In the last two decades, and in particular after the 9/11 attacks, the United States and its allies have had a near-monopoly on the use of coercive economic measures (sanctions, trade controls, investment restrictions, etc.) to achieve foreign policy objectives. This dominance has been grounded in the central role that the U.S. financial system, capital markets, and the U.S. dollar play in international trade and commerce.
But the most novel aspect of the recent cyberattack against Sony Pictures is that it demonstrates the proliferation of the weapons of economic warfare. Owing to the low cost of sophisticated tools for cyber exploitation and the distributed nature of expertise in their use, smaller countries like North Korea and Iran now have the ability to deploy those tools to target the economic interests of major powers for political ends.
No longer does oil need to be traded in a country’s currency for that country to be able to project power using economic means. Smaller powers around the world can achieve coercive goals belied by their military weakness. And at the same time, the U.S. and its allies are asymmetrically vulnerable to the targeting of their commercial interests for political purposes given the dominant position their corporations occupy in the global economy.
The time, therefore, has come to think systematically about how to respond when American economic interests become the target of adversaries around the world. The advent and diffusion of cyber exploitation tools means that there are a much broader range of scenarios in which the economic interests of American companies can become part of geopolitical disputes. And while we have long known that the United States is vulnerable to cyberattacks because of its technological connectedness, the direct exploitation of that vulnerability for political ends is novel.
The President’s recent proposal to criminalize the sale of certain exploitation tools is an important step. What is needed, though, is not more law, but more strategy—serious conceptual work on the relationship between the commercial interests of American companies and the strategic interests of the United States, and a viable framework for responding to cyberattacks at all levels of intensity.
North Korea’s recent activities are recognizable to those familiar with the tools and goals of financial warfare. Sanctions, trade controls, and other coercive economic measures generally have one (or both) of two main objectives. First, they are designed to impede the operations of rogue states and illicit actors like terrorist groups or narco-trafficking cartels. Sanctions and the due diligence obligations of banks, among many other measures, make it substantially more expensive and risky, and less efficient, for illicit actors to raise, store, move, and use the funds that are the lifeblood of their organizations. Entities like drug trafficking networks, terrorist groups, and proliferation facilitators require substantial streams of funding and access to the global financial system, to remain effective. The more time and resources they spend trying to fund an organization, the less time spent planning attacks or engaging in other illicit activity.
But sanctions also have a second objective, which is to shape the behavior of decision-makers in foreign governments by raising the costs of their actions. Over the last 12 months, for example, the United States and its allies in Europe have imposed increasingly innovative and wide-ranging sanctions in order to demonstrate to Russia that its activities in Ukraine are not cost-free, and force it to change its calculations about its activities there.
Now back to the Sony hack. While the breach itself was significant—hackers, linked to the North Korean government, stole a large amount of very sensitive data about Sony and interfered with the operation of its networks—the more troublesome aspects of the episode relate to the ways in which the commercial interests of American companies were targeted to affect changes in their behavior. Shortly after the hacks, the group that conducted it threatened attacks on theaters that planned to show the film and as a consequence, Sony canceled the planned release (the movie was, nevertheless, later released).
While in this case, commercial interests were targeted in order to influence the decisions of an American company, it is easy to see how North Korea’s logic could be applied to try and manipulate political decisions of the U.S. government or one of its allies. How would the U.S. government respond if commercial interests of American companies were targeted to change foreign policy decisions? What if North Korean hackers inflicted hundreds of millions of dollars worth of damage on several companies, sequentially, until the U.S. lifted sanctions on North Korea itself, drew down its troop presence in the Korean peninsula, altered deployments of the U.S. Seventh Fleet, or canceled joint military exercises with the South Korean government?
In this sense, the U.S. and its allies are asymmetrically vulnerable, as their companies operate all over the world and often constitute globally recognized brands. Their economic interests can consequently be targeted with much greater ease via cyber tools. Whereas in the past, one needed the presence of a U.S. company in order to target its commercial interests— by disrupting physical operations or denying operating licenses—cyber tools provide both reach and some degree of deniability.
Adversaries of the United States can use (or outsource) cyber exploits to target American interests from half a world away. And as democracies, the United States and most of its allies might be more susceptible to public pressure to act after a significant corporation (or a large group of smaller corporations) is targeted.
One no longer needs to have the dominant global currency in order to utilize the tools of economic statecraft. And conversely, it is not only the fact that our critical infrastructure is wired that creates asymmetric vulnerabilities, but also the distributed nature of our economic interests. What we need now, in addition to substantial work on improving our cyber defenses, is serious thinking on how we will respond when the economic interests of American companies are targeted through the exploitation of their digital vulnerabilities.