained to the general duty of a state ‘not to allow knowingly its territory to be used for acts contrary to the rights of other States’, as formulated by the International Court of Justice (ICJ) in the Corfu Channel caseFootnote ⁵⁵ and other positive obligations stemming from the no harm principle, international humanitarian law and international human rights law.Footnote ⁵⁶ In comparison with this ‘patchwork’ of existing duties,Footnote ⁵⁷ the application of the ‘cyber due diligence’ norm would have extended the scope of primary behaviour beyond the internationally wrongful acts to cover cyber operations with ‘serious adverse consequences’.

The stance that cyberspace is far from being a ‘wild west’ and is governed by non-cyber-specific norms of international law, and in particular the Charter of the United Nations,Footnote ⁵⁸ is well represented in legal scholarshipFootnote ⁵⁹ and – at least, as a matter of principle – affirmed by states.Footnote ⁶⁰ However, even this level of abstraction is not free from disagreement.Footnote ⁶¹ The Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security was unable to adopt final reports in 2016–2017 because of the position articulated by Cuba,Footnote ⁶² and backed by RussiaFootnote ⁶³ and China.Footnote ⁶⁴ According to this, the applicability of jus ad bellum and jus in bello (international humanitarian law) may lead to the establishment of the ‘equivalence between the malicious use of [information and communication technologies] and the concept of “armed attack”’Footnote ⁶⁵ under Article 51 of the UN Charter, and thereby militarise the use of and the response to information and communication technologies (ICTs). The same divergence was found in the positions of states expressed at the OEWG meetings in 2019 and 2020.Footnote ⁶⁶ While the majority of states confirmed the applicability of international law in its entirety to cyberspace,Footnote ⁶⁷ it was contested by a group of states that used arguments related to the importance of state consent for the extension of the scope of non-cyber-specific norms, indeterminate thresholds of ‘armed attack’ by cyber means, and the doubtful applicability of international humanitarian law to hybrid warfare and to civilian perpetrators of cyber attacks.Footnote ⁶⁸ Some states took an intermediate position by appealing to the need to adopt new legally binding instruments.Footnote ⁶⁹ In its report of 2021 the GGE finally acknowledged the applicability of international humanitarian law, but highlighted that these norms apply ‘only in situations of armed conflict’.Footnote ⁷⁰ This acknowledgement is ambivalent, as the question of whether a particular operation with the use of ICTs can be qualified as ‘an armed conflict’ remains outside the brackets; hence this issue will continue to raise controversies in the future.

Apart from the question of whether it is uncontested, the question of how international law applies to cyberspace needs clarification. This clarification takes place in the ex cathedra managerial (or interventionist) form of the logical adaptation and the detailing of general norms by experts and scholars,Footnote ⁷¹ or originates from state behaviour in shaping either the lawmaking path or that of the interpretation of law (as the subsequent application of the relevant rules). The challenges underpinning the managerial path are well reported and lie either in the thresholds or in the limited scope of the application of lex lata, which lead to their under-inclusivity or inadequacy in respect of allegedly interstate cyber operations,Footnote ⁷² or in the contested applicability of general, non-cyber-specific rules in a cyber context. Taking into account recently articulated positions of states expressed officially at OEWG sessions and elsewhere, these challenges can be outlined as follows.

The application of the well-established principle of international law to respect sovereigntyFootnote ⁷³ in cyberspace encounters not only the problem of the indeterminacy of its threshold and the scope of protected infrastructure,Footnote ⁷⁴ but also a split in the official positions of different states with regard to the legal nature of this principle as giving rise to a rule or merely being a fundamental principle. The US and the UK articulated their positions that sovereignty is merely a principle, not a rule.Footnote ⁷⁵ In contrast, France reserved a maximal wide approach, claiming that its sovereignty would be violated by any cyber attacks at ‘information systems located on its territory’ – including ‘equipment and infrastructure located on national territory; connected objects, logical components and content operated or processed via electronic communication networks which cover the national territory or from an IP address attributed to France’ and ‘domains belonging to national registers’.Footnote ⁷⁶ The Netherlands explicitly articulated its position supporting the ‘sovereignty as a rule’ approach, appealing to the two-element test in Tallinn 2.0 and the necessity for a minimal threshold.Footnote ⁷⁷ Finland expressed a comparable position at the first OEWG.Footnote ⁷⁸

In contrast to sovereignty, the application of the non-interference principle to cyber operations is not contested by states; instead, problems arise from its material scope. This principle can be regarded as captured by the dichotomy between types of intervention, which states do not want to allow in respect of themselves and which they would like to be free to conduct in respect of others. Thus, at the international level, although not contesting the normativity of the non-interference principle, states reserved a very high level of abstraction for it and by the use of the two-pronged test elaborated in the ICJ judgment in the Nicaragua case of 1986Footnote ⁷⁹ (which consisted of the element of coercion and an interference into domaine réservé) and apply a very broad grid to outlawed behaviour. Therefore, the non-interference principle, which was underinclusive in non-cyber operations, became extremely underinclusive in cyber operations.

There is a strong tendency in the legal literature to problematise the element of coercion as making the non-interference principle almost unworkable in the cyber context (for attacks having malicious or retaliatory aims cannot be qualified as coercive),Footnote ⁸⁰ but there are also reasons to claim that the first element (domaine réservé) also significantly restricts the applicability of this principle to cyber operations. According to the Nicaragua test, a prohibited intervention must be one bearing on ‘matters in which each State is permitted, by the principle of State sovereignty to decide freely’.Footnote ⁸¹ The notion of domaine réservé was and remains bound with realisation by the state of its powers and competences, but cannot be regarded as a ‘shelter, fully covering entire areas of politics’.Footnote ⁸² For instance, although the election process falls within domaine réservé, this does not mean that all activities related thereto are protected by the non-interference principle. Elections belong to domaine réservé, but this covers only governmental functions related to this process. If we take US election meddling of 2016 as an example, this operation was multilayer, and such actions as reported attempts to hack voting machines, although apparently no votes were affected,Footnote ⁸³ fall within domaine réservé. Other acts, arguably, do not. Among them are hacking by the so-called Cozy Bear and Fancy Bear hacking groups, the subsequent publication on WikiLeaks of the Democratic National Committee emails, hacking the account of John Podesta, chairman of Hillary Clinton's campaign, and a massive informational operation in social networks, based on the use of ‘bots’ and ‘trolls’. This example can serve as an illustration of the very modest role of the non-interference principle.

Application of jus ad bellum norms of international law is based on the two-threshold approach envisaged in the UN Charter in the duality of the ‘use of force’ and ‘armed attack’,Footnote ⁸⁴ which was further supported by the ‘scale and effects’ doctrine elaborated by the ICJ in the Nicaragua case.Footnote ⁸⁵ Although the military paradigm to treat interstate cyber operations received the bulk of attention,Footnote ⁸⁶ the application of these norms to cyberspace is not free from controversy. The reason for this is not only the ever-used indeterminacy argument in respect of the threshold of ‘use of force’ and ‘armed attack’.Footnote ⁸⁷ The commonly used logic of applying jus ad bellum to cyber operations is based on the acknowledgement that the prohibition of the use of force may be violated by any use of force, regardless of the type of weapon,Footnote ⁸⁸ and is underpinned by the permissibility of the consequential use of the analogy with kinetic attacks (causing death, injury or the destruction of physical objects). However, the problem arises from the fact that the chain of consequences launched by a cyber operation might be significantly longer in comparison with the conventional use of force. Not challenging the fact that some cyber operations can take a military form, the use of that analogy can be overstretched to produce results that contrast the well-known refusal of the drafters of the Charter to understand ‘economic coercion’ as falling within the scope of prohibited behaviour.Footnote ⁸⁹

The OEWG meeting held on 11 February 2020 reflected the affirmation of the applicability of the jus ad bellum norms of international law to cyber operations, underpinned by the consequential logic, as mainstream.Footnote ⁹⁰ Four states expressed their concerns and doubts. Brazil and India underscored the lack of clarity in respect of the threshold of ‘use of force’ and ‘armed attack’, whereas Pakistan in general noted its concerns on the applicability of Article 51 of the UN Charter to cyber acts; Russia took the most stringent position that this provision can be applied in the context of an armed attack only, and that a cyber attack without this context does not meet this criterion.Footnote ⁹¹ Should one not doubt the soundness of the consequentialist approach, the majority of publicly known cyber operationsFootnote ⁹² do not reach the threshold of ‘use of force’ because of their low intensity.Footnote ⁹³

This explains the desire of some states to extend the scope of the internationally prohibited ‘use of force’ by domestic efforts that count as an indication of state practice and opinio juris. France set forth that a ‘cyber operation without physical effects’ may also be qualified as the use of force and suggested using a not-exhaustive list of criteria – that is,Footnote ⁹⁴

The Dutch Minister of Foreign Affairs articulated that ‘it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force’.Footnote ⁹⁵ Finally, the UK Cyber Primer, although acknowledging the necessity for a cyber operation to cause ‘the same or similar effects as a kinetic attack’, in a footnote included a clarification permitting such a qualification for attacks, like ‘a sustained attack against the UK banking system, which could cause severe financial damage to the state, leading to a worsening economic security situation for the population’.Footnote ⁹⁶

Turning to the applicability of jus in bello norms to cyber operations, can we truly celebrate that the states answer this question in the affirmative? To begin with, in almost all cases when the application of international humanitarian law is confirmed, we do not know in which source. For instance, 79 states have supported the Paris Call for Trust and Security in Cyber Space, which states laconically that international humanitarian law ‘is applicable to the use of information and communication technologies by States’.Footnote ⁹⁷ A more or less detailed position has been represented by only a few states, which so far include Australia,Footnote ⁹⁸ Germany,Footnote ⁹⁹ the Netherlands,Footnote ¹⁰⁰ the UK,Footnote ¹⁰¹ the US,Footnote ¹⁰² France,Footnote ¹⁰³ Finland,Footnote ¹⁰⁴ and Israel.Footnote ¹⁰⁵

The argument of opponents is that the applicability of international humanitarian law will legitimise militarisation of cyberspace if taken per se, and seems to go against the whole history of the development of jus in bello norms. However, this rebuttal is convincing only if it implies a superficial meaning for the argument of militarisation. Another way is to read it as exposing that without a clear determination of borderlines between cyber operations as a ‘use of force’ or an ‘armed attack’ in jus ad bellum terms and an ‘attack’ or a ‘military operation’ in jus in bello terms, on the one hand, and cyber operations as (ordinary) malicious acts which may take place also during armed conflicts, on the other hand, the shift to international humanitarian law can lead to a misuse of a military legal paradigm of international law. So, at the end of the day it would be jus in bello instead of international human rights law, or national criminal law, which may be well based on numerous international treaties in this respect, as it is not something new when states are sheltering their activities and, on the basis of lex specialis, exclude the application of other regimes.

Finally, the affirmative approach – which is widely endorsed as progressive and pro-humanitarian – can serve to ignore the necessity to adopt cyber-specific norms of international law, although the international humanitarian law regime is full of loose ends and general notions that cannot be seen as self-executing in the cyber context. Hence, the application of international humanitarian law can overstretch such norms, for their material content and design are not tailored for cyberspace.

A collective affirmation of the applicability of international humanitarian law to cyber operations can also lead to disappointment as, besides applicability in abstracto, what deserve close scrutiny are the questions of whether international humanitarian law norms are relevant, adequate and sufficient to deal with military types of cyber operation. There can be identified, at least, three problematic issues. First, what can be highlighted is the scarcity of international humanitarian law provisions applicable to ‘military operations’, even in international armed conflicts. It forms a problem as the majority of cyber operations will not reach the threshold of the international humanitarian law notion of ‘an attack’, and will be qualified as ‘military operations’, if at all. Under Articles 51(1) and 57(1) of the First Additional Protocol the duties of the parties to international armed conflicts are too general and laconic in imposing the general protection of the civilian population and constant care. Let us use France as an example, once again. The French Ministry of Defence has articulated a broad approach to the ‘use of force’ and considered cyber operations without physical damage as falling within this notion, but in the end it had nothing more to do than to admit that ‘most operations, including offensive cyberwarfare operations carried out by France in an armed conflict situation, remain below the attack threshold’ and ‘they remain governed by general principles of IHL’.Footnote ¹⁰⁶

The second problem arises when states try to circumvent the limitations of the scope of ‘an attack’ under jus in bello by stretching this notion to embrace more types of cyber operation. For instance, in his remarks of 10 November 2016, US legal adviser Brian Egan opined that, although ‘not all cyber operations rise to the level of an “attack” as a legal matter under the law of armed conflict’, it is still possible to determine such cyber operation as an attack, ‘considering, among other things, whether a cyber activity results in kinetic or non-kinetic effects, and the nature and scope of those effects, as well as the nature of the connection, if any, between the cyber activity and the particular armed conflict in question’.Footnote ¹⁰⁷ The use of this method will result in an objective inapplicability of international humanitarian law provisions dedicated to ‘attacks’, simply because they are thought and designed to govern kinetic operations.

The third problem connected with the applicability of international humanitarian law to cyber operations originates from the fact that perpetrators of cyber attacks can be in different densities of alliance with the state or a non-governmental party to the armed conflict. Combined with the different nature of cyber operations, this fact can render the rules and concept of ‘direct participation of hostilities’ in its different incarnations reflected in legal scholarship and jurisprudenceFootnote ¹⁰⁸ underinclusive. This outcome results from either a very strict connection with the party to the conflict with regard to classification as a combatant or member of the armed forces, or groups in non-international armed conflicts, or from the requirement of the kinetic-like harm, direct causation, or in some cases a belligerent nexus.

The application of another set of norms – international human rights law – to alleged interstate cyber operations is also theoretically possible in respect of cyber operations, which, inter alia, can intrude into privacy, freedom of expression and association (following the concept of ‘human rights online’).Footnote ¹⁰⁹ However, this is dependent on the extent to which the norms of the human rights treatiesFootnote ¹¹⁰ can be applied extraterritorially.Footnote ¹¹¹ Since the UN Human Rights CommitteeFootnote ¹¹² and later the ICJFootnote ¹¹³ admitted a disjunctive approach to the reading of the ‘within its territory and subject to its jurisdiction’ clause of the International Covenant on Civil and Political RightsFootnote ¹¹⁴ and the European Court of Human Rights (ECtHR) has elaborated spatial (control over the territory or a limited spaceFootnote ¹¹⁵) and personal approaches (control and authority over the individualsFootnote ¹¹⁶) to the notion of ‘jurisdiction’,Footnote ¹¹⁷ contained in the Convention on the Protection of Human Rights and Fundamental Freedoms (ECHR), it is possible to extend the application of these treaties to extraterritorial modes of data interception.Footnote ¹¹⁸ At least three cases adjudicated by the ECtHR prove that this is not a purely hypothetical scenario: Weber and Saravia v Germany,Footnote ¹¹⁹ Liberty v United Kingdom,Footnote ¹²⁰ and Big Brother Watch and Others v United Kingdom.Footnote ¹²¹

Nonetheless, extending the scope of international human rights instruments to extraterritorial cyber operations does not predetermine the results of the application of material human rights norms. It is especially relevant in the case of individual (targeted) interception of data or in cases of mass surveillance. The judgments given by the ECtHR Chambers in 2018 in two cases – Centrum för Rättvisa v Sweden Footnote ¹²² and Big Brother Watch and Others v United Kingdom Footnote ¹²³ – acknowledged that mass surveillance per se does not violate the ECHR. As the Court put it, ‘the decision to operate a bulk interception regime in order to identify hitherto unknown threats to national security’ falls within the wide ‘margin of appreciation’ that states enjoy in choosing ‘how best to achieve the legitimate aim of protecting national security’.Footnote ¹²⁴ While not outlawing the mass surveillance in the Big Brother Watch case, the Chamber rendered a very detailed judgment, which, alongside paving the way for similar cases in the future, was designed to provide the governments of the Members of the Council of Europe with a ‘road map’ for the legal regulation of the mass interception of data.Footnote ¹²⁵ On 6 October 2020 the Grand Chamber of the Court of Justice of the European Union (CJEU) delivered two judgments on requests for preliminary rulings in Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others and La Quadrature du Net and Others v Premier Ministre and Others. The Court in these cases found that the general and indiscriminate retention and transmission of traffic data by providers of electronic communications services to a state authority violated EU law.Footnote ¹²⁶ However, according on the judgment of the ECtHR Grand Chamber, the enhanced level of international protection of privacy can remain applicable only for the 27 member states of the EU.

Against the backdrop of the problematic application of the lex lata non-cyber-specific provisions, the lawmaking path to concretise how international law applies to cyberspace does not currently play a significant role. First, the overwhelming majority of states at present prefer not to create any new legally binding instruments.Footnote ¹²⁷ Explicitly articulated grounds for this include references to the sufficiency of the current ‘strategic framework’ for regulating the cyber sphereFootnote ¹²⁸ or to the danger that the creation of new legally binding instruments will undermine or create uncertainty in respect of existing instruments,Footnote ¹²⁹ lack of state practiceFootnote ¹³⁰ or consensus among states,Footnote ¹³¹ or the lengthy character of international lawmaking, which contrasts with the speed of technological developments.Footnote ¹³² Only a minority of states preferred lawmaking,Footnote ¹³³ some of which did so with the reservation that they consider the development of new binding norms as a medium to long-term objective.Footnote ¹³⁴

Secondly, standard setting – which is a mainstream track at this stage should we consider the content of the standards endorsed by the UN General Assembly, both in its initial (11 non-binding norms of responsible state behaviour)Footnote ¹³⁵ and in its extended (13 norms)Footnote ¹³⁶ version – has not brought any ‘added value’ to the qualification of malicious cyber acts compared with existing rules.Footnote ¹³⁷ This standard-setting track may be important and justified as a political instrument to reaffirm the applicability of international law to cyber-specific interstate relations, but by its substance it is legally tautological in the sense that it does not change anything in the assessment of the legality of interstate cyber operations. Standards that may be relevant for setting the boundaries of outlawed cyber activities are constrained by the reference to lex lata international law and, as a general safeguard, these ‘norms do not seek to limit or prohibit action that is otherwise consistent with international law’.Footnote ¹³⁸

Thirdly, in interstate relations, states that suffer from cyber attacks tend not to use the language of international law even in situations which could have been qualified as a breach of its rules. States employ either political rhetoric – calling them a ‘cyberwar’,Footnote ¹³⁹ ‘cyberattacks with a significant effect which constitute an external threat to the [European] Union or its Member States’Footnote ¹⁴⁰ or by referring to international law in general terms. These terms are far from being a concrete legal qualification – for example, by designating such incidents as a ‘flagrant disregard of international law’Footnote ¹⁴¹ or ‘international norms’;Footnote ¹⁴² or pointing out that they undermine ‘established international norms of behavior’.Footnote ¹⁴³ Two cases can be regarded as exceptions to the rule: (i) Georgia alleged that the cyber attacks of 2019 infringed its sovereignty,Footnote ¹⁴⁴ and (ii) the US declared in April 2021 that cyber operations allegedly conducted by the Russian government were ‘efforts’ ‘to violate well-established principles of international law, including respect for the territorial integrity of states’.Footnote ¹⁴⁵

2.2. The attribution of cyber operations to states: A cautious mode

Although the applicability of the secondary rules of international law on the responsibility of states for cyber operations, in contrast to the primary rules, does not encounter any principal objections from states, the challenge lies in the necessity to attribute malicious cyber acts committed by individuals to a particular state under international rules of customary law, which also goes in conjunction with a duty to reach any of the standards of proof applicable in international law.Footnote ¹⁴⁶ Taking into account the specificity of cyber infrastructure,Footnote ¹⁴⁷ it might be of no surprise that states hastened to safeguard the notion that ‘[they] should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences’, at least as a non-binding ‘norm of responsible State behavior’.Footnote ¹⁴⁸

After publicly articulated, although later disavowed, allegations of Russian involvement in the Estonian cyber attacks of 2007,Footnote ¹⁴⁹ it was only in 2014 that states started to officially link malicious cyber acts with agencies or officials of particular states, and these allegations have recently become more frequent. These official statements or acts that imposed sanctions pointed to three states: North Korea,Footnote ¹⁵⁰ RussiaFootnote ¹⁵¹ and Iran.Footnote ¹⁵² Although the EU also imposed sanctions against Chinese nationals for Operation Cloud Hopper in 2020, it did not officially link them to the state.Footnote ¹⁵³

Until now no state has ever officially called another state responsible for an international cyber operation. The approach taken by states regarding the attribution of cyber operations is typically formulated very cautiously. Let us take an example of the condemnation of cyber attacks allegedly committed by Russia against Georgia. Both Georgia and the UK framed their statement as exposing the author of the attacks and as a condemnation of this behaviour without using the language of the law of international responsibility.Footnote ¹⁵⁴ Although the United States and Canada called on Russia to cease such behaviour, they did not qualify such behaviour legally as a breach of international law.Footnote ¹⁵⁵ The US pointed to the Russian Foreign Intelligence Service (SVR) in one of the recent cases of sanctions, calling it ‘the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures’.Footnote ¹⁵⁶ The EU, joining the condemnation campaign, expressed its concern and that of its Member States about the cyber attack, without saying a word about Russian involvement,Footnote ¹⁵⁷ or, without its own assessment, carefully expressed solidarity with the US on the impact of the ‘the SolarWinds cyber operation, which, the United States assesses, has been conducted by the Russian Federation’.Footnote ¹⁵⁸

The current trend of ‘cautious attribution’ is characterised by two main features. First, public exposure of the organiser of a malicious cyber act is not linked to a breach of a particular rule of international law. Secondly, these acts are not accompanied by the disclosure of evidence that meets at least one of the standards that may be applicable under international law. For instance, whereas the UK National Cyber Security Centre relied on the assessment ‘with high confidence’ that the GRU was ‘almost certainly responsible’, which is ‘95%+’ for a list of cyber operations,Footnote ¹⁵⁹ this evidence remained undisclosed.Footnote ¹⁶⁰ Thus, ‘cautious attribution’ reflected a ‘name and shame’ mode and did not represent attribution for the purposes of calling a particular state responsible.

To sum up, the legal considerations outlined in this part of the article expose the necessity for victim states to walk a line between the difficulties connected with the proof and legal qualification of cyber operations, on the one hand, and their desire to punish perpetrators and sponsors and deter further intrusions, on the other. While the instruments provided by international law either cannot be used at all or can hardly be used, unilateral sanctions taking the form of retorsion remain one of the accessible instruments for victim states. When imposing national or supranational sanctions, states are not bound by the standards of proof and the duty to reveal evidence set forth by international law.Footnote ¹⁶¹ The scope of cyber acts that trigger sanctions can be extended to operations which are not necessarily linked to particular foreign states and lie below the threshold of behaviour outlawed at the international level.Footnote ¹⁶² Finally, sanctions can be taken in respect of malicious cyber operations that did not necessarily affect the target state; this significantly extends opportunities for a reaction in comparison with the locus standi under the law of international responsibility, providing non-injured states with the right to react only in the case of a violation of obligations of an erga omnes or erga omnes partes character.Footnote ¹⁶³

4.1. Identifying the goals of the imposition of cyber-related sanctions

Before proceeding to the evaluation of the effectiveness of sanctions as a response to cyber operations, it is instructive to address the objectives of sanctions, of which there are three generally acknowledged goals: (i) coercion (modifying the target's behaviour); (ii) constraint (reducing the target's capacity to take discretionary action); and (iii) signalling and/or stigmatising (notifying the target and, in some cases, third parties of the sender's intended course of action if the target continues the objectionable behaviour).Footnote ¹⁹⁹ The assessment of their effectiveness consists of the analysis of how they achieve the goal(s) intended by the sender.

Both the policymaking on general (non-cyber) sanctions and the scientific discussion around such political responses are based largely on the assumption that the main purpose of sanctions is to change the target's behaviour.Footnote ²⁰⁰ While the US cyber-related sanctions instruments (namely, Executive Order 13694, Executive Order 14024, CAATSA) do not indicate any objectives in implementing sanctions, except for the necessity to respond to cyber incidents that threaten national security, political documents issued in relation to sanctions imposition in some cases shed light on the sender's intentions. Thus, the Fact Sheet published by the White House in connection with the adoption of Executive Order 14024 indicates the explicit intention of the Biden administration to ‘signal that the United States will impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilizing international actions’.Footnote ²⁰¹ The EU Council states in its Sanctions Guidelines a different aim: to coerce the target to change its objectionable course of action.Footnote ²⁰² According to the Council, the EU imposes restrictive measures ‘to bring about a change in policy or activity by the target country, part of the country, government, entities or individuals, in line with the objectives set out in the [Common Foreign and Security Policy] Council Decision’.Footnote ²⁰³ The particular legal instruments that implement sanctions are intended, in general, to incentivise the required change in the target's policy or activity and, at the same time, clearly indicate the specific objective of the imposed restrictive measures in line with the general goal of coercion.Footnote ²⁰⁴ Interestingly, the EU Regulation 2019/796 indicates the necessity ‘to deter and respond to cyber-attacks’ as the goals of establishing the framework for EU targeted cyber security-restrictive measures.Footnote ²⁰⁵ The goals of the EU cyber-related sanctions regime, at least as they are stated in the applicable policy tools, are not limited to coercion but include also constraining and deterrent effects. The UK Cyber Regulations 2020 do not specify the goal of sanctions imposition, while the relevant guidance rather cautiously formulates it as ‘prevention of relevant cyber activity’.Footnote ²⁰⁶

Although coercion could be among the major reasons for the imposition of sanctions, travel restrictions imposed on particular individuals or limitations on commercial relations with them have a limited coercive impact on the states that are accused of orchestrating cyber operations. It is doubtful that North Korean citizens or Russian intelligence officers have substantial assets in the US, the EU or the UK, or participate in commercial activities with the relevant counterparties.Footnote ²⁰⁷ It is questionable whether Russia, China, Iran or North Korea (even if we presume that these states actually stood behind the relevant cyber operations) would abstain from further acts of that nature because of targeted sanctions imposed on a number of individuals.

The objective of constraining the targets in their capacity to engage in further malicious cyber-enabled activities can be achieved if the sanctioned persons are deprived of assets required for their activities or continuing their malicious activities becomes too costly for them. Raising awareness of the target's cyber-enabled activities probably contributes to the constraining effect of sanctions. When imposing sanctions on the Iranian cyber threat group APT39 in September 2020, the US Department of the Treasury and FBI advisory released particular sets of malware employed by a front company, allegedly controlled by the Iranian Ministry of Intelligence and Security, to conduct cyber intrusions against foreign citizens, companies, institutions and governments globally.Footnote ²⁰⁸ By making the code public, the US authorities aimed to hinder ‘the ability [of the Iranian Ministry of Intelligence and Security] to continue their campaign, ending the victimization of thousands of individuals and organizations around the world’.Footnote ²⁰⁹ That said, none of the episodes of sanctions analysed contemplates the seizure of computers or server systems for obvious reasons: in the case of external cyber attacks, they can be located on the territory of a third party state or their location might not be established at all. Another aspect of constraining – the limitation of sources of financing by denying access to US capital markets and financial institutions – also has a limited impact. North Korean hacking groups or Russian security services are unlikely to use sources of funding from abroad (in particular, because of restrictions in national legislation). The denial of access to foreign capital, therefore, would not significantly raise the costs of the targets’ activities in cyberspace.

The sanctions associated with cyber operations send certain signals to the targeted actors and the states of their residency, as well as to third parties. The signals can differ: from ‘naming and shaming’ to the articulation of a principal position on the inviolability of international norms in cyberspace. The rhetoric around sanctions also enhances the significance of the signalling and stigmatising role of the sanctions. As an example, the imposition of sanctions on the Russian intelligence agencies GRU and FSB, and a number of their officers and affiliated companies, was accompanied by evaluative, often quite harsh, statements at various levels. Republican senators John McCain and Lindsey Graham in their joint statement said: ‘Ultimately, [the sanctions] are a small price for Russia to pay for its brazen attack on American democracy’,Footnote ²¹⁰ while President Obama pointed out that ‘[t]he United States and friends and allies around the world must work together to oppose Russia's efforts to undermine established international norms of behaviour, and interfere with democratic governance’.Footnote ²¹¹ Moreover, the stigmatising targeted sanctions may precede prosecution, including criminal, under the national law of the state with which the sanctioned individual is associated. Thus, in January 2022 the Russian agency FSB dismantled REvil,Footnote ²¹² a notorious hacking group believed to mastermind ransomware hacks against Colonial Pipeline and Kasey, which caused the imposition of US sanctions.Footnote ²¹³ The arrest of 14 members of the hacking group followed several requests by the US administration, and President Biden's appeal to President Putin to cooperate in fighting cyber attacks and ransomware when the two met in Geneva in June 2021.Footnote ²¹⁴

The coercive and constraining effects of cyber-related sanctions are limited, which in certain cases is acknowledged by the states that impose the sanctions. Following a massive cyber attack against multiple US federal agencies from March to December 2020,Footnote ²¹⁵ allegedly originating from Russia,Footnote ²¹⁶ US President-elect Biden's team called for a ‘strong response’ that should go ‘beyond sanctions’.Footnote ²¹⁷ The choice of the new administration, apart from financial sanctions, could include revenge cyber attacks on Russian institutions and potentially cut off Russia from the SWIFT system of international funds transfers and bank communication.Footnote ²¹⁸

The limited prospects to coerce and constrain the target by way of sanctions do not mean that the policy of sanctions in response to cyber attacks is itself a failure; nor does the primary signalling role make sanctions a symbolic gesture. It is essential, however, that the assessment of sanction effectiveness is conducted with a consideration of their objectives. Research carried out by the Targeted Sanctions Consortium (TSC), headed by Thomas Biersteker, in respect of general (rather than cyber-related) sanctions, indicates that ‘sanctions intended to constrain or to signal targets are nearly three times as effective (27 per cent) as sanctions intended to coerce a change in behaviour (10 per cent)’.Footnote ²¹⁹ In the absence of statistically significant data on cyber-related sanctions it does not seem possible to conduct a similar calculation in relation to them. Still, as the studies on general sanctions show, the significance of the objectives of sanctions should not be underestimated.

4.2. Mancur Olson's theory of groups

The theory of collective action and group behaviour developed by Mancur OlsonFootnote ²²⁰ is among the most promising for the assessment of the effectiveness of sanctions. The taxonomy of groups suggested by Olson (including small and large, or ‘latent’, groups, depending not only on the number of their participants but also the benefit that each member obtains from the collective good and the importance of their contribution to the group objective) can be used in the context of cyber sanctions. Among 20 cases of cyber-related sanctions, there is a special group of US sanctions imposed not on perpetrators, legal entities or institutions, but on an elite group. Following the adoption of CAATSA in August 2017, the US Congress instructed the Trump administration to prepare and deliver a list of Russia's ‘most significant senior foreign political figures and oligarchs … as determined by their closeness to the Russian regime and their net worth’ with an obligatory ‘assessment of the relationship between individuals’ and ‘President Vladimir Putin or other members of the Russian ruling elite’, and the measurement of their corruption.Footnote ²²¹ The list was intended to become the basis for a new package of sanctions against Russia for alleged election meddling and interference in Ukraine's internal affairs. As a result of the administration efforts, the notorious ‘Kremlin Report’ was released in January 2018. It included the names of the top officials of the Russian government and the presidential administration (almost all top officials except for the President himself) and 96 billionaires on the Forbes list. The imposition of sanctions against the entire political and economic elite of Russia was neither possible nor reasonable, and sanctioning under the ‘Kremlin Report’ remained an idle threat until April 2018 when sanctions were imposed against six Russian oligarchs ‘with ties to Putin as well as to the Russian government’Footnote ²²² for ‘profiting from’ malicious cyber activities allegedly conducted by the Russian authorities.Footnote ²²³ The sanctioning was accompanied by harsh rhetoric: ‘The Russian government operates for the disproportionate benefit of oligarchs and government elites’, said US Treasury Secretary, Steven Mnuchin, in March 2018; ‘Russian oligarchs and elites who profit from this corrupt system will no longer be insulated from the consequences of their government's destabilizing activities’.Footnote ²²⁴ It was openly admitted that the sanctions were aimed to reach President Putin's inner circle: ‘Today's sanctions send a clear message to Putin and his cronies that there will be a high price to pay for Russia's … attempts to undermine Western democracies, including our own’, McCain said.Footnote ²²⁵

The upper echelons of the targeted state's political elite could be viewed in line with the theory of Mancur Olson as a small group with a properly defined stimulus system punishing those who deviate from group profit-maximising behaviour.Footnote ²²⁶ Participants of a small group have common interests, economic and social incentives, and each is aware of this commonality of interests and of the degree of their contribution towards their achievement. When the number of participants is large, and the group obtains the features of a latent group, its typical participants recognise that they cannot make a noticeable contribution to any group effort or influence the outcome in any way.Footnote ²²⁷ Consequently, they have little incentive to contribute (which constitutes the ‘free rider’ problem). On the contrary, there is no free rider problem in small and well-organised groups in which the members, at less cost, can observe whether any individual contributes or deviates, and impose sanctions on the deviating party. It is empirically proven that in a variety of constituencies – either private or public, including national states – ‘action taking’ groups and subgroups tend to be much smaller than ‘non-action taking’ groups and subgroups.Footnote ²²⁸ These well-organised action-taking groups and subgroups have a significant advantage over the poorly organised, latent masses and have a better negotiating position.

Economic sanctions imposed on key businesspersons of Russia can be viewed in the light of Olson's theory as an attempt by the US administration to use financial leverage against Russian political and business elites to alter their incentives in the communication with the Russian government. The economic pressure on persons close to the Russian upper echelons is presumably based on the beliefs that (i) the sanctioned persons have ‘ties’ with the government and personally with the President; (ii) they represent an interest group consolidated with common economic incentives; and (iii) they influence the decision-making process in the target country.

Based on the assumption that the group can exert pressure either in favour of or against the continuation of the policy of malicious cyber activities, the sanctioning state might seek to make it more costly to support such a policy. The distinct way is to make the group face the decrease in income resulting from sanctions. There are publicly available calculations of the economic impact of sanctions on the business and wealth of targeted persons. The losses of Oleg Deripaska, a major shareholder of United Co RUSAL PLC (Rusal), one of the world's largest aluminium producers, are calculated by Forbes as $3.1 billion,Footnote ²²⁹ while Deripaska himself indicated losses of more than $7.5 billion, or approximately 81 per cent of his net wealth, in the lawsuit against the US Department of Treasury.Footnote ²³⁰

That said, the assessment of the effectiveness of sanctions should not be narrowed down to numbers. Kaempfer and Lowenberg use a threshold model of collective action to examine the ways in which external economic pressure influences the political potency of elites within the target country.Footnote ²³¹ One of the mechanisms described is an ‘increase in reputational benefits awarded to individuals who support certain domestic interest groups, by increasing the effectiveness of those groups in rewarding their supporters with selective incentives’ produced by foreign sanctions.Footnote ²³² The post factum analysis shows that neither the elite group has rallied around the flag, nor the malicious activity in cyberspace ascribed to Russia has somewhat decreased significantly as a result of sanctioning oligarchs. It questions the extent to which the circle of businesspersons on whom sanctions were imposed actually represents part of the ‘action-taking’ subgroup and influences the decision-making process, as well as the capacity of sanctions to encourage opposition to the cyber-related policy, either through a decrease in income or reputational costs. Examples of elite reactions to other sanction regimes – including the withdrawal of several of Russia's richest people from Russian citizenship after February 2022 under unprecedented sanctions pressure – suggest that economic sanctions per se have such a potential. However, the introduction of cyber-related sanctions in 2018 did not have such an effect, which leads to the assumption that the degree of establishment of the link between the weakening financial position of Russian oligarchs and the potential limits of alleged Russian malicious cyber activities is insufficient.

4.3. Francesco Giumelli's four-step analysis

The four-step process of evaluating the impact of sanctions designed by Francesco GiumelliFootnote ²³³ represents a comprehensive analytical framework suitable for the assessment of cyber-related sanctions.Footnote ²³⁴ Understanding the logic of sanctions is at the heart of Giumelli's approach. Considering the potential goals of sanction implementation (coercion, constraint and signalling, as discussed above), assessing their success is built on the determination of whether imposing sanctions adds value to the sender in these three dimensions.

The first step of the analysis is to identify the position of sanctions in the context of the sender's overall foreign policy.Footnote ²³⁵ As sanctions are implemented alongside other political tools, the objective of the first step is to determine their relative significance in the entire foreign policy of the sender. The study of episodes of cyber-related restrictive measures shows that sanctions are integrated into the overall political response. In the episode related to the meddling in the US 2016 presidential elections, the US, in conjunction with implementing sanctions, also designated 35 Russian intelligence operatives located in the Russian embassy in Washington and the consulate in San Francisco as personae non gratae and ordered them to leave the country within 72 hours; access to Russian compounds in New York and Maryland was denied as they were claimed to be used ‘for intelligence-related purposes’;Footnote ²³⁶ ten personnel were expelled from the Russian diplomatic mission in Washington following the adoption of Executive Order 14024 in April 2021.Footnote ²³⁷ Indictments of Korean hackers claimed to be involved in the attack against Sony Pictures not only indicated the willingness of US authorities to prosecute those individuals criminally, but also revealed that North Korean citizens and intelligence groups have become subjects of long-standing and timely FBI forensic analysis.Footnote ²³⁸ When sanctions are considered in the overall context of the sender's reaction to cyber-enabled actions, it creates obstacles to separating the effect caused by sanctions and to evaluating their contribution to the achievement of the sender's objectives.

The second step is to draw out the logic of sanctions.Footnote ²³⁹ Two indicators of ex ante analysis are taken into consideration: (i) the expected direct impact of the sanctions, and (ii) the feasibility of demands. If the sender's goal is to impose material costs on the target (for instance, to make any line of behaviour that differs from the line required by the sender too costly for the target), then coercive and constraining sanctions would be more efficient than those of a signalling nature. Otherwise, if the sender does not expect to have a material impact on the sender, signalling sanctions are the preferable choice. Travel bans – one of the two most common restrictive cyber-related measures in the US, the EU and the UK regimes – do not entail any significant material costs on the targets. Asset freezes might have material impact if the sanctioned persons actually possess assets or economic resources within the jurisdiction of the sender (which is presumably not the case with most cyber-related sanctions applied to date, except for the sanctions against Russian oligarchs). Constraining business operations between the sanctioned persons and US residents might entail either direct costs for the targets (for example, when they had effective commercial contracts at the time of sanction imposition) or indirect costs (the loss of expected profits), but again this is rarely relevant for the known episodes of sanctioning in response to cyber hacking. The second factor – the feasibility of demands – indicates the possibility of the target's compliance with the sender's demands. The feasibility of demands in Giumelli's concept appears to be a distinctive feature of coercive sanctions as opposed to constraining sanctions: imposing coercive measures means that the target has freedom to decide whether to comply with the sender's demands, and ‘this voluntary decision that does not affect their [targets’] political existence’.Footnote ²⁴⁰ When sanctions are imposed in the logic of constraining, the targets generally do not have this freedom of choice: they have to change their behaviour as prescribed by the sender. In the case of cyber-related sanctions, the feasibility of demands seems to be a secondary factor of the ex ante analysis as cyber-related sanctions tend to be mostly of a signalling and stigmatising nature rather than coercive or constraining.

The third step of the analysis is an ex post estimation of the sanctions’ impact and effects,Footnote ²⁴¹ the assessment of their factual consequences – intended or not. This evaluation often includes a cost-benefit analysis, but should not be limited to this. Although sanctions can have a calculable material impact, the assessment of their effectiveness should also include an analysis of effects other than economic costs, the first of which are the political consequences of sanctions. Thus, President Trump, who openly opposed the adoption of CAATSA, argued that the US Congress was making a mistake in introducing new sanctions against Russia. ‘Our relationship with Russia is at an all-time & very dangerous low’, he wrote on Twitter.Footnote ²⁴² The authoritative Carnegie Endowment for International Peace estimates US-Russian relations to be ‘at the lowest point since the Cold War’ with no ‘signs that the relationship will improve in the near future’.Footnote ²⁴³ The US sanctions policy, in particular the episode related to Russia's alleged meddling in the 2016 presidential elections, has undoubtedly contributed to the growing tension in relations between the two states.

Finally, the fourth step is to consider possible alternative tools to sanctions, taking into account the specifics of the situation in which they have been applied.Footnote ²⁴⁴ This analysis estimates whether sanctions were the sender's best choice in the particular circumstances. It seeks to understand whether ‘sanctions bring about effects that could not have been caused by other foreign policy tools and at a minor cost’.Footnote ²⁴⁵ The imposition of cyber-related sanctions can be associated with certain costs for the sender (both in a strictly economic sense, meaning losses incurred by the sender, and in a political sense, that is the weakening of power positions and/or an increase in political risks). Still, sanctions remain a readily accessible instrument. However, the widespread practice of imposing sanctions can limit the further use of this measure: according to US National Security Advisor Robert O'Brien, the US has imposed so many sanctions against Russia and Iran that it has little opportunity left to impose new sanctions, and must look at other possible deterrents.Footnote ²⁴⁶

The analytical framework developed by Giumelli represents a nuanced approach to the assessment of sanction effectiveness in comparison with the mainstream assessment. Although changing the target's behaviour can be among the sender's objectives, it is not the only one. An estimation of the impact of sanctions through the lens of their goal(s) might provide a clearer understanding of the position of sanctions amid other foreign policy tools and their relative, as opposed to absolute, impact.