Cyber Effects Perspectives

Strategic Access, Strategic Pressure: Sanctions in UK Offensive Cyber Policy

 Conceptual image, generated using Canva AI.



Sanctions limit adversaries’ technology access. In designing them, UK policy makers need to also consider sanctions’ future effect on cyber espionage and effects operations.

Sanctions and export controls are divisive policy levers to limit an adversary's access to technology; however, this is not always the outcome that occurs when they are implemented. Their impact is mediated by a target state’s capacity for adaptation. Some sanctioned entities respond by developing alternative tech ecosystems, which are harder for Western intelligence services to observe, access, or influence. For instance, in September 2025, Ukrainian authorities revealed that Russia was developing its own equivalents to Western electronics for military technologies, in response to supply chain restrictions caused by post-2022 sanctions on Russia. The Ukrainian Commissioner for Sanctions Policy said: ‘They have the ability to make chips which are of poor quality – so far’. Going further, China's innovation efforts are underway (for example through companies like DeepSeek) to create a robust national technological ecosystem that is largely domestically governed and designed to reduce visibility and vulnerability to forces outside its sphere of influence, partially as a result of sanctions.

Against this backdrop, it is clear that sanctions present challenges that directly intersect with considerations for cyber strategy and operational access in the current international environment. The way sanctions and export controls are designed today can also impact the UK’s ability to conduct offensive cyber operations in the future. They may limit the access necessary for future espionage and effects campaigns by removing already known technological access pathways into adversary infrastructure that could be used by the UK and their allies. The risk of such unintended outcomes raises key questions for UK policymakers: when, and how, should sanctions continue to be used, given other strategic priorities? This policy perspective argues that access for future cyber espionage and effects operations should only be sacrificed where sanctions clearly degrade a high-value target and where loss of future options is justified by immediate strategic gain.

Do Sanctions Work?

Sanctions regimes are a widely used policy lever, yet their effectiveness is subject to contentious debates. The sanctions regimes developed by the UK and its allies are products of a neoliberal international order in which economic interdependence, shared norms and broad multilateral buy-in could also be used for coercive economic purposes. Rather than acting as a switch that compels behaviour, sanctions and export controls function more as a pressure mechanism with effects that diffuse unevenly across a target state’s economy, political system and technological base. Even at the height of the pre-Trump liberal international order, sanctions often had limited success beyond their immediate signalling value.


Historical cases, from Cuba to North Korea, show that while sanctions can inflict substantial economic damage, they have frequently failed to deliver core political objectives such as regime change or enduring behavioural shifts, and in some instances resulted in severe humanitarian costs. Instead, the economic consequences can entrench existing power structures and incentivise regimes to double down on self-reliance and control. For cyber operators, this can translate into more tightly controlled, segmented, and domestically engineered networks, resulting in environments that are harder to view, penetrate and undermine.

In active conflicts such as the war in Ukraine, policymakers have prioritised sanctions and export controls that signal rapid political resolve, even though their economic and strategic effects typically unfold slowly. The pressure to respond quickly can therefore outweigh longer-term considerations. However, cyber espionage and effects operations may rely on maintaining persistent but fragile access over time. Sanctions and export controls may inadvertently close off access points required by cyber operators, such as software dependencies, vendor relationships or maintenance channels.

This trade-off becomes more acute in scenarios involving technologically sophisticated adversaries, such as in a future confrontation with China. Therefore, rather than using sanctions to try to take out all identified high-impact supply chain nodes during a potential China/Taiwan conflict, the West could instead use calculated sanctions to exacerbate dependencies that we want to become essential to China’s military activities. Then, if the UK and its allies choose to disable these dependencies in the future, this would drastically impact China’s operational capabilities. Both the use of sanctions and of offensive cyber capabilities should be treated as a strategic optimisation question: we should only sacrifice cyber access when it can offer a significant pay-off.

How Could Strategic Sanctions Facilitate Future Cyber Effects Operations?

To more effectively consider how to deploy sanctions while preserving cyber effects capabilities, the UK government needs to adopt a policy of developing structured partnerships with key technology providers. In particular, this means companies whose products underpin adversaries’ critical operational infrastructure, including those that specialise in cloud services, satellite communications, networking equipment, identity management and operating systems, as well as other technology that adheres to international standards. These all create persistent, if sometimes indirect, points of leverage and visibility. Similarly, industrial control systems used in energy, manufacturing and defence production may rely on Western-designed architectures. This can be the case regardless of whether the implementing country trusts Western governments, turning these companies (Starlink, for example) into military-industrial supply-chain pressure points even in wartime. Therefore, effective partnerships of this kind could allow and preserve access by UK cyber operators via these technologies even when they are part of adversaries’ systems.


This model would reflect shared stakes in geopolitical stability, as conflict disrupts not only governments but also companies, their markets and employees, and can expose all these actors to regulatory and reputational risk. For instance, damage to undersea cable networks or semiconductor supply chains would directly affect companies like Taiwan Semiconductor Manufacturing Company and Google, whose operations depend on global integration.

That technological commonality can create operational opportunity is demonstrated by historical examples like the infamous Stuxnet attack. This may not have been possible had Iran not been using sanctioned Western technologies, particularly those by Siemens and Microsoft (though neither firm was complicit in evading sanctions), which likely made mapping the system and designing a zero-day exploit much more feasible.

Rather than a deputisation policy that authorises private actors to conduct offensive cyber operations, the government would retain responsibility for legal authority, ethical oversight, targeting and escalation control, while industry would provide specific forms of lawful access. Pilot programmes could help test such arrangements and ensure alignment with legal obligations and responsible cyber governance frameworks. Any offensive cyber activities must remain consistent with international law, the principles of Just War and the Responsible Cyber Power in Practice (RCPIP) operational principles. A benefit of this approach is that it could create the environment for information gathering and simultaneously lay the groundwork for future high-impact cyber effects operations. The strategic objective of this policy proposal is to establish conditions that help prevent, delay, or, if necessary, shorten future conflict.


Alternatively, instead of an industrial policy, HMG may choose to undertake an intelligence operation that sets up businesses to be used in this way at a later date. In exceptional cases, governments may seek to seed, shape or covertly enable technology platforms and suppliers that are likely to be adopted by targets of interest, thereby creating future access vectors. Such approaches would require clear separation from legitimate commercial markets to avoid distorting competition or undermining trust in UK industry. They are therefore best understood as high-risk, niche tools, not a scalable alternative to partnership-based approaches. However, successful examples exist, such as Operation Trojan Shield, in which Anøm, the encrypted communications device company, known to be used by criminals around the world, was secretly run by the FBI and the Australian Federal Police. This operation resulted in the arrest of over 800 criminals in 16 countries. Operation Trojan Shield demonstrates how controlled technology platforms can generate intelligence at scale. While distinct from international offensive cyber operations, it illustrates the value of shaping the technological environment in advance and may offer other lessons that are transferable to the cyber effects context.

Can Strategic Sanctions Loopholes be Deployed Covertly?

There are many factors and consequences that must be considered when operationalising this policy, including how to do so without telegraphing the UK’s intentions to the target country. China is a relevant example here, as its government’s attempts at decoupling its economic and technological interests from US-dominated supply chains point to a clear fear that these entanglements already pose a threat.

This policy perspective focuses on outlining the rationale for this kind of policy proposal, leaving more detailed operational discussions for a later date. However, this idea could build on existing government structures. For instance, Europe and its allies use existing intelligence sharing frameworks to employ the necessary operational secrecy for successful cooperative security measures; this can be done to minimise the risk of leaks or poorly coordinated sanctions activity. This policy perspective is not advocating for this to be used in all cases involving sanctions, but rather as a bespoke tool to be deployed covertly and selectively as part of a wider cyber espionage and effects campaign where the operational and strategic benefit has been assessed to outweigh that offered by blanket sanctions.


It is important to note that, even if the possibility of this strategy is known by adversaries, the effects of the policies advocated for in this article may still be successful. While, as previously mentioned, China is aware of the espionage and attack risk posed by including foreign technology in its stack, it is still not totally independent of all international supply chains. In particular, advanced semiconductor design and fabrication (from materials to equipment) are dominated by companies based in the US and allied countries. Reversing this situation was a stated objective of the ‘Made in China 2025’ initiative, although it was not fully achieved. Thus, as has been the case for Russia/Ukraine, sanctions could still potentially be effectively used against third markets and intermediary companies who contribute to China's technology stack, particularly across Asia, Latin America and Central and Eastern Europe. These examples show that the benefit of sanctions does not outweigh the risk of lost access for intelligence capabilities.

Conclusion

This article approaches cyber effects not as discrete actions, but as outcomes shaped by the strategic environment in which offensive cyber advantages are prepared, sustained and eventually deployed. It asks how policy tools such as sanctions modify that environment, sometimes in ways that constrain future cyber leverage rather than enhance it. The UK should consider the possibility that responsible statecraft may require maintaining capabilities, access and influence that can shape the strategic environment over time and maintain UK and European relevance to prioritise the preservation of democracy in a world increasingly defined by Great Power politics. It is not an idealistic ethics, nor necessarily a comfortable one, but within the constraints of the current international system, it may be the most proportionate recourse.

© RUSI, 2026.

The views expressed in this Cyber Effects Perspectives are the author's, and do not represent those of RUSI or any other organisation or institution.



WRITTEN BY

Dr Anjuli R. K. Shere

Cyber Effects Fellow
