The European Union Imposes Its First Ever Sanctions Against Cyber-attacks

(by Army General (2S) Watin-Augouard, Founder of the FIC)

On 30 July 2020, one year after their release, the Council of the European Union has implemented the framework decision and regulation passed on 17 May 2019 which sanctions through restrictive measures natural or legal persons, entities, or bodies responsible for successful or attempted cyber-attacks. These measures apply to six individuals and three entities.

The implemented bills

On 19 June 2017, the European Council adopted conclusions on a framework for a joint diplomatic response to malicious cyber activities. The “Cyber Diplomacy Toolbox” addresses the need to protect the Union, its Member States and citizens against State and non-State actors undertaking cyber-attacks. It contributes to conflict prevention, cooperation, and stability in cyberspace by setting out measures within the CFSP, including restrictive measures, to prevent and respond to malicious cyber activities.

During the Tallinn Digital Summit (29 September 2017), then President of the European Commission Jean-Claude Juncker declared: “Cyber-attacks know no borders, but our response capacity differs very much from one country to the other, creating loopholes where vulnerabilities attract even more the attacks. The EU needs more robust and effective structures to ensure strong cyber resilience and respond to cyber-attacks.” He added: “We do not want to be the weakest links in this threat. ”

On 19 and 20 October 2017, again in Tallinn, the European Council requested a common approach on cybersecurity in the EU, which translated into the Cybersecurity Act, passed by the European Parliament on 12 March 2019 (see ‘La Veille Juridique’ of the CREOGN – May 2019).

On 27 May 2019, the Council of the European Union made a framework decision and regulation in line with the logic of the “Cyber Diplomacy Toolbox”.

The Council decision (CFSP) 2019/797 of 17 May 2019 concerns restrictive measures against cyber-attacks threatening the Union or its Member States. For the Council, “the measures within the common foreign and security policy (CFSP), including, if necessary, restrictive measures, adopted under the relevant provisions of the Treaties, are suitable for a framework for a joint Union diplomatic response to malicious cyber activities, with the aim of encouraging cooperation, facilitating the mitigation of immediate and long-term threats, and influencing the behaviour of potential aggressors in the long term”.

These measures aim to dissuade and stop cyber-attacks from territories outside the Union that are targeting it or its Member States (cybercrime internal to the Union is therefore not concerned). They can however apply, if deemed necessary, to achieve CFSP objectives in the relevant provisions of Article 21 of the Treaty on European Union when cyber-attacks target third states or international organisations.

The restrictive measures set by the decision concern the prevention of entry into or transit through the territories of Member States and the freezing of funds and economic resources belonging to natural or legal persons, entities, or bodies responsible for cyber-attacks or attempted cyber-attacks. On the matter of frozen funds and resources, the Council Regulation (EU) of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, clarifies the details of its implementation.

As established by the framework decision, the restrictive measures must be differentiated from the attribution of responsibility for cyber-attacks, which is a sovereign political decision on a case-by-case basis. Every Member State remains free to determine by itself the implication of a third State.

Decisions of 30 July 2020

On 16 April 2018, the Council firmly condemned the cyber-attacks known as ‘WannaCry’ and ’NotPetya’, which caused significant damage and economic loss in the Union. These cyber-attacks — ransomware for the former, data destruction tool for the latter —serve as models by their scale and effects. NotPetya, which mainly targeted Ukraine, had significant collateral effects, notably in France (Saint-Gobain, SNCF, Auchan, and BNP).

On 4 October 2018 the presidents of the European Council and of the European Commission as well as of the High Representative of the Union for Foreign Affairs and Security jointly­ condemned an attempted cyber-attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands. In a declaration on behalf of the EU on 12 April 2019, the High Representative urged the actors to stop undertaking malicious activities which undermine the EU’s integrity, security, and economic competitiveness, including espionage acts violating intellectual propriety. These “cyber-enabled thefts” are notably among those perpetrated by the group called ‘APT10’ (Advanced Persistent Threat 10) involved in ‘ Operation Cloud Hopper’ which targeted companies through the cloud. For the Council, “‘Operation Cloud Hopper’ targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss”.

The sanctions imposed include a travel ban through EU territory and an asset freeze. In addition, EU persons and entities are forbidden from making funds available to those people and entities listed.

Six individuals and three entities are on the list of natural and legal persons, entities, and bodies in Annex I of the Council Decision (CFSP) 2020/1127 and the Council Regulation (EU) 2019/796, blank prior to this decision. Two Chinese and four Russian individuals are concerned as well as three entities: a Chinese, a North Korean and a Russian one. One will notice the EU does not hesitate to punish bodies related to States (Russia in particular).

Below are copied two extracts illustrating how the annex is presented.