The new EU Cyber Sanctions Regime: Closing the Accountability Gap?

Several EU member states and hundreds of companies operating in the EU have been subject to cyber-attacks in the last years. Since 2004, 17 EU member states have been subject to election interference, in 2017, the ransomware WannaCry infected servers on an unprecedented scale in the EU and indicated some of the vulnerabilities of our digital age. Moreover, the Bundestag hack of 2016 and the attack on the Danish global shipping giant Maersk in 2017, are additional examples of recent attacks on European cyber infrastructure which resulted in calls for a new EU sanctions regime. Subsequently, the Council of the European Union has recently adopted a new horizontal autonomous regime of restrictive measures to target actors involved in malicious cyber activities.

Under Council Regulation 2019/796, the scope of the new EU sanctions regime will entail a broad definition of listing criteria, including cyber-attacks on public infrastructure, hacking of financial institutions and the use of ransomware. Sanctions will include travel bans and the freezing of assets of listed entities and individuals within the EU.

Attribution of attacks to perpetrators

The vexed question of such an instrument lies in the legal, technical and political attribution of cyber-attacks on public and private cyber infrastructure. Determining the origin of state sponsored and non-state actor attacks is complex and requires significant resources, such as forensic capabilities. Despite these efforts it might not always be conclusive.

From a legal perspective, attribution is also one crucial element of the rules governing countermeasures and retorsions, triggering state responsibility under public international law. Furthermore, a sound evidentiary base for new listings under the cyber sanctions regime is decisive, since the Council has lost a number of cases in the European Court of Justice due to a lack of evidence provided by the Member States. Therefore, the Court could also play a role by shaping the listing criteria, consolidating the procedural law and setting evidentiary standards for cyber sanctions.  However, in practice decisions of attribution will often be of a political nature inseparable from technical and legal aspects. Decisions to list individuals are highly delicate decisions on which consensus has to be found in the Council in the first place.

Effectiveness of cyber sanctions

Moreover, the effectiveness of such a new regime also depends on the Council’s ability of swift decision making, and clear objectives to add new natural and legal persons to the sanctions list. While the effectiveness of such a sanctions regime lies primarily in a signal and a deterrence component it will probably not coerce or constrain all sanctioned actors from continuing their malicious actions. Nevertheless, such a sanctions regime identifies actors and signals to the internal audience in the EU that such actions are not tolerated. Secondly, actors outside the EU are also being signaled that such norm violations can entail retaliatory actions. Hence, a deterrence effect might affect primarily state or state sponsored actors, while criminal hacking groups, not affiliated or supported by government entities might not be severely affected by the measures.

First round of listings

On the 30th of June, the Council announced its first listings under the cyber sanctions regime. EU member states decided to sanction three groups, individuals and entities responsible for recent attacks. First, two Chinese Officials involved in cyber attacks, named “Operation Cloud Hopper”, on dozens of multinational companies and service providers located in the EU, such as Swedish Ericson.

The second set of targets consisted of the four Russian GRU secret service agents who were expelled from the Netherlands in 2018 for hacking the WIFI system of the Organization for the Prohibition of Chemical Weapons (OPCW) in the Hague. The Council also listed the Main Centre for Special Technologies, a department in the Russian GRU specialized on hacking, for attacking the Ukrainian Electricity grid in 2015. The third group, also called the Lazarus group, consist of North Korean entities affiliated with the government and organized the WannaCry ransom attack resulting in a collapse of the British NHS servers and millions of losses for the affected private sector. These three listings are in line with similar cyber sanctions listings and criminal indictments by the US and are thus not surprising for observers. Nevertheless, the Councils decision to list Chinese and Russian individuals has to be seen as a bold move, in particular for the very first listings under the new cyber sanctions regime.

International Cooperation as a catalyst

Deterrence effects also depend on the alignment by non-EU states such as EFTA states, Japan and Canada which have frequently joined the EU´s sanctions policies on other issues. Moreover, it will be interesting to observe an alignment of the Council´s listings with the US Office of Foreign Assets control, which has been pursuing a cyber sanctions program since 2015. Of course, the future of EU-UK sanctions policy alignment will also play a significant role that could affect the effectiveness of this new policy tool, due to the importance of the UK as a major financial hub. The success of cyber sanctions will also depend on a strong cooperation with the private sector and a robust and coherent enforcement by  EU member states and the EU Commission´s Directorate General FISMA. Despite several cyber-attacks from Chinese actors, the EU has been previously reluctant to sanction any Chinese individuals, besides a general arms embargo imposed after the Tian’anmen massacre in 1989.

Hence, the recent listing of Chinese entities underlines an increasing assertiveness and the EU´s intent to address norm violations by relevant trading partners, too. This is a remarkable shift in the EU´s sanctions policy and the new instrument of cyber sanctions could evolve to a powerful policy tool in the future. Finally, it remains to be seen, if the Council can also find consensus to target relevant suspicious actors involved in future cyber-attacks.

Fotocredit Title: Wikimedia Commons

Julius Seidenader studied History and Political Science at the University of Vienna in Austria, and EU & Public International Law at the Leiden Law School in the Netherlands. He specialized in Sanctions Policy, EU&US export control laws, armed conflict and the MENA region.

Leave a Reply

Your email address will not be published.

Fill out this field
Fill out this field
Please enter a valid email address.

This site uses Akismet to reduce spam. Learn how your comment data is processed.