A regime for “cyber sanctions” is taking shape — and it could already hit mischievous election hackers in May.
The European Union is closing in on a procedure that would allow it to sanction foreign hacker groups when they target the upcoming EU election.
A plan drafted by the EU’s diplomatic service has been presented to national cyber experts and will be forwarded to foreign affairs attachés later this month, three officials briefed on the plan told POLITICO, asking not to be named because of the sensitivity of the ongoing talks.
The measures would allow EU countries to slap sanctions not only on hacker groups that succeed in intruding into IT systems, but also on those attempting to get in, like the suspected Russian intelligence officers who allegedly plotted but failed to hack into the Hague-based Organisation for the Prohibition of Chemical Weapons last year, the officials said.
Once operational, the EU measures would target individual hackers as well as state-linked groups with commercial bans and financial restrictions, like freezing assets. They would allow the EU to finally flex its economic muscle against a rising threat of foreign cybersecurity attacks.
“Having sanctions as one of the tools in the toolbox is important. We need to have a variety of tools,” said Chris Painter, a former U.S. State Department official who shaped a similar American regime under Barack Obama’s presidency. “You have law enforcement tools, you have diplomatic tools. But you have to have economic tools too.”
Diplomats working on the file added explicit language on sanctioning election hacks, the officials said, hoping the regime becomes operational before Europeans head to the polls in May for what is seen as Europe’s most hackable election ever.
National government leaders in October called on EU officials to speed up the work. In joint conclusions, heads of state denounced aggressive cyber action and asked to “work on the capacity to respond to and deter cyber attacks through EU restrictive measures.”
The draft plan also echoes much of what eight leading capitals wrote in a non-paper last fall. The eight countries said they want to make it possible to name the culprits and sanction them, following the rule book used for chemical weapons users.
But diplomats still face two key questions before they finalize the regime: How severe a hack needs to be to merit sanctions, and how to actually nail down perpetrators of attacks.
For the first issue, EU countries within NATO have already agreed massive cyberattacks could in principle constitute an act of war. But the EU is struggling to come up with a diplomatic response against all of the thousands of attacks targeting governmental organizations, companies, civil society groups and others in Europe every day — which, combined, constitute a serious threat to its economies and democratic systems.
The second issue stems from the difficulty of identifying perpetrators and making sure EU countries stick together on retaliation.
Many countries lack the technical ability to identify state-sponsored hacker groups. Others lack the political will to call out their sponsors. So-called attribution is a sovereign competence of national governments, but there would need to be some sort of consensus for sanctions to happen.
EU diplomats are expected to make sanctions possible if a country can provide criminal evidence against hackers, much like how the U.S. government releases indictments on hackers before following up with sanctions.
“Some countries aren’t susceptible to being named and shamed. That’s when sanctions and imposing other costs come into play. You have to follow up with something that is going to hit them and change their calculus,” Painter said.
The text was drafted by the EU’s diplomatic External Action Service. EU countries’ foreign affairs attachés tasked with managing sanctions regimes, and later ministers, would still have to approve it in the coming months.
The External Action Service’s press office said the Council is discussing outstanding questions, but that the discussions are confidential. It declined to comment on specific questions.