EU cyber-sanctions framework examined

Anastasiya Kazakova, Public Affairs Manger

On May 17, 2019, the European Council established a framework, which now allows the European Union to impose targeted restrictive measures (simply put – sanctions) as a response to cyberattacks.

In this blogpost we examine the framework to get more details on what constitutes a cyberattack, who might be punished and how, and whether cyber-attribution has been covered.

Background to the story

For the past several years there has been much discussion in Europe about the necessity of ‘cyber-sanctions’, and of late there has been a push for proactive measures. In 2018, both British and Dutch military intelligence publicly announced details of the hacking attempts they detected to ‘access the secure systems of the Organization for the Prohibition of Chemical Weapons working to rid the world of chemical weapons’. The EU’s reaction followed immediately: in a joint statement, high-ranking EU officials expressed serious concerns about the cyberthreat; however, they did not mention sanctions as a countermeasure.

Just a few days later, Bloomberg reported about a leaked memo in which certain Member States were pushing for developing an EU cyber-sanctions regime against third states, international organizations, or individuals behind cyberattacks. However, not all the EU countries backed the idea: Italy strongly opposed new possible sanctions against Russia, ‘a move that appears to be in line with Rome’s calls to de-escalate tensions with Russia’.

Nevertheless, the EU continued calling for proportionate countermeasures, and on October 18, 2018, the European Council announced that it ‘welcomes the adoption of the new regime of restrictive measures’, with this message being strengthened by the current European Commissioner for Digital Single Market, Andrus Ansip, reiterating that ‘collective attribution’ makes the EU stronger against online attacks.

It is important to note that in June 2017 the EU adopted a framework for a joint response to malicious cyberthreats – known as the Cyber Diplomacy Toolbox; however, the document explicitly states that sanctions against an individual or entity do not represent attribution of responsibility to third states, as they would be based on purely political decisions.

Formalization of cyberattacks

So, the 2019 cyber-sanctions framework introduces the legal notion of cyberattacks as an external (italics – author’s) threat to the EU or to the Member States, which

• originate, or are carried out, from outside the EU;
• use infrastructure outside the EU;
• are carried out by and/or with the support of, at the direction, or under the control of an individual or entity established or operating outside the EU.

From this, the same actions that are carried out in, or originate from the EU would not fall under the scope.

Cyberattacks are also defined as actions involving:

• access to information systems;
• information system and/or data interference; or
• data interception (and a threat to the EU constitutes a cyberattack if it is carried out against EU institutions, bodies, offices or agencies, its delegations to third countries, or to international organizations, its Common Security and Defence Policy (CSDP) operations and missions and its special representatives).

The framework reserves the right to apply such sanctions against third states and international organizations where deemed necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP). Here, in particular, decision-makers retain quite a broad scope for legitimizing future cyber-sanctions.

Finally, the framework puts an explicit focus on critical infrastructure and elections, defining cyberattacks as a threat to Member States that affect information systems relating to:

• critical infrastructure (here the framework gives a detailed classification);
• critical state functions, in particular in the areas of defense, governance and the functioning of institutions;
• the storage or processing of classified information; and/or
• government CERTs.

Possible targets & types of sanctions

The framework establishes a broad scope of possible targets in case of cyber-sanctions – they could be any individual or entity that:

• is responsible for cyberattacks, including attempted ones;
• provides financial, technical or material support for cyberattacks, or is otherwise involved in cyberattacks, including attempted ones, through planning, directing, assisting, encouraging or facilitating them whether by action or omission;
• is associated with both the above points.

For each category, sanctions might include a ban from travelling to the EU, asset freezes, and/or prohibition to make funds and economic resources.

Open questions & practical considerations

The Council is responsible for adopting a list of those who would be subject to cyber-sanctions, and will adopt such decisions unanimously (though there have been rumors that some Member States wanted a qualified majority to overrule those who have doubts). However, the framework is silent on how a cyberattack would be attributed and investigated, thus still keeping it in a ‘grey legal zone’.

As a wild guess, the EU Intelligence and Situation Centre (INTCEN), an intelligence body under the External Action Service (EEAS) and under the authority of the EU’s High Representative, might be the body that would investigate cyberattacks and take part in decision-making. However, INTCEN does not have the competency to engage in espionage; it was created to provide intelligence analysis, early warning, and situational awareness. In the 2019 Non-Paper on Attribution of Malicious Cyber Activities, it is explicitly stated that INTCEN’s role should be ‘introductory, complementary or accessory’.

Thus, until INTCEN’s competence may become broader, the main decision-making would be at national level, meaning that Member States’ intelligence agencies would share primary sources for further political decisions. However, again the framework is silent on how the work between national agencies would take place and whether obtained intelligence used as evidence for imposing cyber-sanctions would be declassified to legitimize cyber-attribution. For now, it is clear that the overall decision-making on cyber-sanctions could be largely influenced (or even abused) by a particular Member State whose intelligence agency would provide evidence.

Speaking practically, the EU’s example is crucial as it’s one more point in favor of traditional instruments against non-traditional threats, but the question as to whether sanctions are effective and would help the EU improve its cyber-resilience remains open.

The EU cyber-sanctions framework seems also important as it introduces a broad scope of possible targets as we discussed above, and thus sanctions may apply to companies incorporated or registered under a Member State’s laws as well as to other non-EU companies if their business is done in some parts or the whole of the EU. Putting it simply, non-EU companies may be affected by cyber-sanctions too if they have business connections to parties listed by the Council. Thus, companies would have to conduct a thorough and continuous analysis of the Council’s list to identify any listed individuals or entities they might directly or indirectly deal with.