Published by The Lawfare Institute
in Cooperation With
On July 30, the European Council announced its first ever cyber sanctions package, which comprised travel bans and asset freezes, against various entities and individuals for their respective cyberattacks against the European Union and its member states. The targets of these sanctions included four members of Unit 74455 of Russia’s military intelligence agency (GRU), for the NotPetya campaign and the close hacking operation against the Organization for the Prohibition of Chemical Weapons; two Chinese citizens and Huaying Haitai, a Chinese-based technology company, for APT10’s Cloud Hopper campaign; and the North Korean company Chosun Expo for its support in executing the WannaCry ransomware attack.
Two months later, on Sept. 11, the Horizontal Working Party on Cyber Issues commenced deliberations on a second EU cyber sanctions package. The 2015 Bundestag hack—which resulted in the exfiltration of 16GB of data and necessitated a complete overhaul of the German Parliament’s information technology network—seemed likely to be a focal point of these new sanctions. But at the time, it remained unclear whether significant cyber incidents against the critical infrastructure of other EU member states— such as the 2015 TV5Monde cyberattack, the 2017 Macron Leaks (the leaking of supposedly internal documents of Emmanuel Macron’s campaign during the 2017 French presidential election), or the 2017-2018 Turla campaign against the French Ministry of Defense—would be included as well.
On Oct. 5, the draft sanctions proposal was forwarded to the Working Party of Foreign Relations Counsellors (RELEX)—and on Oct. 19, the Committee of Permanent Representatives (COREPER II) initiated the written procedure to adopt the new sanctions package. Three days later, the European Council announced the sanctions listings for Igor Kostyukov—the head of the GRU—along with GRU officer Dmitriy Badin and the entire GRU Unit 26165, better known as APT28.
So where does the EU go from here? Did EU cyber sanctions fulfill their designated purpose?
As far as the second cyber sanctions package is concerned, the EU’s strategic logic was largely nonexistent. The European Council had already sanctioned Kostyukov with a travel ban and asset freeze back in January 2019 for the Salisbury chemical attack on Sergei Skripal and his daughter, and German authorities issued an arrest warrant for Badin in May 2020 for the Bundestag hack. Imposing additional EU travel restrictions on Badin has essentially ensured that European law enforcement will never be in a position to arrest Badin in the rare case that he would have decided to enter EU territory for any purpose in the future.
Additionally, it is unclear whether cyber sanctions produce any discernible effect on the adversary’s end. As far as tangible evidence goes, there is no proof that sanctions deter anyone, shame anyone, nor impose costs or restrict an adversary’s ability to conduct their malicious campaigns. The very notion that cyber sanctions (for example, travel bans) might work because Russian military intelligence officials are longing for a house on the French Riviera and want to visit the Colosseum in Rome is built on very thin ice. Similarly, it is highly doubtful that any intelligence front companies nor individual cyber operatives own any funds subject to EU jurisdiction. It is not known whether the EU has frozen any assets of individuals and entities listed under the EU cyber sanctions regime so far. Given this discrepancy, EU cyber sanctions are largely symbolic. Their prime utility seems to be to signal red lines, political intent and EU unity.
However, public support for EU cyber sanctions among the EU member states was rather timid this time around. Only six out of the 27 EU member states publicly expressed their endorsement. The Dutch Ministry of Foreign Affairs was the only one to publish a written statement on its website, while the other five (Austria, Belgium, Denmark, Estonia and Latvia) engaged solely in Twitter diplomacy, each posting a supportive tweet. Outside of the EU, only the Mission of Canada to the EU, the U.K. Foreign, Commonwealth & Development Office, and the U.S. State Department declared their public support. Tellingly, the German government itself, which currently holds the EU presidency and pushed hard for the Bundestag hack to be sanctioned by the EU in the first place, ignored the council’s sanctions announcement altogether. As a result, all the German newspaper articles covering the second EU cyber sanctions package are devoid of any statements by German government officials.
Three days before the sanctions were announced, the U.S. Department of Justice and the U.K. Foreign, Commonwealth & Development Office unveiled a public attribution campaign calling out GRU Unit 74455, also known as Sandworm—which, ironically, received more public support from European governments than the announcement of EU cyber sanctions themselves. All in all, seven EU member states came out in support of the U.S.-U.K. effort. The Polish Ministry of Foreign Affairs published a written statement on its website; the Dutch Ministry of Foreign Affairs included its endorsement in its written statement on EU cyber sanctions; and the remaining five members (the Czech Republic, Denmark, Estonia, Latvia and Lithuania) expressed their support on Twitter.
Given this lack of a coherent strategic message, it is questionable whether EU cyber sanctions are communicating their red lines and intent effectively. EU cyber sanctions are supposed to present a joint EU response aimed at preventing, discouraging, deterring, and responding to continuous and increasing malicious behavior in cyberspace. In practice, however, it seems that the act of imposing sanctions—by unanimously adopting a European Council decision and implementing regulation—marks the last instance of strategic signaling altogether for both the EU and the majority of its member states. Granted, the lack of political communication might be due to other foreign policy priorities in the European capitals or the simple absence of social media awareness—but adversaries might very well perceive this as a lack of the member states’ political interest and strategic commitment, or even an inability by the European Council to maintain a unified voice after the voting is done.
Given the adoption of the second EU cyber sanctions package, the question still left unanswered is: Now what? Will the European Council adopt a third cyber sanctions package anytime soon?
As outlined in July 2020, the priorities for the Horizontal Working Party on Cyber Issues declare that the next three EU presidencies—held by Germany, Portugal and Slovenia—will emphasize the need to make use of the EU cyber sanctions regime when facing malicious behavior in cyberspace. Under the Croatian council presidency, which ran from January to June 2020, the EU pushed out its first and largest cyber sanctions package, targeting six individuals and three entities. Under the German council presidency, which will run from July to December 2020, an insubstantial second cyber sanctions package was announced against two individuals and one entity. Currently, the European Council is in the process of amending the sanctions regime, which could indicate the making of a third sanctions package or hint at a significant overhauling of the sanctions regime itself—for example, widening the definitions of acts to be sanctioned or allowing sanctions against third states, among other options.
The low numbers of cyber incidents as well as individuals and companies sanctioned does not bode well for the incoming Portuguese and Slovenian council presidencies, which will run from January to December 2021. Even if future EU presidencies wish to take a more aggressive approach, there may be a limited amount that they can do. So far, the EU has imposed sanctions only for malicious campaigns that occurred within the past two to five years and were attributed by at least one EU member state. However, because of the absence of collective attribution on the EU level, and the reluctance of individual members to publicly attribute other malicious campaigns, there is currently no pipeline of new cases to be sanctioned on the EU level.
Consider the silence surrounding the cyberattacks and incidents affecting France, for example. In France’s case, the principle of strategic autonomy dictates French behavior in cyberspace—meaning that Paris emphasizes its autonomous ability to assess situations, a total independence in decision-making, and freedom of action. This has resulted in an awkward situation where the U.S. Department of Justice has publicly attributed the 2017 Macron Leaks to Russian military intelligence, while the French government has yet to do so publicly.
Other EU member states—particularly the smaller ones—simply do not have the sophisticated attribution capabilities and expansive intelligence networks required to put forward credible public attribution claims. Nor are they interested in politically locking heads with larger adversarial nation-states that could undermine their commercial interests abroad and domestic politics at home. For this reason, as far as EU cyber sanctions go, there are almost no cases left that the EU can sanction retroactively. Combined with the strategic behavior of the member states, this instills little confidence that future public attribution claims will be made.
For the moment, a third or even fourth EU cyber sanctions package does not seem to be in the making—suggesting that the EU cyber sanctions regime has already run its course. If this holds true in the long run, it could be devastating for the image of the union. Apart from a public declaration by the high representative, sanctions remain the only significant tool in the EU’s cyber diplomacy toolbox.
Time will tell whether the EU will be able to come up with new innovative ideas outside of sanctions to respond to adversarial campaigns, and whether the member states will step up their game on public attribution. For this change to occur, however, European governments have to critically self-reflect on their current approaches in cyberspace, endorse out-of-the-box thinking, and open themselves up to more aggressive policies on the offensive end. Similarly, on the EU level, critical voices need to be heard, uncomfortable realities need to be put front and center, and an honest discussion about the future trajectory of the EU cyber toolbox needs to be kicked off. The EU cannot wait for the toolbox to fall apart, and the member states cannot wait for the union to step up. It’s time to break with the past and start to move forward.