The U.K., the Netherlands and other European Union governments are pushing the bloc to expand the scope of its sanctions regime to include cyber attacks, following alleged attempts by Russian and Chinese operatives to infiltrate the computer systems of agencies in Europe and the U.S.
The EU has sanctions protocols in place targeting states for violating nuclear and chemical weapons treaties or harboring terrorism. Now the group of countries, which also includes Estonia, Finland, Lithuania and Romania, wants the bloc to introduce a similar system against the individuals and organizations that are behind cyber-attacks, according to a memo obtained by Bloomberg. EU leaders are slated to discuss security next week in Brussels.
“We urgently need to implement a similar regime to address malicious cyber activity,” the countries wrote in the memo to the EU’s other member states. “The pace of events has accelerated considerably,” making “the introduction of such a regime a pressing priority,” according to the memo.
U.S., U.K. and Dutch authorities last week accused officers from Russia’s GRU military intelligence agency of attempting to breach organizations that were looking into allegations of Russian wrongdoing, including several anti-doping agencies and a United Nations chemical weapons body. A separate Bloomberg Businessweek story last week detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Super Micro Computer Inc.’s server motherboards.
EU sanctions typically take the form of asset freezes against companies and individuals and travel bans against individuals. The bloc also has the ability to apply broader economic penalties — a policy used against Russia over its encroachment in Ukraine.
The group is recommending that cyber penalties focus on individuals and entities. It said the door should also be left open to making cyber-crimes subject to “sectoral measures.”
The EU has been mulling such a cyber sanctions regime since 2015 and the group of countries is pressing the bloc’s 28 nations to formally agree on the matter at a gathering of EU leaders in Brussels next week.
The next draft of the summit’s conclusions will be circulated among the EU’s national governments on Monday. A person familiar with the matter said that European Council President Donald Tusk, who chairs the meetings of the bloc’s leaders, is mulling whether to include the cyber sanctions reference in the latest version. The communique will then be subject to additional revisions by and on Oct. 18, when EU leaders formally adopt it as a collective decision.
Sanction-worthy behavior would include criminal attacks on information systems, cyber-enabled theft of intellectual property and malicious cyber activities from state or non-state actors, whose behavior was explicitly or tacitly condoned by a foreign government, the countries said. They added the EU should also consider sanctioning activities that seek to interfere in elections. EU elections are set for the spring.
Attributing cyber attacks remains a key hurdle to any sanctions regime, as bad actors often try to fake data points like internet protocol addresses and domain names that could trace back to them. The countries in their memo, however, pointed to detailed and well-researched reports produced by the private sector using open source evidence.
“The lack of an international response leads” actors to conclude that malicious cyber activity is “low cost,” the countries wrote. “Restrictive measures would be a powerful tool to change behavior through signaling at a political level that malicious cyber activity has consequences.”