EU countries have been encouraged to name and shame foreign states that sponsor cybersecurity attacks, in an unusually outspoken announcement from the European Commission.
The EU executive called for governments to publicly attribute blame for attacks, in a bid to discourage criminals.
“The EU and its Member States need to improve their capacity to attribute cyber-attacks, not the least through enhanced intelligence sharing. Attribution would deter potential aggressors and increase the chances that those responsible will be made properly accountable,” the Commission wrote in a report published on Wednesday (13 June).
The report describes the Commission’s strategy for coordinating EU-wide responses to so-called “hybrid threats”, such as the poison attack on former Russian spy Sergei Skripal and his daughter earlier this year in the UK.
“Member States are invited to continue their work on attribution of cyber-attacks,” according to the document.
The strategy also includes a plan to expand the Commission’s Stratcom East unit, which responds to Russian online “disinformation campaigns conducted by hostile actors”.
The call for EU countries to blame cyber attackers marks the first time that the Commission has encouraged such public attribution.
“Our policies on cybersecurity and disinformation help to protect our democracies from hostile and malicious threats,” Commission Vice President Andrus Ansip said in a statement on Wednesday.
Ansip previously served as Estonian prime minister during a massive attack on the country’s government networks, banks and websites in 2007.
“Given their scale and scope, people should name names if they can: attribution of blame will deter potential aggressors and increase the chances that those responsible will be made properly accountable,” he added.
But researchers say that determining the source of a cybersecurity attack is difficult, and governments may shy away from attributing blame to attackers out of fear of escalating tensions with foreign states.
“Attribution is really difficult for most states, so the question is, how sure do you have to be that a certain actor is behind it before you start publicly calling them out?” said Sven Herpig, the director of the Transatlantic Cyber Forum at the Stiftung Neue Verantwortung, a Berlin-based think tank.
The Commission hopes that governments will be less willing to sponsor cyber attacks if they fear public blame. But Herpig is sceptical. He said it’s “uncertain what public naming really gets you at the end of the day”.
Russia has not refrained from hacking since the government was blamed for attacking US Democratic party officials ahead of the 2016 presidential election, Herpig added.
US intelligence agencies said that Russia was responsible for the 2016 operation.
Earlier this year, the US and UK governments publicly accused Russia of organising the NotPetya attacks that crippled websites in Ukraine and across Europe in summer 2017.
The Commission also admitted in Wednesday’s report that “the lack of a joint secure communications network across the European institutions is an important shortcoming” that is hampering its efforts to improve cybersecurity safeguards across the bloc.
Last September, the Commission proposed a legal overhaul that would give more power to the EU’s cybersecurity agency and create a system defining how different European authorities should communicate with each other and react when there is a serious attack. The bill is still going through legal negotiations.