On May 17, 2019, the European Union (“EU”) adopted new legislation for imposing sanctions on persons engaged in cyber-attacks on the EU or its member states, effecting a long-standing initiative and continuing a series of policy and regulatory decisions by various governments—most notably the United States—relating to the threat of cyber warfare.
The EU Council has been discussing the possibility of using sanctions to respond to cyber-attacks for several years. On June 19, 2017, the EU Council adopted a framework for a joint EU diplomatic response to malicious cyber activities called the “Cyber Diplomacy Toolbox,”[1] which expressed concerns about the increasing risks posed by malicious cyber activities. The implementing guidelines,[2] which followed the Toolbox, indicated that a sanctions regime could be used to deter and respond to malicious cyber-attacks. This objective was echoed by the chiefs of state and government of the EU member states who, on October 18, 2018, called for the adoption of a sanctions regime by the end of the 2014–2019 EU legislature.[3] Council Decision (CFSP) 2019/797 and Council Regulation (EU) No. 2019/796 make that regime a reality.
Sanctions against whom?
Sanctions can now be imposed on individuals and entities who:
(i) Are responsible for “cyber-attacks” or attempted cyber-attacks on the EU or its member states;
(ii) Provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging these attacks or facilitating them whether by action or omission; or
(iii) Are associated with the natural or legal entities mentioned in (i) and (ii).
Specifically, cyber-attacks are defined as actions involving access to or interference with information systems or interference with or interception of data that are either unauthorized or otherwise unlawful under EU or member state law.
The sanctions are targeted at significant cyber-attacks that pose an external threat to the EU and its member states. “Significance” is determined by a range of factors, such as the scope, scale, impact or severity of disruption caused and the amount of data loss or economic loss. “External” means the attack is carried out, or supported, from outside the EU.
For member states, this includes attacks affecting information systems relating to critical infrastructure that is essential for the maintenance of vital functions of society; services necessary for the maintenance of essential social or economic activities, such as the financial, energy and transport sectors; critical state functions, in particular in the areas of defense, governance and the functioning of institutions; the storage or processing of classified information; or government emergency response teams.
For the EU, it includes attacks on the EU's institutions, bodies or offices, its delegations to third countries or to international organizations, its common security and defense policy operations and missions, and its special representatives.
Note that where sanctions are deemed necessary to achieve common foreign and security policy objectives in line with Article 21 of the Treaty on European Union, the restrictive measures may also be imposed in response to cyber-attacks with a significant effect against third states or international organizations.
What kind of sanctions?
Targeted individuals and entities are subject to asset freezes, which (i) freeze all funds and economic resources that either belong to them or are owned, held or controlled by them and (ii) prohibit making funds or economic resources available directly or indirectly to them or for their benefit. These sanctions are subject to certain limited exceptions, which are common across other EU asset freeze regimes. Targeted individuals are additionally subject to travel bans, meaning that a member state must prevent such individuals from entering or transiting its territory.
Parallel US cyber-related sanctions program
The United States has implemented a similar sanctions regime. Specifically, on April 1, 2015, President Barack Obama issued Executive Order (“EO”) 13694, which authorized the imposition of sanctions against persons determined to be responsible for or complicit in, to have engaged in (directly or indirectly), or to have materially assisted in malicious cyber-related conduct. EO 13694 was subsequently amended by EO 13757 in December 2016 to include prohibitions specifically addressing cyber interference in US elections.
The US regime imposes targeted sanctions on individuals or entities for engaging in or attempting to engage in the following conduct:
(i) Various “cyber-enabled activities” originating from, or directed by persons located outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
(ii) The receipt or use for commercial or competitive advantage or private financial gain outside the United States of trade secrets misappropriated through cyber-enabled means, where this misappropriation is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy or economy of the United States; and
(iii) Materially assisting; sponsoring; or providing financial, material or technological support for, or goods or services to or in support of, any activity described in (i) and (ii) above.
If an individual or entity is determined to have engaged in any of the conduct described above, the US cyber-related sanctions program authorizes the imposition of “blocking” sanctions, under which such persons are designated on the US Department of the Treasury’s Office of Foreign Assets Control’s “SDN List.” This designation has effects similar to the EU asset freezes—individuals and entities on the SDN List are effectively prohibited from using the US financial system, and any assets they have within US jurisdiction are frozen or “blocked.” Moreover, US persons are prohibited from engaging in virtually all activities or dealings with such persons. It is important to note that individuals and entities determined to be owned by, controlled by or acting for or on behalf of any person designated on the SDN List under EOs 13694 and 13757 are also subject to being designated on the SDN List.
Additionally, the Countering America’s Adversaries Through Sanctions Act of 2017 authorizes sanctions against any person determined to have knowingly engaged in significant activities undermining cybersecurity against any person on behalf of the Government of the Russian Federation.
Why is this important?
The nature of the sanctions themselves (travel bans and asset freezes) is not new, but who they target is. Traditionally, EU sanctions have been directed at persons associated with sanctioned countries or involved in terrorism. At the beginning of 2018, the EU branched out to create a framework for imposing sanctions on persons involved in the proliferation of chemical weapons (Council Decision (CFSP) 2018/1544 and Council Regulation (EU) 2018/1542).
These sanctions are also the latest event in a flurry of regulatory activity relating to the threat of cyber-attacks generally.[4] Apparent Russian interference with US elections and, more recently, the concerns of a number of countries about the potential malign capability of Huawei technology have brought the threat of politically motivated cyber-attacks to the front pages of newspapers globally.
These provisions on cyber sanctions go into an unusual amount of detail to define the kinds of “cyber-attacks” that are caught, relative to the sort of definitions provided in other sanctions legislation. Although, on the one hand, this narrows the scope to “significant” attacks in particular, it also casts the net widely over the potential targets of these attacks, whether that be infrastructure, government functions or even whole economic sectors. This reflects how, in the modern interconnected world, any part of society can be subject to cyber-attack. And while the sanctions are not directed only at state-sponsored actions, that is clearly a major concern underpinning them, given the emphasis on “external” threats and the application to persons involved in supporting cyber-attacks—although notably the recitals to the Decision expressly differentiate the sanctions from “the attribution of responsibility for cyber-attacks to a third State.”
Going forward, it will be interesting to see how the sanctions are deployed in particular cases, especially where the targets are suspected to be proxies for third states.
[4] See, among others, the recent disclosure of the French Military Cyber Strategy on January 18, 2019 (quoted here: https://warontherocks.com/2019/04/a-close-look-at-frances-new-military-cyber-strategy/).