A hammer in search of a nail: EU sanctions and the cyber domain
In mid-October 2018, the leaders of the 28 EU member states met in Salzburg, Austria, to map out the Union’s future security policies. On cyber-related issues, the Council agreed that within the development of the ‘framework for a joint EU diplomatic response to malicious cyber activities’ – the so-called cyber diplomacy toolbox – the “work on the capacity to respond to and deter cyber-attacks through EU restrictive measures [sanctions] should be taken forward […].”
The Union’s inching toward “cyber-sanctions” did not necessarily come as a surprise. Back in February 2016, the Dutch EU Presidency already articulated in one of its papers that “imposing sanctions against certain ‘natural or legal persons, entities or bodies’ could be a way to raise the costs of undertaking coercive cyber operations and serve as a deterrent to conduct such actions.” By June 2017, the Council seemed to tacitly endorse sanctions, by affirming that “measures within the Common Foreign and Security Policy, including, if necessary, restrictive measures, […], are suitable for” the toolbox.
What did come as a surprise was that the call for sanctions did not go hand-in-hand with an institutional push toward coordinated attribution on the EU level. The EU’s view on attributing malicious cyber incidents to a nation state, group, or individual seems to be caught between two separate work streams. In the context of the cyber diplomacy toolbox, the Council stipulated in June 2017 that “not all measures of a joint EU diplomatic response to malicious cyber activities require attribution to a State or a non-State actor.” Meanwhile, on the topic of ‘increasing resilience and bolstering the EU’s capabilities to address hybrid threats,’ the European Commission emphasized in June 2018 that “the EU and its Member States need to improve their capacity to attribute cyber-attacks, not the least through enhanced intelligence sharing.” But if not every EU sanctions measure requires attribution, then why would the member states improve their attribution capabilities to begin with? Clearly, not every member state will be equally affected by a particular cyber incident, and not all 28 national governments will be equally interested in escalating an issue toward sanctions, countermeasures, or armed conflict. Case in point, the current push toward EU sanctions was initiated by a group of eight member states, led by the UK and the Netherlands, and including Denmark, Estonia, Finland, Latvia, Lithuania, and Romania.
Prior to the meeting in Salzburg, this group of eight released a paper that exercised a rather strange degree of verbal gymnastics on the issue of attribution to secure widespread support for sanctions within the Council. On one hand, they argued that member states should utilize “established process to present evidence to support a listing under EU restrictive measures.” On the other hand, they firmly stipulated that the imposition of sanctions should not depend upon any EU member state having to publicly attribute a cyber incident to a particular nation state, group, or individual.
The group of eight thus envisioned creating two interlocking processes. First, a mechanism of collective attribution on the EU level to shield individual member states from targeted countermeasures by the sanctioned entity. And second, an EU policy of collective reasoning to assure the Council that a cyber incident against one member state will be seen as an attack against all member states.
The problem with this approach is that when it comes to collective attribution, not all EU member states are created equal. In terms of capacity and capability, the UK for example – with its vast defense and intelligence apparatus and vibrant information security sector – clearly outperforms countries such as Bulgaria, Spain, or Sweden. Similarly, an attribution assessment made in Sofia, Madrid, or Stockholm will carry significantly less political weight and diplomatic force behind it than any conclusion reached in London.
Figure 1. EU government attribution pathways
Source: Compiled by author
What makes the group’s approach ineffective is that the Council’s reaction to two of the most prominent recent cyber incidents speaks volumes to the futility of collective reasoning on the EU level. In April 2018 – two months after the UK and the other four Five Eyes countries publicly attributed the NotPetya attack to Russia – the EU Council could merely find consensus to “firmly condemn the malicious use of information and communications technologies.” Similarly, despite the Dutch government publicly presenting forensic evidence on October 4 which undoubtedly proved that the attack on the OPCW was conducted by Russian military intelligence, the EU Council was merely able to “condemn the hostile cyber-attack carried out against the [OPCW],” without holding anyone responsible.
Evidently, the political calculations within the individual EU member states, and the uneven distribution of attribution capabilities among the EU 28, are significant hurdles for the Council, resulting in the lowest possible common denominator. As a result, it is highly unlikely that the Union will ever achieve unanimous consensus on collective attribution, nor will it naturally succeed in infusing a sense of collective reasoning among the 28 member states. In view of these existing structural problems, the upcoming British exit from the EU – which will result in the breakaway of the UK’s attribution capabilities and the loss of the most vocal EU member state willing to publicly attribute malicious cyber incidents – will exacerbate their difficulties.
At its core, a potential solution to fix the EU’s structural problems will have to revolve around streamlining public attribution. The longer an EU member state retains the sovereign choice to publicly attribute a cyberattack or not, and the longer the Council depends upon unanimity to react to a cyber incident, the longer it will take for the cyber diplomacy toolbox to deliver on the promise of change.
* * *
In terms of the practical implementations of a ‘cyber sanctions regime,’ the 28 EU member states also need to be more precise about what they want to achieve, and whether they have learned anything from the sanction blunders of the US Treasury Department.
As it currently stands, EU sanctions are not punitive, but are “designed to bring about a change in policy or activity by the target country, entities or individuals. Measures are therefore always targeted at such policies or activities, the means to conduct them and those responsible for them.” Thus, the fundamental questions an EU cyber sanctions regime has to contend with are:
(a) can it influence policies and activities that are embedded within the realm of espionage,
(b) can it avoid collateral damage when targeting the means of a state to conduct cyber-operations, and
(c) will it neutralize or interfere with current and future law enforcement activities.
On the first question, the jury is still out, but there are strong indicators to suggest that sanctions do not produce any coercive effects, nor are they relevant for deterrence purposes. Between January and November 2018, the US Treasury Department’s Office of Foreign Assets Control (OFAC) imposed cyber-related sanctions on a combined 59 individuals and 28 companies hailing from Iran, North Korea, and Russia. Yet, so far none of the three countries in question have decreased their cyber-related activities. On October 3, 2018, FireEye summarized that “North Korean operators appear to be undeterred by public outings,” and that due to the vast resources and large network dedicated to generating funds for the regime, their operations “will continue in the future.” On October 19, the US Department of Justice charged Russian national Elena Alekseevna Khusyaynova for “her alleged role in a Russian conspiracy to interfere in the U.S. political system, including the 2018 midterm election.” And on October 26, Facebook removed “multiple Pages, Groups and accounts that originated in Iran for engaging in coordinated inauthentic behavior” that targeted people in the US and UK.
Table 1. OFAC Cyber-Related Sanctions (Jan. 1–Nov. 8, 2018)
On the second question, two items are of particular relevance. First, OFAC’s sanctions from June 11, 2018 against five Russian entities including California-based smart devices security specialist Embedi (based in Berkeley) and cyber security firm ERPScan (based in Palo Alto) must be considered. OFAC’s decision led to the rather awkward situation of the US government preventing two US-based companies from doing any business with the United States. And second, President Obama’s amendment of Executive Order 13694 on December 29, 2016, put Russian cybersecurity company ZorSecurity on OFAC’s list of Specially Designated Nationals and Blocked Persons. Curiously though, ZorSecurity is owned by information security researcher Alisa Esage Shevchenko, who among others was credited in 2015 by the US Department of Homeland Security for helping find flaws in critical energy management software. The thread that loosely connects all three entities is that they currently employ Russian security researchers who at one time in their career either directly worked for a Russian security and defense agency, or were employed by a company that worked with a Russian security and defense agency. If the EU chooses to emulate this approach for the sake of hitting the supply structure of Russian intelligence agencies, then Kaspersky Lab will most likely end up being a prime target. The European Parliament already fired a shot across the bow in June 2018 by calling on all EU institutions to “ban [software, IT and communications equipment] that have been confirmed as malicious, such as Kaspersky Lab.”
On the third question, it is important to note that in contrast to the US Department of Justice, no public prosecutor in any of the 28 EU member states has filed any criminal charges against foreign entities or persons in relation to the numerous major cyber incidents that hit the continent. As a result, the implementation of a cyber sanctions regime will neither neutralize nor interfere with current and future law enforcement activities, because none of the EU member states have done anything in that regard.
The bottom line is that when it comes to cyber-related sanctions, the European Union cannot simply re-invent its go-to sanctions hammer as if it will coerce, deter, or increase the continent’s security in the cyber domain. The fundamental challenge for the EU is to develop new and innovative policies for its member states to leverage which currently do not exist in relation to any of the other domains. That is the challenge the EU needs to solve, showing the added value the Union brings to the table.
Stefan Soesanto is the former Cybersecurity & Defence Fellow at the European Council on Foreign Relations (ECFR) and a non-resident James A. Kelly Fellow at Pacific Forum. At ECFR, he designed and held cyber wargame exercises in cooperation with Microsoft EMEA and organised the 2018 Odense Cybersecurity & Defence Conference together with the Office of the Danish Tech Ambassador and the Center for War Studies at the University of Southern Denmark.