European cyberspace sanctions: a legal arsenal in need of fine-tuning?


The forced landing of an opponent of the Belarusian regime, with the more or less tacit consent of Russia, has prompted Europe to question its relationship with Russia. It has to be said that the greatest threat to Europe and its NATO allies remains Russia. This is all the more true for the Baltic states – particularly Lithuania, where the Belarusian opponent was due to land – which, although under the NATO umbrella, witness Russian destabilization attempts on a daily basis, whether through cyber disinformation or full-scale cyber attacks. This form of Russian destabilization is carried out in a particularly insidious way, and most of the time the threat cannot be traced back to the Russian state. One of the most serious of these cyberattacks was the 2007 attack on the Estonian government in Tallinn, which paralyzed a large part of the country’s economy for two days. Since then, Europe has put in place a legal framework tied to one possible, but not exclusive, type of diplomatic response: sanctions. While sanctions are typically imposed to change the international political behavior of a state actor, they are sometimes used to change individual behavior by sanctioning named individuals. At present, the institutions of the European Union have set up a system of sanctions to punish cyber-attacks or cyber-destabilization carried out by a third party against a member state.

At a time when the Joint Cyber Unit planned by the European Commission is due to come into force on June 30, 2023, creating a brand new structure to detect and combat cyber attacks more effectively, the European Union would be well advised to reform a tool that is due to form part of the fourth pillar of the new joint entity. In any case, the European Union’s sanctions regime needs to adapt to the new and growing threats posed by cyber attacks. This inevitably means overhauling the European Union’s sanctions regime, keeping its specific features, while looking at what is being done elsewhere, notably in the USA, where a legal framework for such sanctions has existed since 2015.


The existence of European sanctions

The European Union’s sanctions regime was set up in 2019 by Council Decision 2019/797 and by Council Regulation (EU) 2019/796 [1]. These texts now provide a solid legal basis for the introduction of such sanctions. According to them, the aim of the regulation and the decision is to “deter and respond to cyberattacks with a significant effect, which constitute a major external threat to the European Union and its member states”.

On the basis of lists of named individuals involved in cyber-attacks, measures such as visa restrictions and asset freezes can be taken against them.

First of all, Article 1 stipulates that the cyber-sanctions regime applies to attacks constituting an external threat, i.e. cyber-attacks originating or conducted from outside the Union, using infrastructures located outside the European Union, executed by any natural or legal person, entity or body established or operating outside the Union, or carried out with the support, under the instructions or under the control of any natural or legal person, entity or body operating outside the European Union. The regulation therefore requires a foreign element in order to be applicable, i.e. an operation for which at least the preparatory elements were carried out outside the European Union. Obviously, the regulation will be applicable if all the elements of the cyber attack, from the preparatory element to the attack itself, have been carried out from outside the European Union. Conversely, it will not be applicable when the cyber attack has no external dimension, in which case the perpetrator must be apprehended by the authorities of the Member State from which the attack was carried out.

Secondly, the sanctions regime, like any diplomatic sanctions regime, has an eminently political value. Regulation 2019/796 allows sanctions to be taken on the basis of Article 21, paragraph 2, of the TEU (Treaty on European Union), which sets out the objectives of the Treaty, i.e. safeguarding the values of the European Union, its fundamental interests, its security, its independence, and the consolidation of these same values [2]. Clearly, the imposition of sanctions on the basis of Regulation 2019/796 must be necessary in order to meet the European Union’s objectives of preserving its autonomy and values. It is therefore theoretically conceivable that the European Union could decide to apply this sanctions regime in response to attacks on allied third countries or international organizations. European sanctions can therefore potentially have an extraterritorial dimension, by coming to the aid of a non-EU country or an international organization not located on the territory of an EU member state, if doing so meets the objectives set out in the Common Foreign and Security Policy. Naturally, this assistance role is assigned to NATO by Article 5 of the Washington Treaty, which states that “the Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against all the Parties”. But this framework seems difficult to transpose to cyber attacks. On the one hand, Article 5 was conceived solely with a view to mutual defense against aggression – in the classic sense of the term, i.e. military aggression – and on the other hand, NATO does not offer a sanctions mechanism to respond to cyber aggression, nor is this its role. Finally, the European sanctions framework offers the advantage of flexibility, making it possible to respond to aggression which is not directed exclusively against a NATO country, but against any State or international organization, provided that this meets the objectives of the Common Foreign Policy defined by the European Union under Article 21, paragraph 2. The geographical scope of these sanctions is therefore potentially wide.

Nevertheless, the material scope of cyber-sanctions is limited by the regulation to activities having a “significant” effect [3]. This de facto excludes operations with minimal impact, such as one or more intrusions into a computer system or information system that do not hinder or interrupt its operation: to fall within the regulation, the intrusion must have the effect of hindering or interrupting the operation of such systems. As the regulation only applies to attacks affecting the interests of the European Union, the significant impact of the hindrance or interruption can be considered to be automatically constituted when it concerns the EU’s institutions, bodies or agencies, or representatives of the European Union. For other interruptions and hindrances, the “significant” impact must be assessed taking into account, according to the regulation, several concrete criteria such as the scope, scale, impact or seriousness of the disruption caused (...) to State functions, public order or security, as well as the number of natural or legal persons, entities or bodies affected, or the number of Member States concerned. These criteria obviously raise the question of how to concretely assess the impact of cyber attacks on member countries or European institutions. In reality, the degree of seriousness is very difficult to measure, and depends less on objective considerations than on political variables.
While it is conceivable, as envisaged by the regulation, that the amount of economic loss caused to the company or the economic benefit derived by the perpetrator, or even the quantity or nature of the data stolen, could be taken into account by the Council of the European Union as an objective element for assessing the “significant” nature of the attack, the criteria are not exhaustive and leave considerable room for political appreciation. Let’s not forget that the Council of the European Union is made up of 27 heads of state and government from countries that each have their own political persuasion. They will thus always seek to impose their political vision to the detriment of objective criteria for assessing the seriousness of the situation presented to them. It’s true, however, that judging “impact criticality” using simple “objective” criteria is complicated. Certain medium- or long-term consequences for the company or institution that has been attacked are difficult to assess in the aftermath of a cyber-attack. For example, economic or reputational damage may only become apparent years after the attack.

Lastly, the texts refer to the possibility of imposing sanctions against attempted cyberattacks that could have had a significant effect. This possibility raises doubts as to its real applicability, given the difficulty of proving the significant effects of an operation that was never actually completed. Nevertheless, this provision can be explained by the political will of the EU Council not to allow attempts to go unpunished, which could encourage future attacks.

This sanctions regime has the advantage, however, of existing where there is no legal framework within the UN that would allow such a regime to be put in place. The UN sanctions regime is based on Article 41 of Chapter 7 of the UN Charter, which stipulates that sanctions do not involve the use of armed force: “The Security Council may decide what measures not involving the use of armed force shall be taken to give effect to its decisions, and may call upon Members of the United Nations to apply such measures. Such measures may include the complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio and other means of communication, as well as the severance of diplomatic relations”.

It is therefore up to the Security Council to decide on measures that do not involve the use of armed force. However, on the one hand, China and Russia, through their presence on the Security Council and their veto power, would certainly block any proposal to introduce a sanctions regime, and on the other hand, there is in reality no consensus on this issue within the UN General Assembly or the UN Security Council. Thus, during a committee session organized on October 23, 2017 [4] on the subject of cyberspace, the members of the Security Council displayed their differences, notably Russia, for whom “the application of existing international law to cyberspace is a means of covering up forceful actions in the sensitive field of space-based information”. The EU’s sanctions regime, which is autonomous from that of the United Nations even though it transcribes many UN sanctions resolutions into EU law, comes into its own here.


Examples of sanctions taken by the EU on the basis of regulations

Based on these regulations, the European Union’s first sanctions against cyber-attacks were taken against Russians, Chinese and North Koreans involved in attacks such as WannaCry, NotPetya or Cloud Hopper. Thus, by Council Implementing Regulation (EU) 2020/1125 of July 30, 2020 implementing Regulation (EU) 2019/796, two North Korean and Chinese companies and six nationals of these countries were sanctioned with an asset freeze and a travel ban within the European Union. What these attacks have in common is, on the one hand, the means used: the “WannaCry” or WannaCrypt ransomware, software that takes personal data hostage and exploits a security flaw in older Microsoft systems that are behind on their updates and therefore vulnerable; and, on the other hand, the scale of the “WannaCry” ransomware, which affected at least 3,000,000 computers in 150 countries, including Russian agencies. Finally, by Implementing Regulation (EU) 2020/1536 of October 22, 2020 applying the same regulation, the Council of the European Union imposed restrictive measures against two individuals and an organization responsible for attacks on the German Bundestag [5] (German Federal Parliament).

At present, a total of eight individuals and four entities have been designated under Regulation (EU) 2019/796, and are therefore subject to an asset freeze and a travel ban within the EU. It is worth noting that not only two sub-directorates of the GRU, Russia’s military intelligence directorate, but also six Russian nationals have been sanctioned under Regulation 2019/796. The question of attributing responsibility for these attacks to the Russian state therefore arises, even though the “WannaCry” and “NotPetya” attacks affected Russian entities. This question of attributing responsibility for the attacks to a sovereign country inevitably raises the question of the imputability under international law of an illegal act to a State. Thus, for a cyber attack to be attributed to a State, the internationally reprehensible act must be attributable to the State, the conduct must constitute internationally wrongful conduct, and there must be no circumstance precluding the wrongfulness of the act in question. It is also worth remembering that the rules on attributing acts to a State apply in cyberspace, since international law applies to State activities in cyberspace [6]. As one German diplomat put it, the attack “doesn’t take place in cyberspace, but in a specific place”, so that a cyberattack violates state sovereignty. However, according to the established case law of the International Court of Justice, notably Corfu Channel [7], it is not enough for the act to be carried out from the territory of a State or by citizens of that State for it to be attributed to that State. These people must also act under the instruction, direction or control of the State, for example by exercising public power.
Lastly, the same applies when the State in question approves after the fact the behavior of those responsible for the act. According to these attribution criteria, Russia is clearly responsible for the actions of the GRU, which in fact reports to Russian Defense Minister Sergei Shoigu, who in any case acts on behalf of the Russian state. However, the degree of certainty required by the European Union to attribute an internationally wrongful act to a State actually hinders the attribution of these cyberattacks to a State. Indeed, the European Union requires a near-certainty that the act is attributable to the State in order to impose sanctions, and the particularly complex nature of cyber-attacks often does not yield the degree of certainty required by the European authorities. Some European countries, such as the Netherlands or the UK, have nevertheless individually attributed cyber-attacks on several occasions as part of unilateral or bilateral declarations, as in 2018. But it has to be said that, in the absence of clearer proof of a State’s responsibility, the sanctions system will continue to designate individuals as bearing that responsibility.


The U.S. sanctions regime and its application

The United States adopted a regulatory framework very early on, instituting a system of sanctions against cyber-attacks. Thus, Executive Order 13694 of April 1, 2015 [8], the equivalent of a presidential decree in the United States, provides for a sanctions regime consisting of a freeze on the assets of people listed as SDNs (Specially Designated Names) by the US Treasury Secretary. As a result, the Executive Order imposes an asset freeze on persons listed or designated by name, and prohibits any US Person from doing business with a person listed or designated by the Secretary of the Treasury. The sanction is in itself particularly severe, since the USA applies the so-called “fifty percent rule” for freezing assets, i.e. any legal entity in which a listed person holds 50% or more of the shares is subject to the same freeze. Finally, OFAC’s extensive definition of “US person” leaves little room for nuance. US persons are defined as “any US citizen, permanent resident, and any entity organized under the laws of the United States or any jurisdiction within the United States, including foreign branches”.

The recognition of the need for a specific cyber sanctions regime is linked in particular to the numerous instances of Russian interference, notably during the election of President Donald Trump.

Thus Executive Order 13694 was quickly amended by Executive Order 13757 of December 28, 2016 [9], issued by President Barack Obama following Hillary Clinton’s defeat in November of the same year. In many ways, the defeat was Russia’s fault. Both Executive Orders recognize the possibility, as does the European sanctions regime, of naming individuals involved in cyber-attack activities. Thus, on the basis of the two EOs, numerous natural and legal persons have been designated under the sanctions program they set up. In addition to the Russians sanctioned as a result of the interference, individuals and companies from Iran, Nigeria and North Korea have also been or are still being sanctioned on the basis of these two Executive Orders.

While the possibility of broader sanctions, such as sectoral sanctions, is also lacking here, the recent evolution of the US sanctions regime clearly pushes it in the direction of recognizing state responsibility in the area of cyber attacks. In fact, by Executive Order 14024 [10], President Joe Biden prohibits U.S. financial institutions from participating in the primary market for ruble and non-ruble bonds issued after June 14, 2021, in particular by the Central Bank of Russia, and from lending funds denominated in rubles or other currencies to the latter. OFAC has just given a particularly broad definition of a “US financial institution”, even if it excludes foreign subsidiaries of a “US person” from its application. The secondary sanction concerns any U.S. entity and its foreign branches whose business consists of accepting deposits, granting, transferring, holding or brokering loans or other extensions of credit, or commodity futures contracts. The term “U.S. Financial Institutions” includes depository institutions, banks and savings and trust companies, securities brokers and dealers, futures and options brokers and dealers, futures and currency dealers, securities and commodities exchanges, clearing corporations, investment companies, employee benefit plans, as well as U.S. holding companies, U.S. affiliates and U.S. business corporations.

Finally, and most importantly, the Executive Order directs the U.S. Treasury Secretary to impose asset freezes on a range of entities that may be involved in these activities, including any person who is or has been an official, leader or member of the government of the Russian Federation, or any political entity, agency or instrumentality of the Russian federal government. The official aim is to be able to sanction political entities that directly involve Russia as a state. The political statement accompanying the sanction leaves no room for doubt. According to Joe Biden, the aim is to punish Russia for “its actions of international destabilization” and in particular its attempt to interfere in the American political election, this time in 2020.

The US sanctions regime is therefore gradually moving towards a sectoral sanctions regime in the field of Russian national security. This tends to extend the scope of sanctions and to name Russia in cyberattack activities attributable to it.

Undeniably, the US sanctions regime remains political, given President Biden’s previous statements on President Putin. But in general, the American sanctions policy remains infinitely more proactive than the European one, since it is objectively difficult not to associate a GRU action with the Russian state. The fact remains that here, the will to sanction rests solely on the executive power, i.e. the American President and his Secretaries of State and the federal agencies closely linked to the American President.

Even if it is a fact that CISA, the American cybersecurity agency, takes into account open-source information from security companies such as FireEye, Kaspersky, Symantec or MITRE when identifying targets for sanctions, it’s easy to think that sanctions policy depends less on the findings of these companies than on the political conception of the president in office. This is even more glaring when compared with the sanctions introduced by the European Union: while the European Union has its own designation criteria, notably the “significant” criterion for an attack, and certain technical criteria for assessing it, the introduction of sanctions in the USA is a matter of near-discretion on the part of the American President.

However, it has to be said that this favors greater reactivity in implementing the decision, whereas in the EU member states have to agree unanimously before a decision can be taken.


Proposals to improve the European sanctions system

A more responsive Europe

The intensity of deterrence depends above all on the EU’s responsiveness in implementing sanctions. However, the decision to impose sanctions by the Council of the European Union, which has to be taken unanimously by the member states and the High Representative of the European Union for Foreign Affairs and Security Policy, encourages inertia within the Council if a member state opposes it. Even if other responses could be put in place, such as judicial ones, the diplomatic response through a coordinated sanctions policy remains at the heart of the common security policy sought by Europeans. In this context, it would be desirable for the Council of the European Union to place cyberspace-related sanctions on a more systematic agenda, or even to set up an exceptional European Council following major cyberattacks requiring sanctions.

On the other hand, cooperation between RELEX – the Group of External Relations Advisors, which deals with legal, financial and institutional issues relating to the CFSP – and the European External Action Service (EEAS), which deals with purely political issues, could prove crucial to the speed of the response. Sanctions policies are endorsed by these two European institutions, and then put on the Council’s agenda by COREPER. Coordination between these two entities could therefore take the form of the development of common assessment criteria, with a pre-existing list of criteria for designating these entities.

Solidarity between member countries

For a decision to be taken, all member states must subscribe to a single deterrence policy. To this end, it would be interesting to apply the mechanisms provided for in the European treaties in the event of armed aggression or terrorist action. For example, activating the solidarity clause provided for in Article 222 of the TFEU, which allows member states to act jointly to prevent terrorist threats to one of the EU countries, or Article 42.7 of the EU Treaty, which stipulates that in the event of a Member State being the object of armed aggression on its territory, the other Member States owe it aid and assistance by all the means in their power, would be desirable as a guarantee of solidarity among all member states. The aim is to involve member states in the decision-making process, by guaranteeing them joint European collaboration in the event of cyber-attacks, but also in the event of a third country retaliating against a sanction imposed on it. The aim is to provide a European response, rather than a NATO response via Article 5, and to give credibility to a common European security policy.

Designation of state authorities as responsible for attacks

The decision of the Council of the European Union establishing the framework for targeted measures excludes the possibility of attributing responsibility for the attacks to any one state. However, as we have seen, the question of a state’s responsibility is sometimes clear. The question of assigning political responsibility to another country – notably Russia – is left to the discretion of EU member states on a case-by-case basis. This provision seems at odds with current European objectives based on cooperation, particularly in the field of defense. On December 11, the Council of the European Union adopted a decision establishing Permanent Structured Cooperation (PESCO), enabling member states to work together more closely on security and defense issues. This PESCO or CSP is destined to expand, and currently involves 25 member states, who agree to adopt targeted or sectoral sanctions against entities or states on behalf of this new structure. In the final analysis, this structure does not commit states to solidarity in attribution, but it clearly encourages the European Union to adopt a common position. The cyberspace sanctions regime seems to be moving away from the possibility of linking sanctions taken in the name of PESCO or CSP, since it rules out common attribution and designation. It is not coherent to designate individuals or legal entities on PESCO’s behalf and then leave it to the individual member states to assign responsibility on a case-by-case basis. It would be like taking one step forward and one step back. At the very least, there needs to be joint coordination between member states, in the absence of joint attribution, as regards the recognition and attribution of attacks to a state. And yet, in the coming years, cyber defense could become one of the major thrusts of European defense policy, given the increasing scarcity of conventional forms of conflict.

The European Union is trying to have it both ways in terms of sanctions for cyber-attacks, leaving the primacy of attribution to member states, while at the same time implying that the state itself is responsible by placing natural or legal persons who are third-country nationals under sanction. Of course, it’s a diplomatic tool, so inevitably it’s sometimes a question of sparing the sensitivities of various parties, and of not damaging the EU’s possible bilateral relations with the state in question. But it has to be said that the tool lacks coherence in the face of a potential state threat. The United States is beginning to understand this through a sanctions regime aimed directly at the third-party state responsible.

Moreover, individual targeted measures have certain well-known limitations: they cannot have the desired effects of a coherent sanctions policy. The primary aim of a sanctions policy is to change the behavior of the offending state in terms of international law. However, it is clear that the meagre targeted sanctions taken against Russian or Chinese entities, whether individuals or legal entities, cannot have a significant dissuasive effect on the state from which the individuals are acting [11].

This doesn’t mean that we have to follow American logic completely. The European Union’s determination to build European strategic autonomy shows that the European Union must not unthinkingly copy the American sanctions model. We need to leave room for demonstrating the involvement of the State or of entities acting on its behalf. It would therefore be ideal to have a more sector-based system of sanctions aimed directly at the State, alongside a more targeted system of sanctions such as that currently set up by the Decision and the Regulation. In short, it’s a question of genuinely sanctioning the State when it obviously needs to be sanctioned, while remaining within the framework of the legality and proportionality of the measure taken in response to the aggression. It would have been imprudent, for example, to attribute the “WannaCry” attack to Russia when all the evidence suggests that Russia itself was affected by the attack.

In setting up this regime, the aim is not just to attack Russia, but also any state with the intention of attacking a member state of the European Union. Ideally, these sanctions should be imposed without ideological bias, but with firmness and without diplomatic restraint when state-sponsored cyber-attacks deserve to be denounced.

The need to respond to a state threat is now more than ever necessary, given the stakes involved in the threat of cyber-attacks. The European Union’s operational capacity to establish a coherent framework of state sanctions measures must be the cornerstone of its diplomatic policy in the years to come.

References
[1] Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States; Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (europa.eu).
[2] Regulation (EU) 2019/796, Article 1, paragraph 6: “Where deemed necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP) set out in the relevant provisions of Article 21 of the Treaty on European Union, restrictive measures under this Regulation may also be applied in response to cyberattacks with significant effects directed against third countries or international organizations.”
[3] Regulation (EU) 2019/796, Article 1, paragraph 1: “This Regulation shall apply to cyber attacks with significant effects, including attempted cyber attacks with significant potential effects, which constitute an external threat to the Union or its Member States”.
[4] First Committee: delegations remain divided on ways to prevent militarization, UN meeting coverage and press releases.
[5] Council Implementing Regulation (EU) 2020/1536, EUR-Lex document 32020R1536 (europa.eu).
[6] A handbook has been devoted to the applicability of international law to cyberattacks: Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Michael N. Schmitt (ed.).
[7] ICJ, Corfu Channel case, judgment on the merits of 9 April 1949.
[8] Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”, whitehouse.gov (archives.gov).
[9] Executive Order 13757, DCPD-201600880.pdf (govinfo.gov).
[10] Executive Order 14024, Federal Register: Blocking Property With Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation.
[11] Targeted Sanctions: The Impacts and Effectiveness of United Nations Action, Thomas J. Biersteker, Sue E. Eckert, and Marcos Tourinho.
