EU Issues Its First-Ever Cyber Sanctions

The European Union announced its first-ever cyber-related sanctions on Thursday, designating malicious actors from Russia, China, and North Korea. The designations provide an opportunity to bolster transatlantic cooperation to hold accountable hostile actors that use cyber means to threaten global security.

Using a new cyber sanctions framework created in May 2019, Brussels imposed asset freezes and visa bans against six individuals and three entities, including a cyber unit of Russia’s military intelligence directorate, or GRU, and four of its operators. Brussels designated them for attacks on Ukraine’s power grid in 2015 and 2016, the destructive NotPetya attack in 2017, and an attempted attack in 2018 on the Organization for the Prohibition of Chemical Weapons, which at the time was investigating chemical weapons use in Syria and Russia’s attempted assassination of defector Sergei Skripal in the United Kingdom using a lethal nerve agent.

The European Union also designated two Chinese hackers and their employer, Tianjin Huaying Haitai Science and Technology Development Co. Ltd, for their roles in China’s state-backed corporate espionage campaign called Operation Cloud Hopper. Finally, the European Union designated North Korean company Chosun Expo for supporting Pyongyang’s cyber operations, including the 2017 ransomware attack known as WannaCry.

Last week’s sanctions add teeth to European condemnations of significant cyberattacks. Sanctions, the European Union explained, are part of the bloc’s “comprehensive cyber diplomacy toolbox to prevent, deter and respond to malicious behavior.” Washington’s Cyberspace Solarium Commission similarly concluded that cyber sanctions on hostile governments and their operatives “generat[e] credible costs and benefits for norms enforcement,” which “reduce the likelihood and effectiveness” of attacks by changing cost/benefit calculations. For example, the Commission contends, when malicious actors know that they face a unified coalition, “they anticipate that bad behavior is likely to be more severely punished.”

The EU sanctions mirror U.S. efforts to isolate malicious cyber actors from the global financial system. Washington also sanctioned Chosun Expo as well as the same GRU operatives and the GRU itself. Collectively, these U.S. and EU sanctions make it nearly impossible for the designated actors to move money through the formal financial system, and signal that Washington and Brussels have sufficient forensic evidence to defend their attributions in a court of law.

Unlike the European Union, Washington has yet to sanction the Chinese hackers responsible for Operation Cloud Hopper despite having indicted them in December 2018. In fact, despite numerous indictments, Washington has not sanctioned any Chinese cyber operatives working for the Chinese Communist Party. These EU sanctions begin to close that gap. Now Washington should bring its sanctions in line with Brussels’ by designating these Chinese actors.

For its part, Brussels should expand sanctions to include other Russian, Chinese, and North Korean operatives sanctioned or indicted by the United States. In addition, Brussels should ensure that Iranian cyber operatives also come under scrutiny. While Iran has not successfully launched a global operation on the scale of NotPetya, Cloud Hopper, or WannaCry, Brussels will want to send a clear message that Tehran’s attempted cyberattacks on Israeli water infrastructure – and attempted attacks on any critical infrastructure – will result in swift censure.

Moving forward, Washington and Brussels should increase coordination on sanctions and attribution, including through joint sanctions announcements. While unilateral sanctions, particularly U.S. financial sanctions, have a significant impact on their targets, multilateral sanctions have a norm-enforcing benefit and make it difficult for malign actors to exploit differences in sanctions regimes. Likewise, coordinated attribution efforts, as the United States and its allies demonstrated in response to the WannaCry and NotPetya attacks, not only boosts technical cooperation but also signals unity and resolve.

Annie Fixler is deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Trevor Logan is a cyber research analyst. For more analysis from Annie, Trevor, and CCTI, please subscribe HERE. Follow Annie and Trevor on Twitter @afixler and @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.