Lawmakers grill Mnuchin on Treasury's cyber sanctions
- By Derek B. Johnson
- Mar 04, 2020
Lawmakers pressed Treasury Secretary Steven Mnuchin at a Mar. 4 House Appropriations Committee hearing about how effective the department's financial sanctions against other nations for conducting cyberattacks were in deterring future behavior and how it was defining their success.
"If a sanction is enforced upon another foreign entity, how does that restore or make whole the U.S. entity?" asked Rep. Tom Graves (R-Ga.) at the hearing. He also asked Mnuchin if he's noticed "any sizable positive impact on the reduction of breach attempts on U.S. companies" as a result.
Mnuchin said sanctions are "just one of the many tools" the U.S. government uses to help protect federal and private IT infrastructure.
Rep. Mike Quigley (D-Ill.) brought up sanctions implemented by both the Obama and Trump administrations against Russian entities and individuals for interfering in the 2016 U.S. presidential election, noting that Russia's covert campaign to influence the U.S. electorate "seem to be continuing" and that former Director of National Intelligence Dan Coats warned that "the lights are blinking red" before stepping down last year.
"What are we missing? Are we sanctioning the right people or should we be sanctioning people higher to the top that are making these decisions?" Quigley asked. "I don't think that's a political question. The fact is both administrations put these sanctions in place for a reason and the efforts continue. All I'm suggesting is that maybe it's not working because we're sanctioning the wrong people or the enforcement isn't strong enough, or in some manners they're overcoming those sanctions by alternative means."
Mnuchin said Treasury has hired "a significant number of people" to oversee its sanctions program are properly staffed to handle the workload. He also said he is actively overseeing the sanctions process and believes it has enough people and money to carry out its mission effectively.
"This is like a factory that we have, and there are always things that are being researched, intelligence that's being driven to us and future things that are being worked on," Mnuchin said. "So I'm not going to make any comments just as a matter of policy on future sanctions, but the answer is yes, I do think our sanctions programs work, and I do think we're sanctioning the right people, and I do believe we have proper resources."
Quigley was not satisfied with that answer.
"To continue this assuming that behavior will change based on our current efforts is probably optimistic and that we have to look at this from a different vein," Quigley said. "The fact that you are involved in this, as you say, and so much of your time, your input into what else we can do, given that this isn't stopping, would be appreciated."
The question of how effective sanctions are in deterring foreign governments or connected individuals from committing future attacks is a hotly debated topic in cybersecurity policymaking. U.S. officials often argue they are one component in a multi-layered "name and shame" strategy, often paired with criminal indictments and travel restrictions and designed to marshal international support and make it harder for hackers to move around or conduct business.
North Korea and Iran are already under heavy international sanctions and have economies that are largely isolated from international trade with the U.S.-Western financial system. The FBI has stated that name-and-shame tactics have no effect on North Korean behavior, and sanctions might actually lead to increased activity as ransomware attacks and other cyber-enabled theft is leveraged to make up for lost revenue elsewhere.
Derek B. Johnson is a former senior staff writer at FCW.