On March 15, 2018, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned 19 Russian individuals and five entities for involvement in destructive cyber activities, such as interference in the 2016 U.S. election, Russian-sponsored cyber attacks, and intrusion into U.S. critical infrastructure. These SDN designations were made pursuant to the Countering America's Adversaries Through Sanctions Act (CAATSA) and OFAC's cyber-related sanctions program. The sanctioned individuals and entities largely overlap with those named in indictments by U.S. Special Counsel Robert Mueller in his ongoing investigation into Russian interference in the 2016 U.S. presidential election. Accordingly, these designations should have limited direct effect on U.S. businesses, although the sanctions themselves are notable given the Trump Administration's mixed views on foreign policy toward Russia. These sanctions also come as the United Kingdom has expelled Russian diplomats and considered sanctions in response to Russia's involvement in a nerve gas attack in England.
As part of this round of sanctions, the Russian Main Intelligence Directorate (GRU) and Federal Security Service (FSB) were designated pursuant to CAATSA’s provision targeting cyber actors operating on behalf of the Russian government. These Russian intelligence agencies were already sanctioned under OFAC’s cyber-related sanctions program. However, the move is interesting because the Trump Administration has generally shown a reluctance to exercise its significant sanctions authority under CAATSA. For example, despite CAATSA’s requirement that secondary sanctions be imposed against foreign entities conducting certain transactions with the Russian defense and intelligence sector, the Trump Administration has declined to impose these sanctions. Previously, the U.S. State Department noted that the threat of secondary sanctions is a sufficient deterrent for parties dealing with listed entities. The previously-issued general license authorizing transactions with the FSB for regulatory purposes – for example, as part of the Russian import process for information technology products – remains in effect.
The Treasury Department also issued a press release by Secretary Mnuchin providing additional detail on the sanctions. Secretary Mnuchin emphasized that OFAC is employing multiple sanctions programs to pressure Russia, including the North Korea sanctions programs, the Global Magnitsky Act, and the Sergei Magnitsky Act. The press release also explicitly blames Russia for the “recent use of a military-grade nerve agent in an attempt to murder two UK citizens.” The Department of Homeland Security and FBI also released a Technical Alert stating that Russian government hackers have penetrated the U.S. energy grid and have been targeting U.S. governmental, energy, nuclear, commercial, water, aviation, and critical manufacturing sectors.
On March 14, 2018 the UK acted in response to what Prime Minister May termed a “brazen” attack on UK soil for which the Russian state was “culpable,” by expelling 23 (or 40%) of the 58 accredited Russian diplomats, the largest single expulsion in 30 years. By comparison, following the murder of Alexander Litvinenko in 2007, the UK expelled 4 diplomats. Longer term measures have also been proposed, such as greater monitoring of Russian private flights and freight, and powers to stop people “suspected of hostile state activity” at UK borders.
It remains to be seen whether the EU will impose further sanctions on Russia in response to the attack in addition to the measures currently in force. However, in a joint statement on March 15, 2018, the U.S., UK, France, and Germany condemned the attack and noted “heightened” concerns about Russia’s behavior.
As relations between the United States/United Kingdom and Russia worsen and may result in additional sanctions, U.S. and UK businesses should remain vigilant about compliance if they do business with Russia or Russian companies. The United States in particular has authorization under CAATSA to impose additional sanctions on Russian oligarchs, malicious cyber actors, and those that conduct business with the Russian military or intelligence sectors. Businesses should ensure their compliance programs remain up-to-date with the latest sanctions and have contingency plans in the event that a contract with a Russian entity falls under new sanctions. Extra care should be taken to ensure compliance with the myriad of sanctions programs when doing business with the Russian government or its state-owned entities, or the Russian defense, intelligence, energy, or financial sectors.