For the first time in its history, the European Union (EU) imposed sanctions against individuals and entities involved in cyber attacks. Restrictive measures include travel bans, the freezing of assets, and blocking European sources of funding. The sanctions were directed at cyber campaigns linked to various Russian, Chinese and North Korean state-associated threat actors. This includes NotPetya and Ukraine blackout attacks carried out by the Russian GRU, as well as an espionage operation the group conducted targeting the Organisation for the Prohibition of Chemical Weapons (OPCW). WannaCry was a North Korean ransomware campaign that had a similarly destructive impact to NotPetya. Finally, Operation Cloud Hopper was a cyber espionage operation carried out by Chinese contractors working on behalf of the Ministry of State Security, and targeted managed service providers to gain access to various third parties.
Europe’s Growing Cyber Diplomacy Toolbox
These latest measures demonstrate that the EU is ramping up its efforts to actively respond to malicious cyber attacks. Up until now, the EU has focused much of its efforts on both defending European networks and developing regulation around security and privacy issues. Yet, this latest move indicates that the Union is now gradually increasing its appetite to engage more assertively. This also highlights the growing maturity of many member states around cyber security—an issue that might not have previously been seen as a matter of high politics or one that would merit sanctions.
In many respects, the punitive impact caused by the sanctions against China, North Korea and Russia will be limited. This is because rather than calling out the states responsible directly, the sanctions were highly targeted against specific individuals and institutions. They are therefore unlikely to create serious financial harm in the way that a wider economic sanction regime might. The sanctions were also directed at what are now dated campaigns, and ones that have already been called out by other governments. In addition, the European sanctions mirror previous U.S. measures issued against North Korean and Russian threat actors. However, these measures were unlikely intended as a dose of direct punishment. After all, few of the Russian, Chinese, and North Korean operatives hit with a travel ban were likely planning a visit to mainland Europe anytime soon.
Responding to Irresponsible Behaviour
Instead, these sanctions are most likely intended as a form of political messaging. By calling out specific forms of cyber activity, the EU has clarified its red lines. The sanctions have responded to campaigns that contained either an overtly destructive element or commercial espionage activity. The EU is therefore distinguishing between these forms of activity and what might be considered traditional espionage—i.e. information gathering campaigns against government and military entities, and an activity that is tacitly acknowledged as fair game by the international community. However, as Dr. Florian Egloff has highlighted, the EU has left its latest move open to ambiguity by refraining from spelling out what they are trying to achieve or specifying their desired future operating environment.
The EU’s sanctions do, however, represent a strong statement of collective action. Cost-benefit calculations shift as more states punish pernicious cyber activity at the same time. We might not expect a small European state to retaliate to a Russian or Chinese state-sponsored campaign independently, yet as part of a larger group there is a safety in numbers. Ultimately, as more states commit to sanctions or attribution statements, it becomes easier for additional states to join in with the political costs reduced. It is here that these latest developments are significant. When the Five Eyes (Australia, Canada, New Zealand, the UK, and the U.S.) initially tied NotPetya to Russia in 2018, they did so alongside Denmark, Estonia, Lithuania and Ukraine. Yet, as Professor Thomas Rid questioned at the time, where was France and Germany? To see European states now work together, and under the rubric of the world’s largest political union, highlights an unambiguous collective spirit. With the sanctions also mirroring many previous U.S. efforts, it remains to be seen whether future cyber sanction regimes could involve a combined transatlantic effort.
Sanctions of this nature therefore ramp up the pressure and political cost for conducting cyber operations that violate international norms, such as destructive attacks or ones that undermine the fabric of democracy. Sanctions are most likely to impact states that can be influenced by the international community, yet could also provoke retaliation from states such as Russia who have adopted a bullish attitude to their cyber operations. However, the message being sent by these sanctions goes further than just the specific operations being called out. The EU will be acutely aware that many states are currently developing cyber operational capabilities, highlighted over the last five years by the growth of Iranian and Vietnamese threat actors. The threat landscape will likely continue to see this ‘rise of the rest’ trend emerge as other states start to actively conduct cyber campaigns. Issuing sanctions therefore also sends a clear message to emerging threat actors.
Attribution and Cyber Threat Intelligence
Sanction regimes are not possible without confident attribution. While the specific government agencies informing the threat activity have not been named, this process almost certainly leveraged cyber threat intelligence at various stages. Government threat intelligence has previously provided context for states choosing to name and shame aggressors. Yet, it has been questioned whether threat intelligence—often couched in caveats and estimated language—provides the definitive proof required to justify more punitive measures, such as formal sanction regimes. This incident, however, serves as a reminder that threat intelligence can provide highly robust insight, which can inform political processes.
Cyber threat intelligence functions should always strive to ensure their reports are actionable across a range of stakeholders. These latest developments demonstrate that CTI can be highly influential in the decision-making process at the highest level of government.