Europe Has No Strategy on Cyber Sanctions


On July 30, the European Council announced its first ever cyber sanctions package, which comprised travel bans and asset freezes, against various entities and individuals for their respective cyberattacks against the European Union and its member states. The targets of these sanctions included four members of Unit 74455 of Russia’s military intelligence agency (GRU), for the NotPetya campaign and the close hacking operation against the Organization for the Prohibition of Chemical Weapons; two Chinese citizens and Huaying Haitai, a China-based technology company, for APT10’s Cloud Hopper campaign; and the North Korean company Chosun Expo for its support in executing the WannaCry ransomware attack.

Two months later, on Sept. 11, the Horizontal Working Party on Cyber Issues commenced deliberations on a second EU cyber sanctions package. The 2015 Bundestag hack—which resulted in the exfiltration of 16GB of data and necessitated a complete overhaul of the German Parliament’s information technology network—seemed likely to be a focal point of these new sanctions. But at the time, it remained unclear whether significant cyber incidents against the critical infrastructure of other EU member states—such as the 2015 TV5Monde cyberattack, the 2017 Macron Leaks (the leaking of supposedly internal documents of Emmanuel Macron’s campaign during the 2017 French presidential election), or the 2017-2018 Turla campaign against the French Ministry of Defense—would be included as well.

On Oct. 5, the draft sanctions proposal was forwarded to the Working Party of Foreign Relations Counsellors (RELEX)—and on Oct. 19, the Committee of Permanent Representatives (COREPER II) initiated the written procedure to adopt the new sanctions package. Three days later, the European Council announced the sanctions listings for Igor Kostyukov—the head of the GRU—along with GRU officer Dmitriy Badin and the entire GRU Unit 26165, better known as APT28.

So where does the EU go from here? Did EU cyber sanctions fulfill their designated purpose?

As far as the second cyber sanctions package is concerned, the EU’s strategic logic was largely nonexistent. The European Council had already sanctioned Kostyukov with a travel ban and asset freeze back in January 2019 for the Salisbury chemical attack on Sergei Skripal and his daughter, and German authorities issued an arrest warrant for Badin in May 2020 for the Bundestag hack. Imposing additional EU travel restrictions on Badin has essentially ensured that European law enforcement will never be in a position to arrest him in the rare case that he decided to enter EU territory for any purpose in the future.

Additionally, it is unclear whether cyber sanctions produce any discernible effect on the adversary’s end. As far as tangible evidence goes, there is no proof that sanctions deter anyone, shame anyone, impose costs or restrict an adversary’s ability to conduct their malicious campaigns. The very notion that cyber sanctions (for example, travel bans) might work because Russian military intelligence officials are longing for a house on the French Riviera and want to visit the Colosseum in Rome is built on very thin ice. Similarly, it is highly doubtful that any intelligence front companies or individual cyber operatives own any funds subject to EU jurisdiction. It is not known whether the EU has frozen any assets of individuals and entities listed under the EU cyber sanctions regime so far. Given this discrepancy, EU cyber sanctions are largely symbolic. Their prime utility seems to be to signal red lines, political intent and EU unity.

However, public support for EU cyber sanctions among the EU member states was rather timid this time around. Only six out of the 27 EU member states publicly expressed their endorsement. The Dutch Ministry of Foreign Affairs was the only one to publish a written statement on its website, while the other five (Austria, Belgium, Denmark, Estonia and Latvia) engaged solely in Twitter diplomacy, each posting a supportive tweet. Outside of the EU, only the Mission of Canada to the EU, the U.K. Foreign, Commonwealth & Development Office, and the U.S. State Department declared their public support. Tellingly, the German government itself, which currently holds the EU presidency and pushed hard for the Bundestag hack to be sanctioned by the EU in the first place, ignored the council’s sanctions announcement altogether. As a result, all the German newspaper articles covering the second EU cyber sanctions package are devoid of any statements by German government officials. 

Three days before the sanctions were announced, the U.S. Department of Justice and the U.K. Foreign, Commonwealth & Development Office unveiled a public attribution campaign calling out GRU Unit 74455, also known as Sandworm—which, ironically, received more public support from European governments than the announcement of EU cyber sanctions themselves. All in all, seven EU member states came out in support of the U.S.-U.K. effort. The Polish Ministry of Foreign Affairs published a written statement on its website; the Dutch Ministry of Foreign Affairs included its endorsement in its written statement on EU cyber sanctions; and the remaining five members (the Czech Republic, Denmark, Estonia, Latvia and Lithuania) expressed their support on Twitter.

Given this lack of a coherent strategic message, it is questionable whether EU cyber sanctions are communicating their red lines and intent effectively. EU cyber sanctions are supposed to present a joint EU response aimed at preventing, discouraging, deterring, and responding to continuous and increasing malicious behavior in cyberspace. In practice, however, it seems that the act of imposing sanctions—by unanimously adopting a European Council decision and implementing regulation—marks the last instance of strategic signaling altogether for both the EU and the majority of its member states. Granted, the lack of political communication might be due to other foreign policy priorities in the European capitals or the simple absence of social media awareness—but adversaries might very well perceive this as a lack of the member states’ political interest and strategic commitment, or even an inability by the European Council to maintain a unified voice after the voting is done.

Given the adoption of the second EU cyber sanctions package, the question still left unanswered is: Now what? Will the European Council adopt a third cyber sanctions package anytime soon? 

As outlined in July 2020, the priorities for the Horizontal Working Party on Cyber Issues declare that the next three EU presidencies—held by Germany, Portugal and Slovenia—will emphasize the need to make use of the EU cyber sanctions regime when facing malicious behavior in cyberspace. Under the Croatian council presidency, which ran from January to June 2020, the EU pushed out its first and largest cyber sanctions package, targeting six individuals and three entities. Under the German council presidency, which will run from July to December 2020, an insubstantial second cyber sanctions package was announced against two individuals and one entity. Currently, the European Council is in the process of amending the sanctions regime, which could indicate the making of a

