After a Year of Silence, Are EU Cyber Sanctions Dead?

Stefan Soesanto
Tuesday, October 26, 2021, 11:49 AM

The European Union has stopped issuing cyber sanctions, but it's not for lack of new attacks.

Josep Borrell, EU high representative for foreign affairs and security policy, speaks at a hearing in Brussels on Oct. 7, 2019. Photo credit: European Union 2019/European Parliament via Flickr, CC-BY-4.0

Published by The Lawfare Institute
in Cooperation With

One year ago, on Oct. 22, 2020, the Council of the European Union imposed its second, and so far last, EU cyber sanctions package in response to malicious cyber activities that constitute an external threat to the European Union or its member states. Though these sanctions were envisioned as a new tool to impose significant costs and bring about a change in policy or behavior from the sanctioned governments and individuals in cyberspace, they have failed in both substance and volume to achieve their strategic aims.

To date, only eight individuals and four organizations have been sanctioned by the European Union for various campaigns, including WannaCry, NotPetya, and the 2015 Bundestag hack. By comparison, since April 2015, the U.S. Treasury Department has imposed cyber-related sanctions on a combined 99 individuals and 59 entities, including 13 individuals and 19 entities in 2021 alone.

The limited EU response is not for lack of high-profile malicious cyber campaigns uncovered and attributed to foreign government agencies, groups and individuals that targeted EU member states. Instead, the imposition of EU cyber sanctions has been hampered by a lack of coordinated intelligence collection efforts, a focus on voluntary intelligence sharing, and a political process that likely undermines the creation of a common EU threat perception in cyberspace.

A Year of Adversarial Campaigns

Adversarial campaigns by a wide array of foreign state actors targeting EU member states have continued since the last round of sanctions were announced a year ago. On Feb. 17, 2021, the U.S. Department of Justice unsealed a federal indictment against three North Korean military hackers. Jon Chang Hyok, Kim Il and Park Jin Hyok were charged with “participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks [and] to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies.” Among the handful of victims named in the indictment: the Polish Financial Supervision Authority, a Maltese bank and a Slovenian cryptocurrency company.

In March, the Finnish Central Criminal Police (KRP) and the Finnish Security Intelligence Service (SUPO) attributed the breach of the Finnish Parliament’s internal information technology system in the fall of 2020 to a Chinese threat actor known as APT31. In an effort to call out APT31’s activity in several member states, the EU high representative for foreign and security policy, Josep Borrell, published a declaration on July 19, which stated that these activities “have been conducted from the territory of China for the purpose of intellectual property theft and espionage.” Two days later, the French cybersecurity agency, ANSSI, warned that they are “currently handling a large intrusion campaign impacting numerous French entities. Attacks are still ongoing and are led by an intrusion set publicly referred to as APT31.”

In mid-April, Swedish public prosecutor Mats Ljungqvist announced that “Russian military intelligence, [the] GRU who, via its 85th Center, also known as unit 26165, has planned and carried out the serious breaches of data secrecy against the Swedish Sports Confederation” from December 2017 through May 2018. However, despite the Swedish attribution assessment, Ljungqvist explained that his office “reached the conclusion that the necessary preconditions for taking legal proceedings abroad or extradition to Sweden are lacking. I have, therefore, today decided to discontinue the investigation.”

The list goes on. The EU Computer Emergency Response Team noted in April 2021 that at least six EU institutions, bodies and agencies were affected by the supply chain attack against SolarWinds’s Orion platform. The Belgian Ministry of the Interior stumbled on a previously unknown espionage campaign while securing their systems against Hafnium’s indiscriminate exploitation of vulnerabilities in Microsoft Exchange Server. And the Dutch newspaper de Volkskrant reported that a Russian intelligence service infiltrated the network of the Dutch police back in 2017, when they were the lead investigator into the Malaysia Airlines flight MH17 incident.

Impediments to EU Cyber Sanctions

Given that there are marked differences between the intelligence type and volume necessary to confidently connect a campaign to a specific individual operator, a government agency or an intrusion set like APT31, it is unsurprising that these cases have broken down or are stuck at different stages in the investigatory process. In the North Korean case, the affected EU countries were likely unable to connect the dots across several national jurisdictions and might have deemed the individual incidents not severe enough to push them up to the EU level. The APT31 case seems to miss crucial intelligence that clearly links APT31 to a Chinese government agency or specific individuals—meaning that either intelligence has not yet been collected by an EU member state or it has been collected but the member state is unwilling to share it with the union’s other 26 governments for operational reasons. Meanwhile, the Swedish case likely ran into the problem that the GRU’s 85th Center and the operators responsible were probably already sanctioned by the European Union in June and October 2020. Time will tell whether these investigatory hurdles and intelligence blind spots will persist.

The GRU Ghostwriter campaign against Poland and Germany could break the EU’s cyber sanction abstinence. On Sept. 24, just two days prior to the German federal election, the EU high representative published a declaration stating that Ghostwriter’s “malicious cyber activities are targeting numerous members of Parliaments, government officials, politicians, and members of the press and civil society in the EU by accessing computer systems and personal accounts and stealing data.” The declaration ends with the promise that “the European Union will revert to this issue in upcoming meetings and consider taking further steps.” This is suggestive of a potential discussion of EU cyber sanctions, but whether or not they are imposed will depend on whether the EU member states have the intelligence at hand to identify and sanction specific Ghostwriter operators. Another course of action could be to sanction the GRU yet again, hoping that this will somehow create a different outcome. That being said, as of this writing, no EU institutions have picked up discussions on the Ghostwriter issue.

The EU’s nonuse of cyber sanctions over the past year, and the challenges of responding to the Ghostwriter campaign in particular, are indicative of a flawed process. First, the intelligence services of the European Union’s 27 member states are not streamlined to selectively gather relevant foreign intelligence to underpin the EU cyber sanction process. As a result, classified intelligence sharing on adversarial campaigns occurs only by accident or when one intelligence agency proactively reaches out to others to figure out whether they have relevant information that they are willing to share. Second, intelligence sharing on the EU level is by design voluntary as information has to be declassified to be shareable with the other 26 members. Some member states are likely to outright refuse to engage in this process for operational reasons, while others have run into the problem that the intelligence shared is not compelling enough. Third, the decision to impose cyber sanctions is a political process that likely undermines the creation of a common cyber threat perception within the EU. When the Polish government raised the issue of Ghostwriter on the EU level back in June, the bloc refused to take any subsequent action. But when the German government brought up the same issue three months later, the EU’s high representative released a declaration on Ghostwriter within just nine days. And fourth, at the end of this complicated process, it is unclear whether EU cyber sanctions impose any costs on the sanctioned individuals or entities. In fact, the more EU cyber sanctions are imposed on the same threat actor—such as the GRU—the weaker the EU’s argument becomes that sanctions can bring about a change in policy or behavior from the sanctioned individuals and entities.

There are many smart people working in the EU institutions and agencies on cyber policy, and a serious response to the Ghostwriter campaign would be a vindication of their work. But this seems unlikely. The status quo for the EU cyber sanctions regime will probably persist, because admitting failure is hard and major policy overhauls never come easy.

Stefan Soesanto is a senior researcher in the Cyberdefense Project with the Risk and Resilience Team at the Center for Security Studies (CSS) at ETH Zurich. Prior to joining CSS, he was the Cybersecurity & Defense Fellow at the European Council on Foreign Relations (ECFR) and a non-resident James A. Kelly Fellow at Pacific Forum CSIS.

Subscribe to Lawfare