CCDCOE

On 30 July 2020, for the first time, the Council of the European Union unanimously imposed restrictive measures against six individuals and three entities that have been found responsible for or involved in various cyber-attacks against EU Member States (see Regulation EU 2020/1124 of 30 July 2020). The malicious cyber activities were the attempted cyber operation against the Organisation for the Prohibition of Chemical Weapons, the WannaCry and NotPetya attacks and Operation Cloud-Hopper. The imposition of sanctions in relation to cyber attacks is a clear sign that the EU is changing its posture from a more cautious naming-and-shaming strategy to a braver commitment against malicious cyber activities. It might also encourage developments and confirm trends of international law principles applied to the use of information and communication technologies.

Breaking the ice against cyber attacks

In June 2017, the EU called for the establishment of a framework of a joint diplomatic response to malicious cyber activities called the Cyber Diplomacy Toolbox (CDT).¹ The declared objective of the CDT was to create a suitable framework for a joint EU diplomatic response to malicious cyber activities to mitigate and/or discourage potential aggressors in the cyber realm from harming the political, security and economic interests of the European Union. This would also be achieved through the imposition of restrictive measures against entities and individuals involved in malicious activities and those measures would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and effect of the activity. Consequently, in May 2019, a framework which regulates the imposition of sanctions available within the CDT was adopted by the Council of the European Union as an instrument available to the EU’s Common Foreign and Security Policy (CFSP) (see Council Decision CFSP 2019/797 and Council Regulation EU 2019/796). As a result, asset freezes and travel bans can be imposed on natural and legal persons if they are directly responsible for cyber attacks which constitute an external threat against the Union. All subjects supporting the actions of the malicious actors are also subject to the sanction regime.² Almost three years after the first call for the creation of a sanctions framework addressing cyber threats against the EU, the Council of the European Union blacklisted individuals and entities responsible for cyber attacks against EU member states.

Brace yourself, sanctions are coming

The 30 July sanctions were timely as EU Member States are facing a tremendous amount of malicious cyber activities. Cyber criminals have been exploiting the COVID-19 pandemic by conducting illicit activities targeting not only individuals, but also the EU’s essential operators, critical infrastructures and, in particular, the health sector. In April, Josep Borrell, the High Representative of the European Union for Foreign Affairs and Security Policy, hinted at the imminent possibility of the first use of the sanction regime by not only condemning the wave of malicious cyber activities suffered by Member States, but also remarking on the availability of the joint EU diplomatic framework adopted in 2019 to prevent, discourage, deter and respond to cyber threats against the Union. The declaration was followed by the Council’s official statement regarding the extension of the 2019 regime until 18 May 2021. Although individual states have warmly welcomed the Council’s decision regarding the imposition of sanctions (see official statements from EU and non-EU countries such as Estonia, the Netherlands, France, the UK, Australia and the US), the efficacy of these measures is yet to be demonstrated. Due to their rather antagonistic nature, sanctions imposed on individuals could have a limited effect against cyber criminals in terms of deterrence and de-escalation. As it is generally recognised that cyber attacks are likely to be organised by state-sponsored groups, the possibility of retaliation remains high. However, measures imposed at a regional level rather than unilaterally by Member States might work as a political shield to protect individual states from direct deterioration of financial and political ties between them. As the sanctions target individuals and non-state actors rather than governments, the EU is also preserving its ability to maintain a dialogue with third states, which might be crucial when discussing confidence-building measures in international forums.

States are not (yet) to blame

The ability to adopt sanctions lies in the hands of the Council of the European Union.³ Although this body is political because of its composition, the listing process needs technical attribution containing the identities of the subjects involved in the malicious cyber operations, which will be used to build the grounds for the listing process. The official statement from the Council reminds us that the sanctions imposed on entities and individuals must be distinguished from attribution of responsibility to a third state, which remains a sovereign political decision based on all-source intelligence. This means that, although a general attribution to individuals and entities must be made in order to apply restrictive measures, the malicious conduct of targeted entities and individuals has not been linked to the action of a government under the law of state responsibility. The CDT tool is a focused mechanism which seeks to provide instruments to stabilise and secure the cyberspace of the European Union rather than offering an international law mechanism to hold states responsible for malicious conduct in cyberspace. To be able to impose sanctions, the Council needs a level of attribution which is as precise as possible to avoid abuse and maintain respect for the framework confirmed by the Council in 2019,⁴ which in the case of cyber attacks, is likely to be based on digital forensic evidence. Examining the Regulation containing the sanctions, the attribution section lists the name and the details of the affiliation of the cyber criminals. Not only are non-state actors from the APT10 group mentioned, but so are individuals attached to the Russian foreign military intelligence service (GRU). This is significant as it raises the possibility that state actors are behind the malicious activities, while not directly accusing any government, and thus maintains political freedom for the EU to further its cyber diplomacy dialogue and objectives.

As the listing and delisting process lies within the competence of the Council, it consists of a mix of political and technical attribution. In fact, MSs representatives on the Council need not only to possess and make use of the cyber intelligence related to the specific incidents but also to agree on the grounds for listing which, politically speaking, is not as easy as it sounds. This aspect implies that MSs are ready for an improved level of cooperation on cyber deterrence, not only on a normative matter but also in a more practical and tangible approach. As a matter of fact, the newly published EU Security Union Strategy foresees the creation of a European Joint Cyber Unit (page 9) as an incumbent development to corroborate the ongoing efforts for the establishment of common rules on information security and cybersecurity for all EU institutions, bodies and agencies. This could result in cooperation between situational awareness agencies and bodies such as ENISA, the Europol EC3 and the EU CSIRT network.

Fostering international legal norms on cyber through the cyber sanctions tool

The first activation of the EU sanctioning framework against cyber-attacks marks an important step not only to secure a coherent response against cyber threats targeting the Union but also for advancement on the cyber diplomacy level while following trends of international law principles regulating the cyber domain. Although the CDT is not concerned with addressing international law principles, the declaration announcing the first use of the EU sanction mechanism made by the EU High Representative Josep Borrell is indicative, as it is calling ’upon ‘every country to cooperate in favour of international peace and stability, to exercise due diligence and take appropriate action against actors conducting malicious cyber activities’. Without being too creative, it is useful to outline a few remarks on the language used in this instance. First, the statement seeks to promote and encourage dialogue towards the acceptance of basic principles of the UN Charter such as the prohibition of the use of force and the acceptance of the non-intervention principle for malicious cyber operations, with the aim to ensure international peace and stability. This is a common formula widely used in the UNGGE meetings of experts during which states discuss the role of international law and the principles of the UN Charter applied to the use of information and communication technologies. There is a general understanding that international law and the UN Charter apply to cyberspace, but disagreements on how they apply remain, especially when malicious cyber activities below the threshold are considered. Second, the due diligence principle is mentioned. This principle of international law prescribes that states take all feasible measures to end malicious cyber operations that are conducted from or through their territory which could negatively affect the legal rights of other states. As there is no standard on the degree of effort and resource that a single government should exercise in order to prevent or stop ongoing cyber attacks originating from their territory, the due diligence principle sees scattered acceptance through unilateral public statements from states (see those of Estonia and France). The fact that the EU believes in due diligence indicates that a more favourable approach to the principle can be shown on a unilateral level by EU Member States, by endorsing it in the international forums for discussions dealing with cyber. Third is the use of retorsions. As was highlighted in Borell’s statement, governments should take appropriate action against actors conducting malicious cyber operations. The CDT has been designed to give a more practical and assertive response against cyber attacks, rendering the perpetrators accountable. Being a corollary to the international law instruments of unilateral remedy available to the MSs, the remedies in the CDT can include the use of retorsions. The design of the restrictions fits the unfriendly but lawful actions available to states. Unlike other international law self-help instruments, retorsions can be used to target individuals (i.e. expelling diplomats as a result of a malicious cyber operation); they respect the rule of law since they need to be imposed within a framework, avoiding the abuse of the rights of the individuals or entities involved; they are flexible since they do not need a previous international wrongful act for their utilisation; and they are lawful even if their results are detrimental to the interests of the targeted state (see Tallinn Manual 2.0, Rule 20, para 4).

Conclusion – Slow and steady wins the race

The first activation of the restrictive measures contained within the EU CDT has been an important step in finding a common approach to responding to malicious activities within European cyberspace. Even though it is unclear whether the effects of the sanctions will be enough to prevent and deter future cyber threats, the EU is certainly trying hard by giving its members an additional instrument to collectively address cyber events and impose costs for the misconduct of non-state actors and, indirectly, of states. Since the imposition of restrictive measures needs the approval of a political body such as the Council of the European Union, the CDT sanction regime can be beneficial in boosting cooperation and encouraging the exchange of information among Member States on cyber matters to target individuals and entities involved in malicious cyber operations. Moreover, it will also work as a catalyst to improve the resilience of individual states by advancing compliance with relevant EU legislation such as the NIS Directive and the coordination and preparedness address to large-scale cross-border cybersecurity incidents and crises.⁵ Finally, standing against cyber attacks, the EU can inspire individual states to speak out on their position on international law and harmonise views and contributions to the international dialogue on the responsible use of information and communication technologies.

Author: Samuele De Tomas Colatin, NATO CCDCOE Law Branch

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

Incyder article available here. [↩]
On the technical analysis of the CDT’s sanction regime, see Incyder article available here. [↩]
Thanks to the initiative of the Estonian presidency of the Council, the EU sanctions map has been created to provide a visual overview of sanctions adopted by the Council. Restrictions following cyber attacks are listed under the ‘Thematic Restrictions’ drop-down menu. [↩]
See Council Decision CFSP 2019/797 and Council Regulation EU 2019/796. [↩]
See Blueprint Recommendation 2017/1584. [↩]