Member states are required to prevent sanctions violations regardless of the medium that they take. However the lack of clarity from the international community on how to prevent digital circumvention of sanctions is leaving a widening gap for perpetrators to conduct their illicit activities.
when Iranian hackers hacked a US defense company to steal ballistic missile software, is the hacked company responsible for enabling a violation of an UN arms embargo?
When digital currency exchanges are hacked by North Korean cyber warriors, are they responsible for violating a UN asset freeze because of their failure to implement responsible cybersecurity measures?
When Facebook and Twitter promote terrorism propaganda with their algorithms, are they responsible for enabling violators of arms embargoes prohibiting recruitment?
What about the North Korean conducted attacks on online gambling sites to steal cheat codes so that they could make off with millions of dollars, considering that online gambling is a highly unregulated industry because of the confusion over jurisdiction?
Are the online game companies and any third party payment providers participating in a violation of an asset freeze?
Is the jurisdiction for these attacks the location of the hackers, the servers of the gambling company, or the location of the owners or the workers of the gambling company ?
Designing a regulatory framework for cyber related sanctions violations is inherently an international issue. One approach is mapping existing sanctions regimes to digital attack methods using the preceding logic. We have been employing this methodology in our case studies and development of regulatory protocols. More effort is needed to apply this framework to UN processes to improve member-state and private sector prevention of sanctions violations.
International Regulatory Frameworks
FATF has released some guidance regarding how to apply asset freeze sanction rules to digital currencies. They recommend that digital currency providers and users follow standard KYC/AML protocols for preventing transactions with UN sanctioned entities. The recently implemented Travel Rule requires institutions and third party providers to implement identity checks for both senders and receivers of transactions. However there are still many unregulated, peer2peer methods for exchanging virtual currencies that make the rule fall short of a comprehensive framework.
According to General Assembly resolution 65/230 and Commission on Crime Prevention and Criminal Justice resolutions 22/7 and 22/8, the Global Programme on Cybercrime is mandated to assist Member States in their struggle against cyber-related crimes through capacity building and technical assistance. This Global Programmer could expand its efforts by helping to clarify what is required to prevent sanctionable actions using digital means for member states and private sectors.
Other Regulatory Responses
One example of a cyber sanctions framework is the EU, who has enacted some of the strictest measures to prevent sanctionable acts online, although it is not enough to address all categories of sanctions violations. They are monitoring social media companies for distributing some sanctionable content and issueing large fines for violations that are not removed within 24 hours. However these companies are only following these policies in EU jurisdictions and not carrying them over to other locales, meaning the sanctionable content still proliferates globally. The large fines are also argued by some to promote over-censorship by the private sector in certain cases, given the ultimate authority of the social media companies to determine what constitutes sanctionable or illicit behavior.
Both the US and the EU have issued sanctions such as travel bans and asset freezes against individuals and organizations involved in cyber attacks, such as a multi-year IP theft campaign coordinated by Iran and the Wannacry ransomware attacks conducted by the DPRK. These attacks resulted in the loss of restricted military grade technologies, stolen funds, lost data and revenue from shutting down operations, and damaged business reputations. Sanctions for cyber threats have yet to be considered on an international level.