Under new EU rules, individuals and groups conducting cyber-attacks from outside the bloc may be hit with potential sanctions, including travel bans and asset freezes. But the measures announced on Friday will be applied only to “persons and entities” and not to national governments.
The measures were advocated by Dutch and British governments after their intelligence services launched an investigation last October and uncovered a range of cyber attacks last year, reportedly originating from the GRU, the Russia military intelligence service.
Most notably, the attacks had hit the Organisation for the Prohibition of Chemical Weapons (OPCW), based in the Hague, and led NATO Secretary General Jens Stoltenberg to say that Russia must “stop its reckless pattern of behaviour.”
The new plans aim “to deter and respond to cyber-attacks that constitute an external threat to the EU or its member states”.
Friday’s agreement allows the EU to “impose sanctions on persons or entities that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways,” a statement from the European Council read.
Certain punitive measures that could be dished out as a result of the new agreement include “a ban on persons travelling to the EU, and an asset freeze on persons and entities.”
An EU source told EURACTIV that the GRU attacks “brought everything to a higher level of urgency,” following the 2017 adoption of the EU’s cyber diplomacy toolbox, a framework that provides for a united diplomatic response to hostile cyber campaigns.
The source added that within the Council working party responsible for fleshing out the new measures, the “Netherlands and the UK worked hard to get this regime to the finish line.”
UK Foreign Secretary Jeremy Hunt praised the new agreement on sanctions. “This is decisive action to deter future cyber-attacks,” a statement from Hunt read.
“For too long now, hostile actors have been threatening the EU’s security through disrupting critical infrastructure, attempts to undermine democracy and stealing commercial secrets and money running to billions of euros.”
Dutch Foreign Minister Stef Blok echoed Hunt’s praise and said the Netherlands “attaches great importance to this vehicle that targets perpetrators of cyber attacks.”
“Our joint response sends a clear message: attacks in the digital domain are unacceptable,” he added.
In addition to concerns about Russian hacking efforts, UK intelligence services in January presented evidence to the EU of a coordinated hacking campaign conducted by Chinese state-linked group, Advanced Persistent Threat 10 (APT 10).
Member states had been considering a joint response to the attacks, but eventually adopted a statement that said the EU is “concerned by the rise in malicious behaviour in cyberspace aimed at undermining the EU’s integrity, security and economic competitiveness, including increasing acts of cyber-enabled theft of intellectual property.”
[Edited by Zoran Radosavljevic]