Last week, news reports said the United States government was considering enacting sanctions against individuals and organizations in China and Russia for their involvement in hacking incidents targeting US companies. While hacks against government bodies like the Office of Personnel Management (OPM) have received the most attention, these sanctions are not aimed at these sorts of attacks.
These actions may sound like a giant step into the unknown, as hacking has not been targeted in this way by the US government. However, in many ways they are not. The US government has used similar sanctions in the past against various criminal groups. For example, a 2011 executive order targeted several transnational organized crime groups. Many other criminal groups are subject to sanctions imposed by other parts of the US government, such as the Treasury Department. These sanctions are generally financial in nature: assets owned in the United States may be seized, and they may also be blocked from using American financial institutions.
Sanctions against private individuals are tools the United States government commonly uses to block the activities of individuals that commit crimes affecting people or organizations within the US. So, are these sanctions a good or bad idea? Will they act as a deterrent against would-be criminal groups engaging in online crime against American companies?
Sanctions against these individuals and groups is, broadly speaking, a good idea. Even if they may be beyond the reach of American law enforcement, it is still a useful instrument of soft power. In particular, the criminal forfeiture of assets – inclusive of digital currencies like Bitcoin – would be a powerful step against cybercriminal groups. Again, this would be perfectly in line with previous efforts in the US targeting organized crime groups and drug traffickers.
Our researchers have worked extensively with law enforcement many times in the past, and will continue to do so for years to come. However, there will always be more cybercriminals out there than there are trained law enforcement officers and security researchers trying to stop them. What is needed is to take down the infrastructure and support mechanisms that make these cybercriminal activities easy to carry out and profit from.
The majority of the bulletproof hosts and anonymous payment systems that support the shadow economy of the cybercrime underground are located in Eastern Europe and Asia. If action is not taken to stop these, the multiple attacks and breaches that have hit various companies will become even more commonplace. The Internet will become a very dangerous place. Given how important it is to modern life, this is not acceptable.
This will not be an easy task. However, doing so would be an indication that the United States is taking the safety of companies within its borders seriously and is willing to use the full force of the law to do so.