Cyber-attacks and sanctions

Man in front of network switch1

There was an interesting discussion on Twitter a few days ago, about The Cyber-Attacks (Asset-Freezing) Regulations 2019.

The gist of the debate was "did you know about these?!", or whether they had snuck by without being noticed by cyber / information security experts.

I am 99% sure I tweeted about them a year or so ago but, since my tweets only hang around for a week or so (thanks to the excellent tweet deletion tool semiphemeral), I thought it might be a good idea to blog about them briefly.

What are these?

These regulations implement Regulation 2019/796, "concerning restrictive measures against cyber-attacks threatening the Union or its Member States".

Their stated aim is to "respond to and deter cyber-attacks", and they do this by attempting to "freeze" the assets of the sanctions targets (known as "designated persons").

When did they come into effect?

They came into effect on 11 June 2019, so they are just over a year old now.

Do they apply to me?

The Regulations apply to UK nationals and any body incorporated or constituted under the law of any part of the United Kingdom (e.g. companies registered in a part of the UK).

The reporting / notification provisions, which I discuss below, apply to a smaller group.

What is the impact on me?

Are you the Queen? If you are then, ma'am, you'll be pleased to note that:

Nothing in this regulation affects Her Majesty in Her private capacity

If you are not the Queen, you need to avoid doing any of the things prohibited by the Regulations, or else face a potential criminal liability.

The prohibited things include:

  • dealing with funds or economic resources owned, held or controlled by a designated person (the "freezing" requirement)
  • making funds available to a designated person, or for the benefit of a designated person
  • making economic resources available to a designated person, or for the benefit of a designated person

They are not strict liability offences, and you need to know, or have a reasonable cause to suspect, that you are doing the prohibited thing. There is also a defence of doing one of these things under the authority of a licence granted by the Treasury but, if you had such a licence, you'd probably know about it.

There is an additional offence of intentionally participating in activities, knowing that the object or effect of them is to circumvent any of the prohibitions, or to enable or facilitate the contravention of them.

Does this cover ransomware payments?

The Regulations are not specifically about ransomware payments, nor do they apply to ransomware payments generally.

If, however, your payment was to a person or group on the sanctions targets list, and you knew or had reasonable cause to believe that this was the case, you would commit a criminal offence, unless you had a Treasury licence.

Who are the sanctions targets / "designated persons"?

The list of sanctions targets is set at European level (for now, at least), and it is not long: just six individuals, and three organisations.

According to the Council implementing regulation, the rationale for the inclusion of these people and groups is:

Those persons and entities or bodies are responsible for, provided support for or were involved in, or facilitated cyber-attacks or attempted cyber-attacks, including the attempted cyber-attack against the OPCW and the cyber-attacks publicly known as ‘WannaCry’ and ‘NotPetya’, as well as ‘Operation Cloud Hopper’.

You can also find the list as made available in UK.

What is the penalty?

Up to seven years in prison, or a fine, or both.

If an offence is committed by a company or partnership, a director or other senior officer of the company, or a partner, may also be liable personally — meaning that they, personally, could be fined or go to prison, rather that the company being liable. This usually gets senior management attention.

Reporting / notification provisions

The sanctions provisions are applicable to everyone, and there are additional specific reporting / notification provisions, which apply only to some businesses.

These are "relevant institutions" (a defined term, which includes money transfer services), and quite a few others if they operate in the UK:

  • an auditor
  • a casino
  • a dealer in precious metals or stones
  • an estate agent
  • an external accountant
  • an independent legal professional
  • a tax adviser
  • a trust or company service provider

Broadly, these provisions require relevant organisations to tell the Treasure if they know, or have reasonable cause to suspect, that someone is a designated person, or else has committed and offence, and they came to this conclusion in the course of their business. They are also required to provide additional information.

The Treasury is also afforded information-gathering powers.

Failure to comply with these reporting / notification provisions, or a request from the Treasury under its information-gathering powers, is, in itself, a criminal offence.

Changes after Brexit

The current regulations derive from EU law and, clearly, we can't be having that, so they are due to be replaced by The Cyber (Sanctions) (EU Exit) Regulations 2020, which are not yet in force.

There is a specific exception for "acts done for purposes of national security or prevention of serious crime", which would appear to extend to private individuals even though there is a benchmarking assessment of what a "responsible officer" would think.

Overseas application?

The Cyber (Sanctions) (Overseas Territories) Order 2020, which came into effect on 8 April 2020, imposes a similar framework on British overseas territories.

  1. This is a modified version of this image, which is licensed under the Pexels licence↩︎