By Rik van Dijk
Since last month, the European Commission acquired a new weapon in the fight against cyber-attacks on EU soil. The European Council, the heads of the European member states, decided that to protect the EU’s interest, a set of ‘tools’ is needed to complement the 2013 EU Cybersecurity Strategy, the 2016 Network and Information Security (NIS) Directive, and the 2016 Joint Framework, which are orientated towards strengthening the EU’s defensive capabilities. This Framework on a Joint EU Diplomatic Response to Malicious Cyber Activities, a.k.a the Cyber Diplomacy Toolbox is the product of analysis of the EU’s ability to deter foreign attackers in the cyber domain.
History of the toolbox
The EU Presidency of the Netherlands during the first half of 2016 stood at the beginning of the Toolbox, as it released a non-paper that aimed at “developing a joint EU diplomatic response against coercive cyber operations.”
In the document, the drafters argue that to influence the behavior of potential aggressors and thus to reinforce the EU’s security, it is necessary to clearly signal the consequences of malicious activities. Moreover, the eventual goal of the tool is to create an EU-wide cyber diplomacy, which would elevate the costs of hostile cyber operations and thus have a deterrent effect.
The discussion opened by the Netherlands in 2016 led to the adoption of the new framework this year. Restrictive measures are an important part of the toolbox and are defined as followed: “More specifically, this framework allows the EU for the first time to impose sanctions on persons or entities that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them.”
The Need for Cyber Sanctions
A question that has to be asked, is if a new sanctions regime exclusively tailored for digital attacks is a necessary tool. Does it allow the European Union to target groups and states that were out of reach beforehand?
Yes and no. According to Francesco Giumelli, assistant professor at the Rijksuniversiteit Groningen, the use of restrictive measures by states as policy tools fulfill more than one objective. Firstly, sanctions serve to hinder the operational capabilities of the target by limiting their economic and political maneuverability. Secondly, they serve as a political and economic deterrent towards agents with hostile intentions, whether state or non-state actors. Thirdly, sanctions also serve as a message towards the societies of the sanctioner that the state takes the issue serious enough to act upon it.
Will EU sanctions hinder the capabilities of state-sponsored hacker groups directly? Most likely not, and the EU already has more useful tools at its disposal to freeze or capture funds of hostile non-state actors. However, sanctions targeting a hacker group, especially when tied to a nation state, will put political pressure on the state sponsor.
For the European Union, restrictive measures are an important policy tool since it is one of the most coercive measures it can put upon a target. Logically, to increase its cyber capabilities, sanctions related to cyber-attacks seem an important addition to the toolbox. However, sanctions require collective attribution by all member states. Here the toolbox seems to fall short, because attribution requires unanimity. The toolbox is ineffective when member states hesitate to publicly attribute an attack, leading to long political debates before a decision is made, or the forfeiting of sanctions all together.
EU Collective Action
Currently, only a handful of targeted restrictive measures has been imposed as a result of a cyber-attack, and none by the European Union. The first sanctions were imposed in 2015, when the United States retaliated against the North Korean hacking of production company Sony with raising economic sanctions on North Korean organizations and officials.
Since then, European companies suffered from the economic fallout of state-crafted ransomware such as Wannacry and NonPetya, among others, and The Netherlands caught four Russian operatives red handed in their blatant attack on the OPCW in The Hague. Only the last case led to a unified condemnation of the European Council and EU leaders, but no attribution towards Russia. For the toolbox to be effective, EU-wide attribution is necessary.
Whilst technical attribution of cyber-attacks is very possible by specialist companies through forensic tools, the political field is more complex. As Paul Ivan writes, “attributing a cyberattack to a third party or country can entail negative political or economic consequences, many countries are reluctant to agree to strong common measures based only on trust and incomplete information.” Russia and China are among the most aggressive actors with regard to cyber-attacks against European targets, but for 28 EU member states to determine unanimous attribution on an attack of which the impact is not always clear; sanctioning such a power is a large political leap. The costs may very well outweigh the benefits.
The EU Cyber Diplomacy Toolbox signals towards actors both within and outside the EU that the member states are increasingly focused on the effects of cyber-attacks against the Union. The toolbox is a logical step, from strengthening defenses to actively deterring threats. However, the operational reality of the toolbox remains to be seen and will rely for a large part on the political will of the EU member states to sanction aggressive powers in the aftermath of the next cyber-attack.