In the absence of clear international law on state-led or sponsored cyber activity, cyber norms are surrounded by ambiguity and different interpretations. Cyber sanctions are a relatively new tool the EU has to promote norms on appropriate state behaviour in cyberspace and clarify such ambiguity. However, the EU has to be careful in its application of cyber sanctions to avoid accusations of double standards and to create a system with enough clarity and buy-in to effectively communicate cyber norms.
With no clear path to an international cyberspace treaty, cyber norms are increasingly important in setting expectations for state behaviour in cyberspace. In 2019, the EU established its cyber sanctions regime through Council Regulation (EU) 2019/796 (the Regulation) and Council Decision (CFSP) 2019/797 (the Decision), imposing sanctions on malicious cyber activity. The EU’s latest Cybersecurity Strategy has reaffirmed the bloc’s commitment to “a global, open, stable and secure cyberspace, grounded in the rule of law, human rights, fundamental freedoms and democratic values”. The EU’s cyber sanction regime is arguably the most efficient tool the union has for promoting its normative vision for the Internet. Yet, the sanctioning regime has been critiqued for upholding double standards for cyber espionage and for a lack of clear signalling.
In response, the EU must clarify why cyber sanctions are necessary for promoting norms in cyberspace and ensure its signals are clear, effective and legitimate. There are three specific things the EU can do to achieve this: provide greater clarity about when cyberattacks amount to a significant effect; work with international partners to jointly implement sanctions; and acknowledge that cyber sanctions, while useful for promoting norms, are less useful in directly impeding attackers.
From International Law to International Norms
In the face of increased state-backed cyberattacks and the absence of an international cyberspace treaty, norms are gaining relevance in the governance of state cyber activity.
The absence of an international treaty for cyberspace is sometimes viewed as providing states manoeuvring through cyberspace with desired ambiguity. While online criminal activity is already condemned and regulated by domestic law enforcement and treaties such as the Budapest Convention, this is not the case for state-led nor state-sponsored cyber activity. Although the 2015 UNGGE report noted that international law does apply to cyberspace, how exactly remains a source of disagreement.
In the absence of a holistic legal framework covering state behaviour in cyberspace, the focus has been on understanding how existing international law applies to cyberspace as well as on the development of agreeable cyber norms. The UNGGE and Open-Ended Working Group (OEWG), in particular, has produced two separate reports (published in March and Summer 2021) resolving some of the disagreements in the debates about the norms, rules and principles of responsible state behaviour in cyberspace. Yet this process of international norm development has still not resulted in clearly defined norms. These groups do little to establish how cyberspace norms should be interpreted and implemented, providing vague guidance. The reflections of the OEWG Chair’s Summary make clear that, despite the consensual nature of the report, differences among the states still exist — even though both the UNGGE and Open-Ended Working Group reports note that states should adhere to a common understanding of norms and reaffirm General Assembly resolution 73/27. This resolution holds that states should work together to ensure ICTs are not used for criminal or terrorist activity or to break international law, and that states should ensure that their territories are not used for attacks against critical infrastructure. However, little work is done in interpreting and implementing such norms. In short, the clarification of norms and their successful diffusion among the international community leaves much to be desired.
In addition, an increase in state-sponsored attacks has increased the urgency of getting clarity about state interpretation of specific cyber norms. Notable attacks which triggered responses include the 2014 data breach at the Office of Personnel Management, the 2015 hack of the Bundestag Network, the 2017 WannaCry ransomware attack, the 2016/2017 Petya and NotPetya attack, the 2017 Operation Cloud Hopper attack against managed service providers, the 2018 attempted hack of the Organisation for the Prevention of Chemical Weapons, the 2020 SolarWinds attack and the 2021 Colonial Pipeline ransomware attack against a US oil pipeline system The surge in state-sponsored cyberattacks in particular, coupled with the uneven implementation and interpretation of cyber norms in international forums, highlights the need for clear norms to govern state behaviour in cyberspace.
Norms and the EU Cyber Sanction Regime
To understand the criticism of the EU sanctions regime and identify areas of improvement, it’s first necessary to review the definition of norms and outline the regime itself. The UNGGE’s 2021 report defines norms as “the expectations of the international community, [which] set standards for responsible State behaviour”. Applying this definition to cyberspace, cyber norms are the international community’s expectations about what cyberspace activities states may and may not engage in, with a particular focus on cross-border cyber activity. While states may agree on norms defined in the abstract, there are likely to be disagreements about their meaning and the conditions of their application. The surge in state-sponsored cyberattacks in particular, coupled with the uneven implementation and interpretation of cyber norms in international forums, highlights the need for clear norms to govern state behaviour in cyberspace. These signals determine, in turn, how other states understand the EU’s approach to cyber norms.
The EU’s cyber sanctions are one of the tools of the Joint EU Diplomatic Response to Malicious Cyber Activities, referred to as the Cyber Diplomacy Toolbox. Specifically, travel bans and asset freezes may be imposed on individuals or bodies found to be responsible for cyberattacks or attempted cyberattacks. Such attacks must pose a significant or potentially significant effect constituting an external threat to the EU or its member states to be sanctionable. The cyber regime defines cyberattacks as actions involving: “(a) access to information systems; (b) information system interference; (c) data interference; or (d) data interception”. Significant effect refers to the “scope, scale, impact or severity of disruption caused”, specified as the level of economic damage, the effect on essential services and critical state functions, the number of entities and member states affected and the type and nature of data stolen.
Critiques, Responses and Areas for Improvement
The wording of the Regulation and the Decision clearly uphold established cyber norms against criminal and terrorist activity in cyberspace. Yet, in defining cyberattacks as involving access to information systems and data interceptions, the EU appears to promote a norm against cyber espionage as well. This has led to accusations that the EU is upholding a double standard, imposing sanctions in response to the activities of adversarial state intelligence agencies while turning a blind eye to those of allies. This perceived lack of legitimacy hinders successful norm promotion. For example, the rationale behind imposing sanctions in response to the Bundestag attack highlighted its significant effect, noting that the parliament’s information system was attacked and a “significant amount of data was stolen” and that the accounts of MPs and the Chancellor were affected. However, classifying such an attack as traditional intelligence gathering makes it appear that, in words and actions, the EU is sending the message that cyber espionage violates a norm — but only when it is conducted by adversaries, not allies.
Furthermore, the signalling aspect of the EU’s cyber sanction regime has been undermined, as it is an indirect response. That is, travel bans and asset freezes do not directly impede the ability of actors to persist in malicious cyber activity.
Responding to these two critiques requires recognising that the nature of cyberattacks is rarely traditional intelligence gathering and reconsidering the purpose of norms, particularly with respect to cyber espionage. The following three points respond to these critiques in detail, and suggest ways the EU might improve its cyber sanctions regime.
First, cyber espionage rarely means simple traditional intelligence gathering. Gaining access to a system is always a first step in impeding its ability to operate. Compromising the integrity of an information system, even if only to gather data, means an external actor has some degree of control of the system itself. For example, the EU sanctions against the individuals responsible for the Bundestag hack note that the attack “affected its operation for several days”. Therefore, cyber sanctions imposed by the EU do not necessarily impose a double standard, as cyber espionage compromises operability. Additionally, commentators have argued that the Bundestag attack was not a traditional intelligence gathering operation because of the strategic context of the hack. Russia’s role as the alleged perpetrator suggests that such activity aligns with its efforts to undermine democracy and to increase Russian influence on democratic states’ election processes. Furthermore, while there is no international treaty regulating espionage, espionage remains an illegal domestic activity. The EU’s sanctioning of individuals and institutions engaged in cyber espionage is akin to domestic consequences, such as imprisonment, that would be imposed upon actors conducting espionage or trading state secrets in a member state’s territory. As cyberattacks normally occur within a state’s territory but originate outside of it, the application of sanctions is comparable to the domestic application of laws against espionage.
To further refute claims of a double standard, the EU could work to clarify what makes certain cyber espionage attacks worthy of a diplomatic response. Laws and norms are, in part, based on state practice and the EU can make clear which types of cyber espionage do and do not merit sanctions to promote consistent norms for cyber espionage and cyberspace more broadly. For example, the Bundestag attack resulted in sanctions, but comparable attacks did not. Clarifying what is a “tolerable” cyber espionage attack versus one that breaks a norm is necessary to deter attacks of the latter kind, and such a distinction is especially important to ward off perception of a double standard. This can be done by distinguishing between cyber hacks and “cyber eavesdropping”, which is conducted by intercepting data transmissions rather than by infiltrating a network itself, thereby not directly inhibiting operability. This is comparable to bugging phones and is arguably more like traditional intelligence. Therefore, each application of sanctions should make it clear how the nature of the attack amounted to posing or having a significant effect. For example, the EU could make clear that the threshold for significant effect is always met when government information systems are targeted and rendered inoperable. Clarity and consistency are essential to ensure sanctions are included in a malignant actor’s cost-benefit analysis for a cyberattack.
Second, for norms to be successfully diffused, large buy-in is needed. The EU cyber sanction regime allows sanctions to be imposed in response to attacks against third states and international organisations. The sanctions imposed against the individuals responsible for “Operation Cloud Hopper” were, in part, because of its “significant effect against third States”. The EU might consider formalising this process by engaging more with like-minded states to better diffuse a shared set of norms internationally. This could be achieved by EU engagement through plurilateral and bilateral initiatives, and by creating a coalition where a violation of a cyber norm against one state triggers sanctions from all states, even those not directly impacted. Similar cases have occurred in the past when the EU has jointly added sanctions alongside the US and Canada. Establishing a common international framework for when to apply cyber sanctions boosts the legitimacy of the EU cyber sanction regime and the effectiveness of sanctions, thereby increasing the costs for potential attackers.
Third, the current sanctions regime is not the most effective in defending against cyberattacks. Travel bans and asset freezes can raise costs but do not directly impede an actor’s ability to infiltrate networks. Sanctions are a signalling device and the impact of signalling is partly a function of making clear that retaliation can occur. Retaliation that increases costs but does not directly impede the undesired action is unlikely to be as effective in changing behaviour as retaliation which achieves both. However, norms are meant not to directly punish but to create an expectation of when punishment will occur. As such, other facets of the EU, such as the EU CERTs and ENISA, should be used to respond directly to and defend against cyberattacks. As these EU bodies engage directly in cybersecurity and not normative discourse, the strength of the EU’s cyber sanction regime lies in its ability to promote norms and influence state behaviour, rather than in its ability to directly protect the bloc against cyberattacks.
Thumbnail Image credits: @jan_huber on Unsplash.
