EU adopts system for cyber sanctions

Anyone who „maliciously“ penetrates European information systems from a third country must expect a ban on entry and the confiscation of assets. However, it is unclear how such an attack is to be attributed.

The European Union has adopted new ways of responding to cyber attacks. Suspected attackers from third countries must reckon with sanctions. A corresponding regulation was approved by the Economic and Financial Affairs Council on Friday and subsequently published in the EU Official Journal. It is therefore in force immediately.

In the „Regulation on restrictive measures against cyber attacks threatening the Union or its member states“, the EU states follow a graduated procedure. As with violations of the Foreign Trade and Payments Act, persons, organisations or other „institutions“ are placed on a sanctions list and banned from entering the EU. Their assets can be confiscated or „frozen“. Sanctions may also be imposed on persons or entities associated with the persons concerned. Aiding and abetting the circumvention of the EU measures will also be penalised.

Focus on critical infrastructure and elections

The cyber sanctions belong to the „Cyber Diplomacy Toolbox“, which the Council adopted two years ago. The aim is to „reduce any cyber threats“ and „deter attackers“. One year later, the EU adopted conclusions on „malicious cyber activities“ to support the project. They are intended to ensure a „free, stable and secure cyberspace“.

The regulation defines cyber attacks as unlawful access to information systems and the alteration and interception of data. Particularly important public and private infrastructures, including those for defence or „governance“, are highlighted, as are „submarine cables and objects launched into outer space“. It mentions services in the fields of energy, transport, banking and health. The disruption of elections will also be monitored.

EU intelligence centre to be upgraded

It is questionable how a „malicious cyber attack“ should be attributed. In order to determine the origin of the attacker, the intelligence situation centre INTCEN in Brussels is to be given more competences. The European Union has no competence for the coordination of European intelligence services, and the INTCEN is not allowed to engage in espionage of its own; it may only process analyses, reports and assessments from the member states. Nevertheless, the Centre should participate in the decision-making process for a possible response to „malicious cyber activities“.

Originally, INTCEN was supposed to assess the origin of „malicious cyber activity“ on a scale ranging from „remote possibility“ (0 to 5%) to „almost certain“ (95 to 100%). However, some Member States have narrowly curtailed such a proposal. One controversial issue, for example, is whether existing intelligence should be disclosed by national intelligence services. However, a paper describing the current state of discussion also mentions using information from third countries to identify an attacker. Presumably, this refers primarily to US intelligence services.

National secret services with their own agenda

If the INTCEN is dependent on external suppliers for its assessment, these must be of high quality. Otherwise, the EU intelligence agency could easily be influenced and abused by individual governments. German analyses come, for example, from the Federal Office for the Protection of the Constitution (BfV) and the Federal Intelligence Service (BND); the authorities have also sent their own representatives to the INTCEN.

Both services have repeatedly made allegations that turned out to be false. The former heads of the BND and BfV had declared that Edward Snowden was a spy of the Russian government. The secret services in Austria, which are all controlled by the FPÖ, obviously also have their own political agenda.

German government wanted majority vote

A deliberate or unintentional misjudgement by the secret services could therefore easily lead to the escalation of a conflict. This is exactly what the new regulation is intended to prevent. The Federal Government had also tried to tighten up the text of the law. According to the ideas of the Federal Foreign Office, the sanctions should not be decided unanimously, but with a qualified majority. This would have made it possible to overrule individual EU member states that have doubts about the origin of attacks or the effectiveness of sanctions.

It was also disputed who should actually supervise the implementation and monitoring of sanctions. The European Commission had insisted on assigning it the same implementing powers as in other cases. However, the governments themselves want to be responsible for this. The Commission therefore pointed out that the Council would then also have to deal with complaints from listed persons and opposition proceedings before the European Court of Justice. This, too, is usually the responsibility of the Commission.
