Attribution: A Major Challenge for EU Cyber Sanctions – An Analysis of WannaCry, NotPetya, Cloud Hopper, Bundestag Hack and the Attack on the OPCW
- 16 December 2021
- Bendiek, Annegret; Schulze, Matthias
The European Union first imposed what were referred to as “cyber sanctions” against individuals associated with the Russian, North Korean and Chinese govern-ment in July 2020. The measures include travel bans and asset freezes. They apply across the EU 27 and have been adopted as a diplomatic or political response to malicious cyber operations against the EU. Cyber sanctions are only one of the common diplomatic instruments that are part of the EU’s cyber diplomacy toolbox. Their intensity is adjusted to stay below the threshold for armed conflict. Since 2017, EU Member States have been using this toolbox to try to respond to serious cyber operations in a coordinated way under the Common Foreign and Security Policy (CFSP). However, demonstrating and implementing a proportionate, coherent and, above all, legally justified EU response to cyberattacks is highly challenging. The diplomatic response must be consistent from a legal, technical and political perspective, in the event that listed individuals challenge the EU’s restrictive measures (financial sanctions or travel restrictions) in court. Under Article 263 IV of the Treaty on the Functioning of the European Union (TFEU), the targets of such punitive measures enjoy full legal protection from the European Court of Justice (ECJ).
If the EU wants to impose legitimate cyber sanctions, it first needs to determine the origin (attribution) of cyberattacks in a careful and reasonable manner. However, at EU level, the process of attribution, i.e. the technical, legal and political assignment of individual responsibility for cyberattacks, is incoherent and partly contradictory. The reasons for this are manifold. Attribution is a sovereign act of the Member States which have varying technical and intelligence capabilities. The EU’s role is only to coordinate, collect forensic evidence and share intelligence among the Member States and EU institutions. Given the increasing number and intensity of attacks in the cyber and information domain space (CIR), attribution is key. It is also necessary to be able to uphold the principle of responsible state behaviour which the EU promotes.
More external publications
- Research and Analysis