Europe Calling What about cyber sanctions?

The unstable and complex current events related to the Russian invasion in Ukraine has brought the ‘sanctions’ tool to the fore. The negative impact on the Russian population and on the country’s economy has started to be noticed, even though the dissuasive effect on the military front will take much more time to show.

These developments are interesting for several reasons. The one that is of interest to us today is the relevance of the ‘sanctions’ tool in the cyber field. As a reminder, the EU has a framework for diplomatic response to malicious cyber activities. It is called the Cyber Diplomacy Toolbox and its main aim is to help the Union and its Member States to react in a necessary and proportionate way to influence the behaviour of aggressors. To please EU regulation nerds reading this, the Council Decision making the ’sanctions’ tool operational was adopted on 17 May 2019 and specifies what is seen as a malicious activity, which individuals and entities are subject to restrictions and what the restrictions are.

In 2020, sanctions were already imposed on individuals and entities based in Russia, China and North Korea. It appears they weren’t bothered either way. Sanctionable malicious activities are countless, yet very few restrictive measures are taken, and their effect is limited, to say the least. Of course, the idea isn’t to go to the other extreme and to give out sanctions left and right. Some would have a mind to quote the United States and its heavy-handed measures (13 individuals and 99 entities in 2021) – and the U.S. are one single country, which the EU is not.

Then, how come sanctions work in a ‘traditional’ framework, yet not in the cyber field? In other words, why are sanctions initiated as a result of malicious activities not an efficient foreign policy instrument?

Better to name the perpetrators than search for them

In order to take a restrictive measure against someone, you first need to pin a malicious act upon them. Yet, attribution is first and foremost a political action. Beyond this premise, the EU recognises that attribution of a malicious activity to a State or a non-State actor remains a sovereign political decision of each Member State. In simple language, this means that each Member State decides whether it wishes to impose sanctions on actors from third countries (non-EU members). Sweden is a good example of this: in April 2021, the Swedish Prosecution Authority attributed the infiltration of and spying on the Swedish Sports Confederation to the GRU, the Russian military intelligence service. Despite this established fact, it also specified that the necessary preconditions for taking proceedings or extradition were lacking. Move along, nothing to see here.

One necessary prerequisite for reasonable attribution and a joint diplomatic response is the exchange of information. There is considerable scope to improve the efficiency of such activity at European level. There cannot be a joint diplomatic action without shared situational awareness. If evidence is not shared, it isn’t possible to define the scope and impact of a malicious act. But to go as far as acting together while respecting the necessity and proportionality of a response…

The issue of characterisation extends beyond the need to share technical elements. From the way things are described, it isn’t possible to prioritise. Is a ransomware attack on a hospital more deserving of sanctions than spying on the Bundestag? Should we prioritise an actual act over a potential act? There are many such questions, but not so many joint responses.

Sharing is caring

There is no international legal evidence system that would unambiguously and absolutely define what has conclusive force in any case. Thus, what we do is we collect, assess, interpret – and decide in favour of using legislation. Yet, providing evidence of attribution is often based on intelligence, which is a voluntary action by Member States – levels of openness and sharing vary as there is always a threat of sensitive information being compromised. In this context, it would be quicker to list what could facilitate the use at European level to justify sanctions.

The situation is thus relatively complex, as the point is to make stakeholders from other Member States aware of the technical elements of an attribution (that allow to know with reasonable confidence which source of threat carried out the malicious act) in order to support political and judicial action – imposing targeted restrictive measures as part of a joint diplomatic response. Indeed, while IoC sharing has great tactical value, cyber-related sanctions won’t be of much use if they are not adopted in the broader context of the Union’s foreign policy strategy.

The French Presidency of the Council of the European Union #EUFP2022 had the intention (which it communicated in an unclear and very generic way) of working on reviewing the Cyber Diplomacy Toolbox. I am using the past tense because we are halfway through this presidency, the Russian invasion in Ukraine requires immediate attention and elections will be taking place in France in less than two months. The only certainty in this unstable context is that it is urgent that we wait to review the Toolbox – even if it means missing the opportunity to combine this review with the alignment of the EU’s different diplomatic tools.