Unilateral Cyber Sanctions: Between Questioned Legality and Normative Value.

• Author: Bogdanova, Iryna

TABLE OF CONTENTS 1. INTRODUCTION 912 II. UNILATERAL CYBER SANCTIONS AS AN EMERGING TREND IN ATTEMPTS TO GOVERN CYBERSPACE 914 A. Defining Unilateral Cyber Sanctions 914 B. Motivations behind the Adoption of Unilateral Cyber Sanctions 916 1. Unsuccessful International Efforts to Regulate Cyberspace 916 2. Unilateralism as an Alternative Approach for Cyberspace Regulation 922 C. Current State Practices 924 1. The United States 924 2. The European Union 929 III. UNILATERAL CYBER SANCTIONS AND INTERNATIONAL LAW A. Potential Breaches of International Law 934 1. Customary International Law of State Immunity 934 2. Human Rights Law 937 3. Bilateral International Agreements 939 B. Legal Defenses 941 1. Acts of Retorsion or Countermeasures? 941 2. Can Unilateral Cyber Sanctions Be Justified as Countermeasures? 942 IV. UNILATERAL CYBER SANCTIONS AND INTERNATIONAL ECONOMIC LAW 946 A. Consistency with WTO Law 946 B. Consistency with International Investment Law 951 V. CONCLUSION AND REFLECTIONS 953 I. INTRODUCTION

Unilateral cyber sanctions (or, interchangeably, cyber sanctions) are restrictive economic measures imposed against individuals, legal entities, and government bodies that conduct or facilitate cyberattacks, and are gaining momentum. Cyber sanctions to deter and punish cyberattacks have been already introduced by the United States, the European Union, and the United Kingdom. (1) Cyber sanctions tend to be a double-edged sword. On one hand, they outlaw certain behaviors in cyberspace. On the other hand, they may also be used as instruments of unfair competition and trade protectionism. The latter concern is especially valid given the recent trend to label technological supremacy as a matter of national security. (2)

Notwithstanding their obvious importance, cyber sanctions and their interrelations with international law have thus far remained largely unexplored in academic research. (3) The current state practice of imposing unilateral cyber sanctions merits further academic discussion for three reasons. First and foremost, the emergence of unilateral cyber sanctions reflects a much deeper problem in international law: the apparent inability to negotiate international rules to regulate conduct in cyberspace, either at the United Nations (UN) level or in multilateral and bilateral trade agreements. As long as no substantial progress is made in any of these forums, cyber sanctions will continue to proliferate. Second, the need for cyber sanctions could drastically increase as the ever-growing digitalization of all aspects of life paves the way for more cyberattacks--in addition to the already existing assaults directed at critical infrastructures, election processes, and personal information of millions of individuals. Third, existing cyber sanctions frameworks have been formulated in such a way as to be prone to misuse. In particular, they apply to a broad range of measures that cover not only conventional cyber threats but also cyber thefts and economic espionage. Furthermore, cyber sanctions target individuals, legal entities, government bodies, as well as anyone who provides support or assistance to alleged perpetrators of cyberattacks. Hence, cyber sanctions bear a significant potential to disrupt economic relations and undermine global value chains. Furthermore, in a world heading towards a new geo-economic order, such sanctions might also be abused as instruments of realpolitik.

Against this backdrop, the objective of this Article is to fill in the existing gap in the scholarly analysis of cyber sanctions. In particular, it will summarize the existing state practices as well as analyze the cyber sanctions' legality under international law inter alia the World Trade Organization (WTO) law and investment regulations. Furthermore, the normative value of cyber sanctions will be explored.

This Article proceeds in three Parts. In the first Part, cyber sanctions are defined, reasons for their increasing use are provided, and relevant state practices are documented. The second Part addresses the legality of cyber sanctions under international law. The final Part focuses on the relations between cyber sanctions and international economic law, in particular the WTO and investment law. The Article concludes with a discussion of the potentially positive contribution of cyber sanctions in signaling the emerging norms regulating cyberspace, as well as the threats associated with the sanctions' excessive use.

2. UNILATERAL CYBER SANCTIONS AS AN EMERGING TREND IN ATTEMPTS TO GOVERN CYBERSPACE

   1. Defining Unilateral Cyber Sanctions

      Unilateral cyber sanctions are restrictive economic measures of a temporary nature, used to punish individuals, entities, and/or government bodies engaged in malicious cyber-enabled activities or cyberattacks. They, as a rule, include asset freezes, restrictions on economic relations with sanctioned persons and/or entities, and travel bans. Contrary to UN-authorized sanctions, unilateral sanctions are enacted based on the domestic laws of individual states, without any prior authorization from any regional or international organization. While domestic regulations setting unilateral cyber sanctions establish criteria for determining their scope of application, the very concepts of "malicious cyber-enabled activities" and "cyberattacks" remain fuzzy. (4) In fact, those regulations focus on qualifying certain conduct rather than specifically naming the techniques or technologies used, (5) which often include Distributed Denial of Service Attacks (DDoS), (6) phishing, (7) malware distribution, (8) critical infrastructure vulnerability scanning, among others. This ambiguity in the formulation of cyber sanctions regulations is intentional and provides flexibility in light of the fast-paced evolution of cyber threats.

      Unilateral cyber sanctions are imposed not only to deter attacks that are penalized by the existing international treaties and domestic cybercrime laws (e.g., illegal access to computer systems and data interception) but also to discourage attacks that put the stability of a state at risk. The latter category includes attacks detrimental to critical infrastructures and election processes, as well as theft of private firms' intellectual property (e.g., trade secrets).

      Malicious cyber-enabled activities and cyberattacks have been on the rise for many years. Yet, their dangerous nature has taken new dimensions given attacks on critical infrastructures and health systems during the COVID-19 pandemic. (9) In the present context, the danger stems from the potential infiltration of servers (10) along with the potential spread of misinformation. (11) In fact, the latter has been one of the key concerns in democratic societies.

   2. Motivations behind the Adoption of Unilateral Cyber Sanctions

      1. Unsuccessful International Efforts to Regulate Cyberspace

      Despite the fact that the scale and effects of malicious cyber-enabled activities and cyberattacks are transborder in nature, often "affecting users of cyber systems throughout the world," (12) international norms regulating responsible state and non-state behaviors in cyberspace are nonexistent. In fact, the very concepts of "cybercrime," "cyberattack," and "cyber war" suffer from a lack of internationally accepted distinctions, thus making "concerted international action more difficult to achieve." (13)

      This situation should not lead us astray. The deliberations on the rules of conduct in cyberspace are not new both in the policy and scholarly debates. The rapid development of the information and communication technologies and their interaction with international security engendered global discussions as early as 1999. (14) Since then, the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE), has been the main forum for the discussion of global cyber norms.

      In certain areas the GGE's work has been fructiferous, while in others rather limited. For instance, in its reports issued in 2013 (15) and 2015, (16) the GGE confirmed the applicability of international law, including the Charter of the United Nations (UN Charter), to cyberspace. (17) However, in 2017, the GGE members could not find a common stance on the application of particular norms of international law in cyberspace (i.e., countermeasures, state responsibility, and international humanitarian law), and therefore were unable to reach an agreement towards a final report. (18) Interestingly, the GGE has never suggested the involvement of the United Nations Security Council (UN Security Council) in cyber affairs. So far, none of the states participating in the GGE have brought to the attention of the UN Security Council "the acuteness of the politico-military threat, let alone a threat to international peace and security, breach of the peace or act of aggression that the UN Charter points to," (19) that certain uses of information and communication technologies might entail. Despite these unsettled aspects, the GGE was tasked to study how to advance responsible state behavior in cyberspace in the context of international security. (20) A report is expected to be delivered in 2021. (21)

      Parallel to the above, a separate UN resolution sponsored by the Russian Federation established an Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (OEWG). (22) This clearly showcases the frictions among the UN members regarding the setting of international norms for cyberspace. (23) The main difference between the GGE and the OEWG is the nature of stakeholders involved: the latter includes not only governments but also non-government actors. (24) More recently, and upon the completion of the OEWG mandate, a new OEWG on security and the use of information and communications technologies was established for the period 2021-2025...