Set against the odd frame of US President Donald J. Trump wanting to invite Russia to govern the world as part of a reconstituted G8, the actions taken by the Office of Foreign Assets Control (OFAC) on June 11 to sanction Russian cyber actors were a welcome reminder that actions can speak louder than words and that credible, sustainable actions like these are (hopefully) what advance actual policy goals. Taken by itself, this set of sanctions is the important, if routine, work that dismantles networks of bad actors doing bad things. It was not escalatory, but it serves as a reminder of the threats posed by Russia and raises some interesting questions.
The OFAC sanctions target the destabilizing cyber activities of Russia’s Federal Security Service (FSB). The press release on the sanctions specifically mentioned Russia’s responsibility for the devastating NotPetya cyber hack that caused billions of dollars in damage to companies and devastated the computer systems at global shipping giant Maersk, Ukraine’s Boryspil International Airport, US pharmaceutical giant Merck, and many others. It also cited Russia’s prepositioning of cyber assets that have the potential to cause global disruption, including intrusions of the US energy grid.
Stated this way, especially the targeting of global commerce and critical infrastructure systems that are well outside of normal state-to-state hacking for espionage purposes, the Trump administration is publicly painting Russia with the same broad brush of bad cyber actor that it has used against Iran and North Korea. That is rather significant company as this administration has not even accused China, long seen as the most significant global cyber threat, of such behavior.
A final notable piece of the sanctions was the targeting of Russian entities that enable Russia’s undersea espionage and hacking efforts. The US and UK governments have previously warned about the threat posed by Russia’s access to the undersea cables that essentially prop up the global financial system and the Internet. It is unlikely that OFAC would specifically name cyberattack access points in a designation action–such information would reveal sources and methods of intelligence collection and would not be necessary to support a designation–but noting that threat raises the question of whether Russian security services used such undersea tools in the NotPetya attack or have used them to lay the groundwork to cripple the critical systems that traverse those cables.
Brian O’Toole is a nonresident senior fellow with the Atlantic Council’s Global Business and Economics Program. He worked at the US Department of the Treasury from 2009 to 2017. As senior adviser to the director of the Office of Foreign Assets Control (OFAC), he helped manage the implementation of all OFAC-administered economic and financial sanctions programs. Follow him on Twitter @brianoftoole.
Daniel Fried is a distinguished fellow in the Atlantic Council’s Future Europe Initiative and Eurasia Center. As the State Department’s coordinator for sanctions policy in the Obama administration, he crafted US sanctions against Russia, the largest US sanctions program to date, and negotiated the imposition of similar sanctions by Europe, Canada, Japan, and Australia.