¹ Maggie Miller, ‘FBI Sees Spike in Cyber Crime Reports during Coronavirus Pandemic’, The Hill, 16 April 2020, https://thehill.com/policy/cybersecurity/493198-fbi-sees-spike-in-cyber-crime-reports-during-coronavirus-pandemic.

² Council on Foreign Relations, Cyber Operation Tracker, https://www.cfr.org/cyber-operations.

³ ibid.

⁴ Certain limitations of case selection for this study should be noted. First, this study is concerned only with cases in which sanctions were actually imposed (threats to implement sanctions remained outside this research). Second, we reviewed cases where sanctions or a combination of sanctions and other means of response were implemented; cases of solely diplomatic reaction or criminal indictment without sanctions imposition were excluded. Finally, our dataset included only cases of alleged interstate cyber attacks, leaving aside designation of cyber criminals as individuals without any links to the government.

⁵ John Kerry, US Secretary of State, ‘Condemning Cyber-Attack by North Korea’, 19 December 2014, https://2009-2017.state.gov/secretary/remarks/2014/12/235444.htm.

⁶ US Department of the Treasury, ‘U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash’, 8 August 2022, https://home.treasury.gov/news/press-releases/jy0916.

⁷ US Department of the Treasury, ‘Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group’, 2 March 2020, https://home.treasury.gov/news/press-releases/sm924.

⁸ US Department of the Treasury, ‘Treasury Sanctions Nigerian Cyber Actors for Targeting U.S. Businesses and Individuals’, 16 June 2020, https://home.treasury.gov/news/press-releases/sm1034.

⁹ US Department of State, ‘The United States Sanctions Cyber Actors Backed by Iranian Intelligence Ministry’, 17 September 2020, https://2017-2021.state.gov/the-united-states-sanctions-cyber-actors-backed-by-iranian-intelligence-ministry/index.html.

¹⁰ US Department of the Treasury, ‘Treasury Sanctions Iran Cyber Actors for Attempting to Influence the 2020 U.S. Presidential Election’, 18 November 2021, https://home.treasury.gov/news/press-releases/jy0494.

¹¹ US Department of the Treasury, ‘Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-Attacks’, 15 March 2018, https://home.treasury.gov/news/press-releases/sm0312.

¹² US Department of the Treasury, ‘Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware’, 5 December 2019, https://home.treasury.gov/news/press-releases/sm845.

¹³ US Department of the Treasury, ‘Treasury Sanctions Russian Cyber Actors for Virtual Currency Theft’, 16 September 2020, https://home.treasury.gov/news/press-releases/sm1123.

¹⁴ US Department of the Treasury, ‘Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware’, 23 October 2020, https://home.treasury.gov/news/press-releases/sm1162.

¹⁵ US Department of the Treasury, ‘Treasury Sanctions Russia with Sweeping New Sanctions Authority’, 15 April 2021, https://home.treasury.gov/news/press-releases/jy0127.

¹⁶ US Department of the Treasury, ‘Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual Currency Exchange’, 8 November 2021, https://home.treasury.gov/news/press-releases/jy0471.

¹⁷ Eric Geller, ‘Biden Pledges Robust Response to Cyber Crisis “From the Moment We Take Office”’, Politico, 17 December 2020, https://www.politico.com/news/2020/12/17/biden-cyber-crisis-response-447858; Richard Luscombe, ‘Biden Mulls Punishments for Russia over Suspected Role in Government Hack’, The Guardian, 20 December 2020, https://www.theguardian.com/world/2020/dec/20/russian-hack-suspected-role-biden-mulls-punishment.

¹⁸ The White House, ‘A Letter on Blocking Property with respect to Specified Harmful Foreign Activities of the Government of the Russian Federation’, 15 April 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/a-letter-on-blocking-property-with-respect-to-specified-harmful-foreign-activities-of-the-government-of-the-russian-federation.

¹⁹ US Department of the Treasury, ‘Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments’, 21 September 2021, https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf.

²⁰ US Department of the Treasury, ‘Treasury Takes Robust Actions to Counter Ransomware’, 21 September 2021, https://home.treasury.gov/news/press-releases/jy0364.

²¹ US Department of the Treasury, ‘Treasury Sanctions Russia-Based Hydra, World's Largest Darknet Market, and Ransomware-Enabling Virtual Currency Exchange Garantex’, 5 April 2022, https://home.treasury.gov/news/press-releases/jy0701.

²² Council Implementing Regulation (EU) 2020/1125 of 30 July 2020, Implementing Regulation 2019/796 concerning Restrictive Measures against Cyber-Attacks Threatening the Union or Its Member States, [2020] OJ L246/4; US Department of the Treasury, ‘Treasury Sanctions Russian Federal Security Service Enablers’, 11 June 2018, https://home.treasury.gov/news/press-releases/sm0410.

²³ EU Regulation 2020/1125 (n 22); US Department of the Treasury, ‘Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups’, 13 September 2019, https://home.treasury.gov/index.php/news/press-releases/sm774.

²⁴ EU Regulation 2020/1125 (n 22).

²⁵ Council Implementing Regulation (EU) 2020/1536 of 22 October 2020, of Implementing Regulation (EU) 2019/796 concerning Restrictive Measures against Cyber-Attacks Threatening the Union or Its Member States, [2020] OJ L 351 I/1; UK Foreign, Commonwealth and Development Office, ‘UK Enforces New Sanctions against Russia for Cyber Attack on German Parliament’, 22 October 2020, https://www.gov.uk/government/news/uk-enforces-new-sanctions-against-russia-for-cyber-attack-on-german-parliament.

²⁶ EU Regulation 2020/1125 (n 22).

²⁷ HM Treasury, Office of Financial Sanctions Implementation, ‘Financial Sanctions Notice: Cyber’, 15 March 2022, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1060768/Notice_Cyber_150322.pdf.

²⁸ HM Treasury, Office of Financial Sanctions Implementation, ‘Financial Sanctions Notice: Cyber’, 24 March 2022, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1063154/Notice_Cyber_240322.pdf.

²⁹ The imposition of sanctions for the cyber-espionage operation Cloud Hopper by the EU is the sole example: EU Regulation 2020/1125 (n 22).

³⁰ Drezner, Daniel W, ‘Sanctions Sometimes Smart: Targeted Sanctions in Theory and Practice’ (2011) 13(1) International Studies Review 96, 97CrossRefGoogle Scholar.

³¹ Gary Clyde Hufbauer and others, Economic Sanctions Reconsidered (3rd edn, Peterson Institute for International Economics 2007) 3.

³² Maarten Smeets, ‘Can Economic Sanctions Be Effective?’, WTO Economic Research and Statistics Division, Staff Working Paper ERSD-2018-03, 15 March 2018, 4.

³³ For a discussion of the compatibility of economic sanctions with World Trade Organization obligations see Neuwirth, Rostam J and Svetlicinii, Alexandr, ‘The Economic Sanctions over the Ukraine Conflict and the WTO: “Catch-XXI” and the Revival of the Debate on Security Exceptions’ (2015) 5 Journal of World Trade 891, 894Google Scholar.

³⁴ Hufbauer and others (n 31) 63.

³⁵ Baldwin, David A and Pape, Robert A, ‘Evaluating Economic Sanctions’ (1998) 23(2) International Security 189, 191CrossRefGoogle Scholar.

³⁶ Francesco Giumelli, Coercing, Constraining and Signaling: Explaining UN and EU Sanctions after the Cold War (ECPR Press 2011) 3.

³⁷ For instance, between 22 February and 20 October 2022, Australia, Canada, the EU, France, Japan, Switzerland, the UK and the US imposed sanctions on 8,330 individuals and 1,543 entities from Russia: Statista, ‘Sanctions Imposed on Russia 2022, by Target’, November 2022, https://www.statista.com/statistics/1293531/western-sanctions-imposed-on-russia-by-target.

³⁸ In 1985 Hufbauer and co-authors published the 1st edition of Economic Sanctions Reconsidered: History and Current Policy (Peterson Institute for International Economics 1985) based on case studies of 103 sanctions episodes and analysis of sanctions-related public policies. The 2nd edition of Economic Sanctions Reconsidered (Peterson Institute for International Economics 1990) and the 3rd edition of 2007 (n 31) remain among the most cited studies on the subject. A number of quantitative studies followed the work of Hufbauer and others, most of which demonstrated that while sanctions sometimes make targets change their behaviour, some identifiable factors do contribute to the success of sanctions: eg, Dashti-Gibson, Jaleh, Davis, Patricia and Radcliff, Benjamin, ‘On the Determinants of the Success of Economic Sanctions: An Empirical Analysis’ (1997) 41 American Journal of Political Science 608CrossRefGoogle Scholar; Drezner, Daniel W, ‘Conflict Expectations and the Paradox of Economic Coercion’ (1998) 42 International Studies Quarterly 709CrossRefGoogle Scholar. Nonetheless, this approach of Hufbauer and co-authors is not free from critique: see Pape, Robert A, ‘Why Economic Sanctions Do Not Work’ (1997) 22(2) International Security 90CrossRefGoogle Scholar. A turn towards the study of targeted sanctions is seen since the early 2000s, when the voices of those who oppose comprehensive sanctions based on their negative externalities sound more convincing: eg, David Cortright and George Lopez, Smart Sanctions: Targeting Economic Statecraft (Rowman & Littlefield 2002); Brzoska, Michael, ‘From Dumb to Smart? Recent Reforms of UN Sanctions’ (2003) 9 Global Governance 519CrossRefGoogle Scholar; Ella Shagabutdinova and Jeffrey Berejikian, ‘Deploying Sanctions while Protecting Human Rights: Are Humanitarian “Smart” Sanctions Effective?’ (2007) 6 Journal of Human Rights 59. The UN Targeted Sanctions database by Biersteker and co-authors (Thomas J Biersteker, Sue E Eckert and Marcos Tourinho (eds), Targeted Sanctions (Cambridge University Press 2016)) is another heavily cited data source for research on whether economic sanctions work. Based on analysis of 23 episodes of UN-targeted sanctions, Biersteker and co-authors assess only 22 per cent of sanctioning cases to be successful, which is lower than the overall success rate reported by Hufbauer and others (34 per cent). Elizabeth Rosenberg and co-authors in The New Tools of Economic Warfare: Effects and Effectiveness of Contemporary U.S. Financial Sanctions (Center for a New American Security 2016) examine the effectiveness of financial sanctions particularly, and conclude that this type of sanction is relatively more effective (in up to 40 per cent of cases) than other types of sanction. Lektzian and Patterson (David Lektzian and Dennis Patterson, ‘Political Cleavages and Economic Sanctions: The Economic and Political Winners and Losers of Sanctions’ (2015) 59 International Studies Quarterly 46), and Pond (Amy Pond, ‘Economic Sanctions and Demand for Protection’ (2017) 61 Journal of Conflict Resolution 1073) study economic and political costs incurred by senders and targets as well as micro-dynamics of the success rate of sanctions. For a detailed and critical review of literature on the effectiveness of economic sanctions refer to Dursun Peksen, ‘When Do Imposed Economic Sanctions Work? A Critical Review of the Sanctions Effectiveness Literature’ (2019) 30 Defence and Peace Economics 635.

³⁹ Hufbauer and others (n 31) 158–59.

⁴⁰ On these issues see Stanley J Marcuss and Stephen D Mathias, ‘U.S. Foreign Policy Export Controls: Do They Pass Muster under International Law?’ (1984) 2 Berkeley Journal of International Law 1; Bradley A Curtis and Jack L Goldsmith, ‘Customary International Law as Federal Common Law: A Critique of the Modern Position’ (1997) 10 Harvard Law Review 815.

⁴¹ Alexandra Hofer, ‘The Developed/Developing Divide on Unilateral Coercive Measures: Legitimate Enforcement or Illegitimate Intervention?’ (2017) 16 Chinese Journal of International Law 175.

⁴² The first general justification for the legality of economic coercive measures is the Lotus principle (PCIJ, SS Lotus case (France v Turkey) (1927) PCIJ Rep (Ser A, No 10) 18). States are free to conduct economic relations at their own discretion provided they respect their obligations under treaties and legal norms that have been recognised as customary international law. In the light of this principle, economic sanctions are prima facie legal; see Hofer (n 41) 180 para 9. The second justification is based on the law of countermeasures. In this respect Gestri has described the EU as ‘a trailblazer’ in implementing the doctrine of ‘collective countermeasures’: Marco Gestri, ‘Sanctions Imposed by the European Union: Legal and Institutional Aspects’ in Natalino Ronzitti (ed), Coercive Diplomacy, Sanctions and International Law (Brill/Nijhoff 2016) 70, 99. See also Daniel H Joyner, ‘UN Counter-Proliferation Sanctions and International Law’ in Larissa van den Herik (ed), Research Handbook on U.N. Sanctions and International Law (Edward Elgar 2017) 105; and Devika Hovel, ‘Unfinished Business of International Law: The Questionable Legality of Autonomous Sanctions’ (2019) 113 American Journal of International Law Unbound 140.

⁴³ Rahmat Mohamad, ‘Unilateral Sanctions in International Law: A Quest for Legality’ in Ali Z Marossi and Marisa R Bassett (eds), Economic Sanctions under International Law: Unilateralism, Multilateralism, Legitimacy, and Consequences (Asser Press/Springer 2015) 71. See also Matthew Happold, ‘Economic Sanctions and International Law: An Introduction’ in Matthew Happold and Paul Eden (eds), Economic Sanctions and International Law (Hart 2016) 1.

⁴⁴ Carter's work on reforming the US sanctions regime can be distinguished as particularly comprehensive: Barry E Carter, ‘International Economic Sanctions: Improving the Haphazard U.S. Legal Regime’ (1987) 75 California Law Review 1163. See also Sarabeth Egle, ‘The Learning Curve of Sanctions – Have Three Decades of Sanctions Reform Taught Us Anything?’ (2010) 19 Currents: International Trade Law Journal 34; Anthonius W de Vries, Clara Portela and Borjia Guijarro-Usobiaga, ‘Improving the Effectiveness of Sanctions: A Checklist for the EU’, CEPS Special Reports, No 95, November 2014, https://core.ac.uk/download/pdf/76796051.pdf.

⁴⁵ François Delerue, Cyber Operations and International Law (Cambridge University Press 2020); Anders Henriksen, ‘Lawful State Responses to Low-Level Cyber-Attacks’ (2015) 84 Nordic Journal of International Law 323.

⁴⁶ Christina Lam, ‘A Slap on the Wrist: Combatting Russia's Cyber Attack on the 2016 U.S. Presidential Election’ (2018) 59 Boston College Law Review 2167.

⁴⁷ The Open-Ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security held two substantive sessions: 9–13 September 2019 and 10–14 February 2020.

⁴⁸ Apart from the US, the EU and the UK, Australia introduced a cyber-specific sanctions regime in December 2021: Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Regulations 2021, F2021L01855, https://www.legislation.gov.au/Details/F2021L01855. The Australian regulation contemplates targeted financial sanctions and a travel ban on the persons designated as responsible for ‘significant cyber incidents’. The power of designation is vested in the Minister for Foreign Affairs. Our examination of the Consolidated List as of 24 October 2022 (https://www.dfat.gov.au/international-relations/security/sanctions/consolidated-list) did not reveal any designations under the counter-cyber sanctions regime.

⁴⁹ UNGA Res 56/83, Articles on Responsibility of States for Internationally Wrongful Acts (12 December 2001), UN Doc A/RES/56/83 (ARSIWA), art 49(1).

⁵⁰ ibid arts 49–53.

⁵¹ International Law Commission, Articles on the Responsibility of States for Internationally Wrongful Acts, with Commentaries (2001), UN Doc A/56/10 (ARSIWA with Commentaries).

⁵² Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017) 30–50.

⁵³ The Netherlands: Ministry of Foreign Affairs, ‘Letter to the Parliament on the International Legal Order in Cyberspace’, 5 July 2019, 4–5, https://www.government.nl/ministries/ministry-of-foreign-affairs/documents/parliamentary-documents/2019/09/26/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace; France: Ministère des Armées, ‘International Law Applied to Operations in Cyberspace’, October 2019, 6, 9–10, https://documents.unoda.org/wp-content/uploads/2021/12/French-position-oninternational-law-applied-to-cyberspace.pdf.

⁵⁴ The GGE Report of 2015 envisages a negative obligation of states to ‘not knowingly allow their territory to be used for internationally wrongful acts using ICTs’ as ‘voluntary, non-binding norms, rules or principles of responsible behaviour of States’: UN General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security: Note by the Secretary-General (26 June 2015), UN Doc A/70/174, para 13(c) (GGE Report 2015). See The White House, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’, May 2011, 10, https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf; see also Scott J Shackelford, Scott Russell and Andreas Kuehn, ‘Unpacking the International Law on Cybersecurity Due Diligence: Lessons from the Public and Private Sectors’ (2016) 17 Chicago Journal of International Law, article 1, 22–23; François Delerue, ‘Cyber Operations and the Principle of Due Diligence’ in François Delerue, Cyber Operations and International Law (Cambridge University Press 2020) 353.

⁵⁵ ICJ, Corfu Channel (United Kingdom v Albania), Judgment [1949] ICJ Rep 4.

⁵⁶ Antonio Coco, Talita de Souza Dias, ‘‘Cyber Due Diligence’: A Patchwork of Protective Obligations in International Law’ (2021) 32 European Journal of International Law 804.

⁵⁷ ibid.

⁵⁸ Charter of the United Nations (entered into force 24 October 1945) 1 UNTS XVI (UN Charter).

⁵⁹ See, inter alia, Schmitt (n 52); James Gow and others (eds), Routledge Handbook of War, Law and Technology (Routledge 2019); Yoram Dinstein and Arne Willy Dahl, Oslo Manual on Select Topics of the Law of Armed Conflict: Rules and Commentary (Springer Nature 2020).

⁶⁰ The UN General Assembly welcomed this affirmation of the GGE on Developments in the Field of Information and Telecommunications in the Context of International Security on numerous occasions: see UNGA Res 70/237, Developments in the Field of Information and Telecommunications in the Context of International Security (23 December 2015), UN Doc A/RES/70/237. A significant number of states confirmed this applicability during the sessions of the OEWG.

⁶¹ See also Michele G Markoff, ‘Explanation of Position at the Conclusion of the 2016–2017 UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, Remarks’, 23 June 2017, https://2017-2021.state.gov/explanation-of-position-at-the-conclusion-of-the-2016-2017-un-group-of-governmental-experts-gge-on-developments-in-the-field-of-information-and-telecommunications-in-the-context-of-international-sec/index.html.

⁶² Declaration by Cuba, at the Final Session of GGE on Developments in the Field of Information and Telecommunications in the Context of International Security, 23 June 2017, http://misiones.minrex.gob.cu/en/un/statements/71-unga-cuba-final-session-group-governmental-experts-developments-field-information.

⁶³ Ministry of Foreign Affairs of the Russian Federation, ‘Response of the Special Representative of the President of the Russian Federation for International Cooperation on Information Security, Andrey Krutskikh, to TASS’ Question concerning the State of International Dialogue in this Sphere’, 29 June 2017, http://www.mid.ru/en/foreign_policy/news/-/asset_publisher/cKNonkJE02Bw/content/id/2804288.

⁶⁴ China did not publicly share its position; see Elaine Korzak, ‘UN GGE on Cybersecurity: The End of an Era?’, The Diplomat, 31 July 2017, https://thediplomat.com/2017/07/un-gge-on-cybersecurity-have-china-and-russia-just-made-cyberspace-less-safe.

⁶⁵ Declaration by Cuba (n 62).

⁶⁶ For instance, Pakistan, Russia, the Syrian Arab Republic: OEWG, 11 September 2019, 11 February 2020 (n 47).

⁶⁷ Austria, Brazil, Canada, Chile, Czech Republic, European Union, Italy, Lichtenstein, New Zealand, Pacific Islands Forum, Sweden, Switzerland, United Kingdom, and others: OEWG, 11 February 2020 (n 47).

⁶⁸ Russia raised a question of how the application of international law in cyberspace correlates with voluntary principle: OEWG, 11 February 2020 (n 47).

⁶⁹ Cuba, Egypt, Jordan, Pakistan, Singapore, Syria: OEWG, 11 February 2020 (n 47).

⁷⁰ Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (14 July 2021), UN Doc A/76/135, para 71(f),

⁷¹ Schmitt (n 52); Dinstein and Dahl (n 59).

⁷² Jean D'Aspremont, ‘Cyber Operations and International Law: An Interventionist Legal Thought’ (2016) 21 Journal of Conflict and Security Law 580.

⁷³ Corfu Channel (n 55); ICJ, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) Merits, Judgment [1986] ICJ Rep 14; ICJ, Certain Activities Carried out by Nicaragua in the Border Area (Costa Rica v Nicaragua) and Construction of a Road in Costa Rica Along the San Juan River (Nicaragua v Costa Rica), Judgment [2015] ICJ Rep 665.

⁷⁴ Experts on Tallinn 2.0 were strongly divided in respect of this issue: Schmitt (n 52) 20–27.

⁷⁵ Jennifer M O'Connor, ‘Memorandum “International Law Framework for Employing Cyber Capabilities in Military Operations”’, 19 January 2017 (quoted in Harriet Moynihan, ‘The Application of International Law to State Cyberattacks Sovereignty and Non-intervention’, Chatham House, Research Paper, December 2019, fn 36, https://www.chathamhouse.org/sites/default/files/publications/research/2019-11-29-Intl-Law-Cyberattacks.pdf; Jeremy Wright, Attorney-General (UK), ‘Cyber and International Law in the 21st Century’, MP Speech on the UK's Position on Applying International Law to Cyberspace, 23 May 2018, https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century.

⁷⁶ Ministère des Armées (France) (n 53) 6, 9–10.

⁷⁷ Government of the Netherlands, Ministry of Foreign Affairs, Letter to the Parliament on the International Legal Order in Cyberspace, 26 September 2019, https://www.government.nl/ministries/ministry-of-foreign-affairs/documents/parliamentary-documents/2019/09/26/letter-to-the-parliament-on-the-international-legal-order-in-cyberspace; Michael Schmitt, ‘The Netherlands Releases a Tour de Force on International Law in Cyberspace: Analysis’, Just Security, 14 October 2019, https://www.justsecurity.org/66562/the-netherlands-releases-a-tour-de-force-on-international-law-in-cyberspace-analysis.

⁷⁸ International Law and Cyberspace: Finland's National Positions, October 2020, https://front.un-arm.org/wp-content/uploads/2020/10/finland-views-cyber-and-international-law-oct-2020.pdf.

⁷⁹ Nicaragua (n 73) para 205.

⁸⁰ The Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States in accordance with the Charter of the United Nations provides that ‘no State may use or encourage the use of economic, political or any other type of measures to coerce another State in order to obtain from it the subordination of the exercise of its sovereign rights and to secure from its advantages of any kind’: UNGA Res 2625 (XXV) (24 October 1970).

⁸¹ Nicaragua (n 73) para 205.

⁸² Katja S Ziegler, ‘Domaine Réservé’ in Rüdiger Wolfrum and Anne Peters (eds), Max Planck Encyclopedia of Public International Law (online edn, April 2013) 213, https://opil.ouplaw.com/display/10.1093/law:epil/9780199231690/law-9780199231690-e1398.

⁸³ David E Sanger and Catie Edmondson, ‘Russia Targeted Election Systems in All 50 States, Report Finds’, The New York Times, 25 July 2019, https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html.

⁸⁴ UN Charter (n 58) art 2, art 51; Nicaragua v US (n 73) [191].

⁸⁵ Nicaragua (n 73) [195].

⁸⁶ Michael N Schmitt (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press 2013) 48–51; Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press 2014) 53–60.

⁸⁷ Olivier Corten, The Law Against War (Hart 2012) 5–27.

⁸⁸ ICJ, Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion [1966] ICJ Rep 226, [39].

⁸⁹ Oliver Dörr and Albrecht Randelzhofer, ‘Article 2(4)’ in Bruno Simma (ed), The Charter of the United Nations: A Commentary (3rd edn, Oxford University Press 2012) 17, 18, 21.

⁹⁰ OEWG (n 47) 11 February 2020; Australia: Department of Foreign Affairs and Trade, Australia's Cyber Engagement Strategy, Annex A: Supplement to Australia's Position on the Application of International Law to State Conduct in Cyberspace, 2019; Australia's Cyber Engagement Strategy, Annex A: Australia's Position on How International Law Applies to State Conduct in Cyberspace, 2017; Germany: Antwort der Bundesregierung auf die Kleine Anfrage der Abgeordneten, Dr Alexander S Neu, Andrej Hunko, Wolfgang Gehrcke, weiterer Abgeordneter und der Fraktion, ‘Krieg im “Cyber-Raum” – offensive und defensive Cyberstrategie des Bundesministeriums der Verteidigung’, Drucksache 18/6989, 10 December 2015, 10; UK: Wright (n 75); US: Harald Hongju Koh, ‘International Law in Cyberspace’ (2012) 54 Harvard International Law Journal Online.

⁹¹ ibid.

⁹² Center for Strategic and International Studies, ‘Significant Cyber Incidents since 2006’, https://csis-website-prod.s3.amazonaws.com/s3fs-public/200901_Significant_Cyber_Events_List.pdf.

⁹³ Sean Watts, ‘Low-Intensity Cyber Operations and the Principle of Non-Intervention’ in Jens David Ohlin, Kevin Govern and Claire Finkelstein (eds), Cyber War: Law and Ethics for Virtual Conflicts (Oxford University Press 2015) 249, 249–50.

⁹⁴ Ministère des Armées (France) (n 53) 7.

⁹⁵ Letter from the Minister of Foreign Affairs to the President of the House of Representatives on the International Legal Order in Cyberspace, 5 July 2019, Appendix: International Law in Cyberspace, 4.

⁹⁶ UK Ministry of Defence, Cyber Primer (2nd edn, 2016) Annex 1A: International Law Aspects, 12.

⁹⁷ Paris Call for Trust and Security in Cyber Space, 11 December 2018, https://pariscall.international/en/call.

⁹⁸ Department of Foreign Affairs and Trade, Australia's Cyber Engagement Strategy, Annex A: Supplement to Australia's Position on the Application of International Law to State Conduct in Cyberspace, 2019; Australia's Cyber Engagement Strategy, Annex A: Australia's Position on How International Law Applies to State Conduct in Cyberspace, 2017.

⁹⁹ Antwort der Bundesregierung (Germany) (n 90) 4, 5, 7.

¹⁰⁰ Ministry of Foreign Affairs (The Netherlands) (n 77).

¹⁰¹ Wright (n 75).

¹⁰² Koh (n 90).

¹⁰³ Ministère des Armées (France) (n 53).

¹⁰⁴ International Law and Cyberspace: Finland's National Positions (n 78).

¹⁰⁵ Roy Schondorf, ‘Israel's Perspective on Key Legal and Practical Issues concerning the Application of International Law to Cyber Operations’, EJIL:Talk!, 9 December 2020, https://www.ejiltalk.org/israels-perspective-on-key-legal-and-practical-issues-concerning-the-application-of-international-law-to-cyber-operations.

¹⁰⁶ Ministère des Armées (France) (n 53) 13.

¹⁰⁷ Brian J Egan, ‘Remarks on International Law and Stability in Cyberspace’, speech at Berkeley Law School, 10 November 2016, https://2009-2017.state.gov/s/l/releases/remarks/264303.htm.

¹⁰⁸ International Committee of the Red Cross, ‘Interpretive Guidance on the Notion of Direct Participation in Hostilities under International Humanitarian Law’, 46–64, https://www.icrc.org/en/doc/assets/files/other/icrc-002-0990.pdf; another view of the number of key elements of the ‘direct participation in hostilities’ is represented in HCJ 769/02 Public Committee Against Torture in Israel and Palestinian Society for the Protection of Human Rights and the Environment v Israel and Others, ILDC 597 (IL 2006) [2006] (Targeted Killing) para 39.

¹⁰⁹ UNGA Res 68/167, The Right to Privacy in the Digital Age (18 December 2013), UN Doc A/RES/68/167.

¹¹⁰ International Covenant on Civil and Political Rights (entered into force 23 March 1976) 999 UNTS 171 (ICCPR) art 17; European Convention for the Protection of Human Rights and Fundamental Freedoms (entered into force 3 September 1953) 213 UNTS 222 (ECHR) art 8.

¹¹¹ Marko Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ (2015) 56 Harvard International Law Journal 81, 120–30.

¹¹² UN Commission on Human Rights, General Comment No 31: The Nature of the General Legal Obligation Imposed on States Parties to the Covenant (26 May 2004), UN Doc CCPR/C/21/Rev.1/Add.13, para 10.

¹¹³ ICJ, Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion [2004] ICJ Rep 136, [108], [111].

¹¹⁴ ICCPR (n 110) art 2(1).

¹¹⁵ ECtHR, Loizidou v Turkey, App No 15318/89, 23 March 1995, para 62; ECtHR, Al-Saadoon and Mufdhi v United Kingdom, App No 61498/08, 4 October 2010, paras 86–89.

¹¹⁶ ECtHR, Al-Skeini and Others v United Kingdom, App No 55721/07, 7 July 2011, paras 138–140; ECtHR, Jaloud v The Netherlands, App No 47708/08, 20 November 2014.

¹¹⁷ ECHR (n 110) art 1.

¹¹⁸ Milanovic (n 111) 129.

¹¹⁹ ECtHR, Weber and Saravia v Germany, App No 54934/00, 29 June 2006.

¹²⁰ ECtHR, Liberty and Others v United Kingdom, App No 58243/00, 1 July 2008.

¹²¹ ECtHR, Big Brother Watch and Others v United Kingdom, App Nos 58170/13, 62322/14 and 24960/15, Grand Chamber, 25 May 2021.

¹²² ECtHR, Centrum för Rättvisa v Sweden, App No 35252/08, 19 June 2018, para 112. See also Asaf Lubin, ‘Legitimizing Foreign Mass Surveillance in the European Court of Human Rights’, Just Security, 2 August 2018, https://www.justsecurity.org/59923/legitimizing-foreign-mass-surveillance-european-court-human-rights.

¹²³ Big Brother Watch and Others v United Kingdom (n 121) para 340.

¹²⁴ ibid.

¹²⁵ At the request of the applicants, the judgments in Centrum för Rättvisa and Big Brother Watch have been referred to the Grand Chamber, https://hudoc.echr.coe.int/eng-press?i=003-6321717-8260093.

¹²⁶ CJEU, Case C-623/17 Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others, Request for a Preliminary Ruling from the Investigatory Powers Tribunal (London), Judgment, 6 October 2020, ECLI:EU:C:2020:790; CJEU, Joined Cases C-511/18, C-512/18 and C-520/18 La Quadrature du Net and Others v Premier Ministre and Others, Requests for a Preliminary Ruling from the Conseil d’État (Council of State, France) and from the Cour Constitutionnelle (Constitutional Court, Belgium), Judgment, 6 October 2020, ECLI:EU:C:2020:791.

¹²⁷ François Delerue, ‘Reinterpretation or Contestation of International Law in Cyberspace?’ (2019) 52 Israel Law Review 295, 315–16.

¹²⁸ EU statement, Portugal joined: OEWG (n 47) 9 and 10 September 2019.

¹²⁹ Bulgaria; Italy: OEWG (n 47) 9 September 2019.

¹³⁰ Israel: OEWG (n 47) 11 September 2019.

¹³¹ UK: OEWG (n 47) 12 September 2019.

¹³² US: OEWG (n 47) 12 September 2019, 1st subs Session; Singapore, UK, Australia: OEWG (n 47) 11 February 2020.

¹³³ The necessity for lawmaking was expressed by Algeria, the CARICOM group, Nigeria, Russia and the Syrian Arab Republic: OEWG (n 47) 9–11 September 2019.

¹³⁴ South Africa and Chile: OEWG (n 47) 9 and 12 September 2019; Brazil: OEWG (n 47) 12 February 2020.

¹³⁵ The GGE Report of 2015 (n 54) contains 11 ‘norms, rules and principles for the responsible behaviour of states’, which were endorsed by consensus by the UN General Assembly (UNGA Res 70/237 (n 60) para 2(a)) and their content was almost not disputed at the substantial meetings of the OEWG in 2019 and 2020.

¹³⁶ The UN General Assembly in the resolution on the creation of the OEWG in 2018 added three new norms to the existing list and altered a few aspects of the GGE formulations. However, it was adopted by vote, not by consensus, with 119 votes in favour, 46 against and 14 abstentions: UNGA Res 73/27, Developments in the Field of Information and Telecommunications in the Context of International Security (5 December 2018), UN Doc A/RES/73/27.

¹³⁷ Against this background it is revealing that during the OEWG sessions only Egypt explicitly suggested transforming the GGE recommendations to legally binding provisions, and the Philippines expressed concern about the non-binding character of their nature and reduced options for compliance and enforcement.

¹³⁸ GGE Report 2015 (n 54) para 10.

¹³⁹ ‘Poroshenko: Russia Unleashed Cyber War against Ukraine’, The Segodnya, 29 December 2016 (in Russian), https://politics.segodnya.ua/politics/poroshenko-rossiya-razvyazala-kibervoynu-protiv-ukrainy-784445.html.

¹⁴⁰ Council Implementing Regulation 2020/1536 (n 25).

¹⁴¹ UK National Cyber Security Centre, ‘UK Exposes Russian Cyber Attacks’, 4 October 2018, https://www.gov.uk/government/news/uk-exposes-russian-cyber-attacks.

¹⁴² Kerry (n 5).

¹⁴³ The White House, ‘Statement by the President on Actions in Response to Russian Malicious Cyber Activity and Harassment’, 29 December 2016, https://obamawhitehouse.archives.gov/the-press-office/2016/12/29/statement-president-actions-response-russian-malicious-cyber-activity.

¹⁴⁴ Statement of the Ministry of Foreign Affairs of Georgia, 20 February 2020, @MFAgovge, Twitter, 20 February 2020, https://twitter.com/MFAgovge/status/1230479514431631363?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1230479514431631363%7Ctwgr%5E7028efa2532a3132db27d25535179e56c5bc4434%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fcivil.ge%2Farchives%2F339589.

¹⁴⁵ Executive Order No 14024, 86 FR 20249, 15 April 2021.

¹⁴⁶ Marco Roscini, ‘Evidentiary Issues in International Disputes related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 233, 248–54.

¹⁴⁷ See Luke Chircop, ‘A Due Diligence Standard of Attribution in Cyberspace’ (2018) 67 International & Comparative Law Quarterly 645, 648; Anders Henriksen, ‘Lawful State Responses to Low-Level Cyber-Attacks’ (2015) 84 Nordic Journal of International Law 323, 340–42.

¹⁴⁸ GGE Report 2015 (n 54) para 13(b), endorsed by the General Assembly: UNGA Res 70/237 (23 December 2015) (n 60).

¹⁴⁹ ‘Estonian Links Moscow to Internet Attack’, The New York Times, 18 May 2007, https://www.nytimes.com/2007/05/18/world/europe/18estonia.html.

¹⁵⁰ North Korea was designated by the US as a state that organised the cyber attack on Sony Pictures (press statement of John Kerry (n 5)) and by the UK, the US, Australia, Canada, New Zealand, and Japan as responsible for the WannaCry ransomware (The White House, ‘Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea’, 19 December 2017, https://trumpwhitehouse.archives.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917; US Department of the Treasury (n 23).

¹⁵¹ Russian intelligence agencies or state officials were blamed for a number of attacks, including the cyber operation against SolarWinds Co and its clients, which included US state agencies (US Department of the Treasury (n 15)), the hacking of the German Bundestag in 2015 (Council Implementing Regulation 2020/1536 (n 25), UK Foreign, Commonwealth and Development Office (n 25)), meddling in the US presidential elections in 2016 (US Department of the Treasury (n 11)), Petya and NotPetya ransomwares (US Department of the Treasury (n 22), EU Regulation 2020/1125 (n 22)). In October 2018 the UK National Cyber Security Centre officially claimed that a number of cyber actors widely known to have been conducting cyber attacks around the world are in fact the Russian Military Intelligence Service (GRU): the 2017 BadRabbit ransomware, hacking and release of the medical files of the WADA in 2016, the attack against the Ukrainian financial, energy and government sectors in 2017, an attempt to gain access to the UK defence and science technology laboratory computer systems in 2018, and spearphishing the UK Foreign and Commonwealth office in the same year. In 2020 Georgia, the US and the UK exposed Russia (or, precisely, the GRU) as being responsible for a number of significant cyber attacks against Georgia in October 2019, which disrupted the operations of several thousand Georgian government and privately run websites and interrupted the broadcast of at least two major television stations (Statement of the Ministry of Foreign Affairs of Georgia (n 144); Michael R Pompeo, US Secretary of State, ‘The United States Condemns Russian Cyber Attack Against the Country of Georgia’, 20 February 2020, https://ge.usembassy.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia-february-20; UK Foreign and Commonwealth Office, ‘UK Condemns Russia's GRU over Georgia Cyber Attacks’, 20 February 2020, https://www.gov.uk/government/news/uk-condemns-russias-gru-over-georgia-cyber-attacks). Finally, the US claimed that ‘[b]etween approximately August 2020 and November 2020, state-sponsored Iranian cyber actors executed an online operation to intimidate and influence American voters, and to undermine voter confidence and sow discord, in connection with the 2020 U.S. presidential election’ (US Department of the Treasury (n 10)).

¹⁵² ‘In October 2012, hackers from Iran's Revolutionary Guard carried out cyber-attacks against oil and gas companies in Saudi Arabia and the Gulf’: The Embassy of the Kingdom of Saudi Arabia, ‘Fact Sheet: Iran's Record in Supporting Terrorism and Extremism’, 19 January 2016, https://www.saudiembassy.net/news/fact-sheet-irans-record-supporting-terrorism-and-extremism.

¹⁵³ EU Regulation 2020/1125 (n 22).

¹⁵⁴ Statement of the Ministry of Foreign Affairs of Georgia (n 144); UK Foreign and Commonwealth Office (n 151).

¹⁵⁵ Pompeo (n 151); Global Affairs Canada, ‘Canada Condemns Russia's Malicious Cyber-Activity Targeting Georgia’, 20 February 2020, https://www.canada.ca/en/global-affairs/news/2020/02/canada-condemns-russias-malicious-cyber-activity-targeting-georgia.html.

¹⁵⁶ The White House, ‘Fact Sheet: Imposing Costs for Harmful Foreign Activities by the Russian Government’, 15 April 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government.

¹⁵⁷ Council of the EU, ‘Declaration by the High Representative on behalf of the European Union: Call to Promote and Conduct Responsible Behavior in Cyberspace’, 21 February 2020, https://www.consilium.europa.eu/en/press/press-releases/2020/02/21/declaration-by-the-high-representative-on-behalf-of-the-european-union-call-to-promote-and-conduct-responsible-behaviour-in-cyberspace.

¹⁵⁸ Council of the EU, ‘Declaration by the High Representative on behalf of the European Union Expressing Solidarity with the United States on the Impact of the SolarWinds Cyber Operation’, 15 April 2021, https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation.

¹⁵⁹ UK National Cyber Security Centre (n 141).

¹⁶⁰ Ministry for Foreign Affairs of the Russian Federation, ‘Comment by the Information and Press Department on Accusations against Russia of Carrying Out Large-Scale Cyberattacks on Georgian Websites’, 20 February 2020, https://www.mid.ru/en/foreign_policy/news/-/asset_publisher/cKNonkJE02Bw/content/id/4050783.

¹⁶¹ Council Regulation (EU) 2019/796 requires grounds to be given for listing in the sanctions list (art 14), but does not identify the standard of proof or require the disclosure of evidence; the burden of proof is placed on the sanctioned person or entity, which can present ‘observations’ post factum; should the Council find that there is new evidence, the decision can be reviewed: Council Regulation (EU) 2019/796 of 17 May 2019 concerning Restrictive Measures against Cyber Attacks Threatening the Union or its Member States [2019] OJ L 129 I/1, arts 14, 13(1)–(3)). The (US) Countering America's Adversaries Through Sanctions Act (HR 3364, Pub L 115–44 (2017)) (CAATSA) does not mention any such standard or duty in respect of cyber-related sanctions at all.

¹⁶² The cyber-related sanctions regime under CAATSA (ibid s 224(a)(1)) can be introduced for ‘significant activities undermining cybersecurity against any person, including a democratic institution, or government …’. The scope of the EU regime, according to Council Regulation (EU) 2019/796 (ibid arts 1(1), (3), (4)), is narrower but also goes beyond the acts outlawed by international law, extending to ‘cyber attacks’ that ‘have (or potentially may have) a significant effect on the EU or its Member States, in particular to their critical infrastructure, public services (transportation, banking, healthcare, drinking water supply and others), critical state functions such as defence and governance’.

¹⁶³ See Samuli Haataja, ‘Cyber Operations and Collective Countermeasures under International Law’ (2020) Journal of Conflict and Security Law 33.

¹⁶⁴ Executive Order No 13687 (80 FR 817, 2 January 2015), which forms part of a comprehensive sanctions package against North Korea in conjunction with, inter alia, Executive Order No 13722 (81 FR 14941, 15 March 2016) issued in relation to North Korean nuclear and missile programmes. Executive Order No 13722 was also employed to designate North Korean hacking groups with regard to the WannaCry attack, although this Order is included in the North Korea-related sanctions programme (aimed at preventing the proliferation of weapons of mass destruction) rather than the cyber-related sanctions programme.

¹⁶⁵ Executive Order No 13694, 80 FR 18077, 1 April 2015.

¹⁶⁶ ibid ss 1–4.

¹⁶⁷ Executive Order No 13757, 82 FR 1, 28 December 2016.

¹⁶⁸ Alongside the ‘cyber-related’ sanctions CAATSA contains provisions on sanctions related to (1) crude oil projects, (2) financial institutions, (3) corruption, (4) human rights abuses, (5) evasion of sanctions, (6) transactions with Russian defence or intelligence sectors, (7) export pipelines, (8) privatisation of state-owned assets by government officials, and (9) arms transfers to Syria.

¹⁶⁹ US Department of the Treasury, Office of Foreign Assets Control, Directive 1 under Executive Order of 15 April 2021 ‘Blocking Property with respect to Specified Harmful Foreign Activities of the Government of the Russian Federation’, https://home.treasury.gov/system/files/126/sovereign_debt_prohibition_directive_1.pdf.

¹⁷⁰ ibid.

¹⁷¹ US Department of the Treasury, ‘Frequently Asked Question, Russian Harmful Foreign Activities Sanctions, FAQ 889’, https://home.treasury.gov/policy-issues/financial-sanctions/faqs/889.

¹⁷² Although the EU legislation employs the term ‘restrictive measures’ rather than ‘sanctions’, in their economic nature the former are identical to the latter; therefore, in this article these terms are used as synonyms.

¹⁷³ Council Decision (CFSP) 2019/797 of 17 May 2019 concerning Restrictive Measures against Cyber Attacks Threatening the Union or its Member States [2019] OJ L 129 I/13, art 1(1). In May 2020 the Council decided to extend the cyber sanctions regime for a year (Council of the EU, ‘Council Extends Cyber Sanctions Regime until 18 May 2021’, 14 May 2020, https://europa.eu/!jP36Mf) and, in May 2021, for another year until May 2022 (Council of the EU, ‘Cyber-Attacks: Council Prolongs Framework for Sanctions for Another Year, 17 May 2021, https://europa.eu/!CK67uW). In May 2022 the cyber sanctions regime was extended for three years with immediate effect to indicate ‘the strong EU commitment to enhance its resilience and ability to prevent, discourage, deter and respond to cyber threats and malicious cyber activities in order to safeguard European security and interests’ (Council of the EU, ‘Cyber-Attacks: Council Extends Sanctions Regime until 18 May 2025’, https://europa.eu/!qfDkPr).

¹⁷⁴ Council Regulation (EU) 2019/796 (n 161)

¹⁷⁵ ibid art 13(1).

¹⁷⁶ ibid preambular para (4).

¹⁷⁷ ibid art 13(4).

¹⁷⁸ ibid arts 4(1), 5(1), 6(1).

¹⁷⁹ ibid art 12(1).

¹⁸⁰ ibid art 15(1).

¹⁸¹ David Savage, ‘EU Sanctions Enforcement’, in The Guide to Sanctions – First Edition, https://globalinvestigationsreview.com/benchmarking/the-guide-to-sanctions-first-edition/1230031/eu-sanctions-enforcement.

¹⁸² On the application of the EU sanctions regime after Brexit see Erica Moret and Fabrice Pothier, ‘Sanctions After Brexit’ (2018) 60(2) Survival 179.

¹⁸³ See Ministry of Justice and Security, ‘Cyber Security Assessment Netherlands 2019’, https://www.thehaguesecuritydelta.com/media/com_hsd/report/255/document/CSBN2019-EN-def-Web-01-tcm32-405804.pdf; or Shannon Vavra, ‘Dutch Intelligence Warns of Escalating Russian, Chinese Cyberattacks in the Netherlands’, Cyberscoop, 1 May 2019, https://www.cyberscoop.com/dutch-intelligence-warns-escalating-russian-chinese-cyberattacks-netherlands. With regard to the UK see Department for Digital, Culture, Media and Sport, ‘Cyber Security Breaches Survey 2019’, https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2019; or ‘More than Half of British Firms “Report Cyber Attacks in 2019”’, BBC News, 23 April 2019, https://www.bbc.com/news/business-48017943; ‘Russia Cyber-Plots: US, UK and Netherlands Allege Hacking’, BBC News, 4 October 2018, https://www.bbc.com/news/world-europe-45746837.

¹⁸⁴ Erica Moret and Patryk Pawlak, ‘The EU Cyber Diplomacy Toolbox: Towards a Cyber Sanctions Regime?’, 12 July 2017, 1, https://www.iss.europa.eu/content/eu-cyber-diplomacy-toolbox-towards-cyber-sanctions-regime.

¹⁸⁵ Cyber (Sanctions) (EU Exit) Regulations 2020, SI 2020/597 (UK Cyber Regulations 2020); and Sanctions (EU Exit) (Miscellaneous Amendments) (No 4) Regulations 2020, SI 2020/951.

¹⁸⁶ UK Cyber Regulations 2020, ibid reg 5.

¹⁸⁷ ibid regs 11–15.

¹⁸⁸ ibid reg 17.

¹⁸⁹ CAATSA (n 161) s 224(a)(1).

¹⁹⁰ Council Regulation (EU) 2019/796 (n 161) arts 1(1), (3), (4).

¹⁹¹ ibid art 1(3); UK Cyber Regulations 2020 (n 185) reg 4(3).

¹⁹² Council Regulation (EU) 2019/796 (n 161) arts 1(1), (2).

¹⁹³ UK Cyber Regulations 2020 (n 185) reg 4(2).

¹⁹⁴ Council Decision (CFSP) 2019/797 (n 173) 13–19.

¹⁹⁵ See Daniel W Drezner, ‘Sanctions Sometimes Smart: Targeted Sanctions in Theory and Practice’ (2011) 13 International Studies Review 99; Navin A Bapat and T Clifton Morgan, ‘Multilateral versus Unilateral Sanctions Reconsidered’ (2009) 53 International Studies Quarterly 1092; Sean M Bolks and Dina Al-Sowayel, ‘How Long Do Economic Sanctions Last? Examining the Sanctioning Process through Duration’ (2000) 53(2) Political Research Quarterly 241.

¹⁹⁶ ‘Russia Puts Losses from Sanctions, Cheaper Oil at up to $140 Billion per Year’, Reuters, 24 November 2014, https://www.reuters.com/article/uk-russia-economy-oil-sanctions-idUKKCN0J80P720141124.

¹⁹⁷ European Parliament, Directorate-General for External Policies Policy Department, ‘Russia's and the EU's Sanctions: Economic and Trade Effects, Compliance and the Way Forward’, October 2017, EP/EXPO/B/INTA/2017/11, 40, https://www.europarl.europa.eu/RegData/etudes/STUD/2017/603847/EXPO_STU(2017)603847_EN.pdf.

¹⁹⁸ Simon Chesterman and Béatrice Pouligny, ‘Are Sanctions Meant to Work? The Politics of Creating and Implementing Sanctions through the United Nations’ (2003) 9 Global Governance 503; William Kaempfer and Anton D Lowenberg, ‘The Political Economy of Economic Sanctions’ (2007) 2 Handbook of Defense Economics 868; Susan Hannah Allen, ‘The Domestic Political Costs of Economic Sanctions’ (2008) 52 Journal of Conflict Resolution 916. A separate strand of the literature examines the target states’ political regime and potential correlation between the type of regime and effectiveness of sanctions against the target; see Abel Escribà-Folch and Joseph Wright, Foreign Pressure and the Politics of Autocratic Survival (Oxford University Press 2015); Dursun Peksen, ‘Autocracies and Economic Sanctions: The Divergent Impact of Authoritarian Regime Type on Sanctions Success’ (2019) 30 Defence and Peace Economics 253.

¹⁹⁹ Iana Dreyer and José Luengo-Cabrera, ‘Introduction’ in Iana Dreyer and José Luengo-Cabrera (eds), On Target? EU Sanctions as Security Policy Tools, Report No 25 (EU Institute for Security Studies 2015) 7, https://doi.org/10.2815/710375.

²⁰⁰ Thomas J Biersteker and Peter AG van Bergeijk, ‘How and When Do Sanctions Work? The Evidence’, in Dreyer and Luengo-Cabrera (n 199) 17, 18.

²⁰¹ The White House (n 156) (emphasis added).

²⁰² Council of the EU, ‘Guidelines on Implementation and Evaluation of Restrictive Measures (Sanctions) in the Framework of the EU Common Foreign and Security Policy’, Doc 5664/18, 4 May 2018, https://data.consilium.europa.eu/doc/document/ST-5664-2018-INIT/en/pdf.

²⁰³ ibid para 4.

²⁰⁴ ibid paras 4, 5.

²⁰⁵ Council Regulation (EU) 2019/796 (n 161) preambular paras 1 and 2.

²⁰⁶ UK Foreign, Commonwealth & Development Office, ‘Statutory Guidance – Cyber Sanctions: Guidance’, 3 November 2020, https://www.gov.uk/government/publications/cyber-sanctions-guidance/cyber-sanctions-guidance.

²⁰⁷ Julia Edwards and Jason Lange, ‘US Slaps More Sanctions on North Korea after Sony Hack’, Reuters, 4 January 2015, https://www.reuters.com/article/us-northkorea-cyberattack-sanctions-idUSKBN0KB16U20150104 (‘It's not as if they [the sanctioned North Korean individuals] travel a lot abroad to western Europe or the United States … They don't have billions of dollars in western banks’, said Joel Wit of 38North, part of the US Korea Institute at Johns Hopkins University in Washington).

²⁰⁸ US Department of State (n 9).

²⁰⁹ ibid.

²¹⁰ ‘Obama Expels 35 Russian Diplomats in Retaliation for US Election Hacking’, The Guardian, 30 December 2016, https://www.theguardian.com/us-news/2016/dec/29/barack-obama-sanctions-russia-election-hack.

²¹¹ ‘Obama Expels 35 Russian Diplomats, Accuses Russia of Meddling in Election’, Euronews, 29 December 2016, https://www.euronews.com/2016/12/29/washington-gives-35-russian-diplomats-72-hours-to-leave-the-us-in-response-to.

²¹² Ivan Nechepurenko, ‘Russia Says It Shut Down Notorious Hacker Group at U.S. Request’, The New York Times, 14 January 2022, https://www.nytimes.com/2022/01/14/world/europe/revil-ransomware-russia-arrests.html.

²¹³ US Department of the Treasury (n 16).

²¹⁴ Robyn Dixon and Ellen Nakashima, ‘Russia Arrests 14 Alleged Members of REvil Ransomware Gang, Including Hacker U.S. Says Conducted Colonial Pipeline Attack’, The Washington Post, 14 January 2022, https://www.washingtonpost.com/world/2022/01/14/russia-hacker-revil.

²¹⁵ Kari Paul and Lois Beckett, ‘What We Know – and Still Don't – about the Worst-Ever US Government Cyber-Attack’, The Guardian, 19 December 2020, https://www.theguardian.com/technology/2020/dec/18/orion-hack-solarwinds-explainer-us-government.

²¹⁶ ‘Pompeo Says Russia “Pretty Clearly” behind Cyberattack, Prompting Pushback from Trump’, NPR, 19 December 2020, https://www.npr.org/2020/12/19/948318197/pompeo-russia-pretty-clearly-behind-massive-solarwinds-cyberattack.

²¹⁷ Trevor Hunnicutt, David Lawder and Daphne Psaledakis, ‘Biden's Options for Russian Hacking Punishment: Sanctions, Cyber Retaliation’, Reuters, 20 December 2020, https://www.reuters.com/article/usa-cyber-breach-biden/bidens-options-for-russian-hacking-punishment-sanctions-cyber-retaliation-idUSKBN28U0DV.

²¹⁸ ibid.

²¹⁹ Biersteker and Van Bergeijk (n 200) 19.

²²⁰ Mancur Olson, The Logic of Collective Action: Public Goods and the Theory of Groups (Harvard University Press 1971).

²²¹ Julia Ioffe, ‘How Not to Design Russia Sanctions’, Atlantic, 31 January 2018, https://www.theatlantic.com/international/archive/2018/01/kremlin-report-sanctions-policy/551921.

²²² John Walcott and Jonathan Landay, ‘US Plans to Sanction Russian Oligarchs This Week: Sources’, Reuters, 4 April 2018, https://www.reuters.com/article/us-usa-russia-sanctions/u-s-plans-to-sanction-russian-oligarchs-this-week-sources-idUSKCN1HB34U.

²²³ US Department of the Treasury, ‘Treasury Designates Russian Oligarchs, Officials, and Entities in Response to Worldwide Malign Activity’, 6 April 2018, https://home.treasury.gov/news/press-releases/sm0338.

²²⁴ Lauren Gambino, ‘Trump Administration Hits 24 Russians with Sanctions over “Malign Activity”’, The Guardian, 6 April 2018, https://www.theguardian.com/us-news/2018/apr/06/trump-russia-sanctions-election-meddling-latest.

²²⁵ ibid.

²²⁶ See Olson (n 220) 29 (‘Where small groups with common interests are concerned, then, there is a systematic tendency for “exploitation” of the great by the small’). Economic incentives, as well as a higher degree of consensus in a small (or ‘privileged’) group enable its members to expect that their collective needs will be met one way or another: ibid 58.

²²⁷ ibid 50.

²²⁸ ibid 53.

²²⁹ Alexandr Pyatin, ‘“For Me, This Is a Total Crisis”: Vekselberg Told How His Life Changed due to US Sanctions’, Forbes, 3 June 2019, https://www.forbes.ru/milliardery/377121-dlya-menya-eto-totalnyy-krizis-vekselberg-rasskazal-kak-ego-zhizn-izmenilas-iz-za?photo=1 (in Russian).

²³⁰ Deripaska v Mnuchin and Others, US District Court (District of Columbia), Case 1:19-cv-00727, https://www.courtlistener.com/recap/gov.uscourts.dcd.205241/gov.uscourts.dcd.205241.1.0.pdf.

²³¹ Kaempfer, William and Lowenberg, Anton D, ‘Using Threshold Models to Explain International Relations’ (1992) 73 Public Choice 419CrossRefGoogle Scholar.

²³² Kaempfer, William and Lowenberg, Anton D, ‘The Political Economy of Economic Sanctions’ (2007) 2 Handbook of Defense Economics 886CrossRefGoogle Scholar, n 32.

²³³ Francesco Giumelli, The Success of Sanctions: Lessons Learned from the EU Experience (Routledge 2013).

²³⁴ Giumelli's methodological approach has been employed in a series of recent studies on the effectiveness of sanctions; see Jones, Lee, Societies under Siege: Exploring How International Economic Sanctions (Do Not) Work (Oxford University Press 2015)CrossRefGoogle Scholar; Veebel, Viljar and Markus, Raul, ‘Lessons from the EU-Russia Sanctions 2014-2015’ (2015) 8 Baltic Journal of Law & Politics 165CrossRefGoogle Scholar. An instructive report prepared in 2015 by the Task Force on Sanctions within the EU Institute for Security Studies was built ‘on the framework presented by Francesco Giumelli’ to adopt ‘a “new narrative” on how sanctions effectiveness can be conceptualized’: Dreyer and Luengo-Cabrera (n 199) 12.

²³⁵ Giumelli (n 233) 7.

²³⁶ ‘US Expels Russian Diplomats over Cyber Attack Allegations’, BBC News, 29 December 2016, https://www.bbc.com/news/world-us-canada-38463025.

²³⁷ The White House (n 156).

²³⁸ A criminal complaint of more than 170 pages against a North Korean citizen accused of conducting the attack against Sony Pictures is available at: https://www.justice.gov/opa/press-release/file/1092091/download.

²³⁹ Giumelli (n 233) 7.

²⁴⁰ ibid 8.

²⁴¹ ibid.

²⁴² @DonaldTrump, Twitter, 3 August 2017, https://twitter.com/realDonaldTrump/status/893083735633129472 (last visited 10 August 2020).

²⁴³ Richard Sokolsky and Eugene Rumer, ‘U.S.-Russian Relations in 2030’, Carnegie Endowment for International Peace, 15 June 2020, https://carnegieendowment.org/2020/06/15/u.s.-russian-relations-in-2030-pub-82056.

²⁴⁴ Giumelli (n 233) 10.

²⁴⁵ ibid.

²⁴⁶ ‘Few New Sanctions Left to Impose on Iran, Russia: Robert O'Brien’, Tehran Times, 26 October 2020, https://www.tehrantimes.com/news/453901/Few-new-sanctions-left-to-impose-on-Iran-Russia-Robert-O-Brien.

²⁴⁷ Only two cases of hacking-back have been made public so far. In February 2019 the US military blocked internet access to the Internet Research Agency, a Russian ‘fabric of trolls’, on the day of the 2018 midterm elections; see Ellen Nakashima, ‘U.S. Cyber Command Operation Disrupted Internet Access of Russian Troll Factory on Day of 2018 Midterms’, The Washington Post, 27 February 2019, https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html. A few months later, June 2019, a new US cyber operation was articulated and reported to consist of the deployment of hacking tools at Russian grid systems; see David E Sanger and Nicole Perlroth, ‘U.S. Escalates Online Attacks on Russia's Power Grid’, The New York Times, 15 June 2019, https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html.

²⁴⁸ Dizaji, Sajjad Faraji and van Bergeijk, Peter AG, ‘Potential Early Phase Success and Ultimate Failure of Economic Sanctions: A VAR Approach with an Application to Iran’ (2013) 50 Journal of Peace Research 721CrossRefGoogle Scholar.

²⁴⁹ See Council of the EU, ‘EU Best Practices for the Effective Implementation of Restrictive Measures’, 8519/18, updated 4 May 2018, https://data.consilium.europa.eu/doc/document/ST-8519-2018-INIT/en/pdf; ‘Guidelines on Implementation and Evaluation of Restrictive Measures in the Framework of the EU CFSP – update’, 5664/18, 4 May 2018, https://data.consilium.europa.eu/doc/document/ST-5664-2018-INIT/en/pdf; Hovi, Jon, Huseby, Robert and Sprinz, Detlef F, ‘When Do (Imposed) Economic Sanctions Work?’ (2005) 57 World Politics 479CrossRefGoogle Scholar; Francesco Giumelli, ‘The Effectiveness of EU Sanctions: An Analysis of Iran, Belarus, Syria and Myanmar (Burma)’ (2013), EPC Issue Paper No 76, 20.