This article is part of our special report Europe’s cybersecurity agenda.
EU diplomats agreed to provide support to find and prosecute hackers outside the bloc and help member states that are hit with cybersecurity breaches, as part of a strategy to step up defence against large-scale attacks.
In a move to stop hackers and respond to major cybersecurity attacks, member states can help investigate criminals in countries outside the EU, according to a set of guidelines that diplomats have agreed on.
Foreign affairs ministers from EU countries already agreed in June that they could raise sanctions against third countries if an attack comes from those countries, or if they allow hackers to carry out attacks from within their borders.
Earlier this month, diplomats signed off on a more detailed set of guidelines for how the EU can respond to hackers.
The agreement comes after the large-scale WannaCry and Petya attacks hit European companies and government offices earlier this year.
EU institutions have started to up their work on cybersecurity. The European Commission proposed new legislation last month to give the bloc’s cybersecurity agency ENISA more power and to create a certification programme that measures how secure technology products are.
The so-called cyber diplomacy “toolbox” agreed by EU diplomats outlines how member states can react when they suffer major cybersecurity breaches.
Guidelines agreed on 11 October explain what the bloc plans to do to help prevent, stabilise and respond to attacks. They include the possibility of sanctions, as well as diplomatic intervention, help to prosecute criminals and support to EU member states that are targeted by hackers, EURACTIV has learned.
Member states can agree to use each measure separately or can use several preventative means or response tools together when the bloc is attacked.
Ministers can ask to trigger different response options listed in the guidelines even if an attack is considered an “unfriendly act”, an international law term for something that is harmful but not illegal, as well as if it is deemed a more drastic “wrongful act”.
When ministers agreed on the toolbox in June, they underscored that the EU would not need to prove that hackers come from a certain country before carrying out any of the measures to stop or respond to a cybersecurity incident.
Security researchers warn that it can be very difficult to trace where an attack comes from.
“The EU stresses that not all measures of a joint EU diplomatic response to malicious cyber activities require attribution to a state or a non-state actor,” the ministers’ statement from June reads.
Ukraine pointed blame at Russia’s security services for the Petya malware attack in June, but Russia has denied involvement.
Petya also hit Maersk, the Danish shipping firm and German personal care company Beiersdorf, among other European companies.
Tim Maurer, director of the cyber policy initiative at the Carnegie Endowment for International Peace, a think tank based in Washington, said EU countries’ move to agree on how they will react to hackers shows a “a new level of maturity”.
Member states will still need the intelligence to attribute attacks to perpetrators.
“Some countries might have had the ability to attribute beforehand but how do you coordinate that across national boundaries?” Maurer said.
“We’re now reaching a mature point where the coordination is in place, technical abilities are in place and there is an ability to attribute malicious activities across borders,” he added.
The toolbox shows that EU member states are now willing to work in unison although cybersecurity issues have often sparked mistrust between countries in the bloc.
Some experts warn that there is a risk that EU countries’ efforts could fall flat if they don’t use their new powers when they are attacked.
“The toolbox will create a presumption that some malicious cyber operations will be met with these tools. The threat is there will be words but no meaningful response,” said Liis Vihul, CEO of Estonia-based consultancy Cyber Law International.
“It’s a question of perception. The EU might seem weaker in its ability to deal with malicious cyber activities than it would without it.”
The EU’s move to outline its responses to cybersecurity attacks is likely to attract attention because it shows a group of countries agreeing on measures to stop or react to hackers.
In June, negotiators at the UN failed to agree on cyber defence measures and response tools to malicious acts when they were opposed by Russia, China and Cuba.
Vihul said the EU cyber diplomacy toolbox carries more weight because the UN talks collapsed.
EU sanctions are the most drastic response on offer in the cyber diplomacy toolbox. After Petya and WannaCry, some cybersecurity observers question whether hackers behind such rapid and widespread attacks can be dissuaded by sanctions.
Maurer argued that sanctions might be the most proportionate way to respond to cybersecurity attacks that cause a new kind of damage that governments are still trying to understand.
“Some of the effects are below the threshold of causing physical damage or harming a person, yet they cause a lot of economic harm. It’s a grey zone that didn’t exist before,” he added.