By Robin Vandendriessche
The European Union Agency for Cybersecurity (ENISA), in its threat landscape report of 2021, stated that cyberattacks have continued to increase in terms of numbers and impact. These threats have become more brutal and sophisticated, as the Chinese cyberattacks on European hospitals in 2020 or the Russian cyberattacks targeting politicians ahead of the German election in 2021 have proven. Nevertheless, threats such as these take place in a legal vacuum as they are not severe enough to trigger article 5 of NATO or the mutual defense clause in the EU treaties but still threaten the Union’s security and democratic integrity.
In 2017, the Council agreed to develop a framework for a joint EU diplomatic response to cyber-malicious activities. The cyber diplomacy toolbox enables the Union to use several measures within the Common Foreign and Security Policy, including the imposition of sanctions. The legal framework was adopted in May 2019, and in July 2020 the EU imposed its first-ever sanctions related to cyberattacks. In October 2020, a second, and so far last, package of sanctions was adopted following a cyberattack on the German parliament. In total, an astonishing eight persons and four entities have been slapped with sanctions in response to several high-profile cyberattacks attributed to various foreign government agencies.
The toolbox, which is currently under revision, could be seen as an attempt to prioritize sticks over carrots in EU foreign policy. However, restrictive measures are only one possibility and the EU seems reluctant to use them. By comparison, since 2015, the United States has imposed cyber-related sanctions on 99 individuals and 59 entities.
The first challenge to agreeing on collective measures is that cyberattacks must be attributed to specific actors. This process is highly sensitive as it is influenced by both technological and geopolitical factors. Attribution requires a comprehensive collection of intelligence, but for various reasons, member states remain reluctant to exchange information. Voluntary intelligence-sharing remains the rule, which is problematic because it prevents both a comprehensive assessment of a cyber threat and the building of the trust in each other’s attributions that is needed to agree on common measures.
In response to this, the European Commission proposed creating a Joint Cyber Unit (JCU) to facilitate member state information-sharing. In its conclusions of October 2021, the European Council adopted a typically vague position, stating that “member states are invited to explore the potential of a Joint Cyber Unit” while at the same time calling for a revision of the cyber diplomacy toolbox. The European Council has a point in emphasizing the importance of streamlining existing cyber structures as various groups, taskforces and networks already exist. Nevertheless, it needs to realize that calling for the improvement of the toolbox needs to be accompanied by enhanced intelligence-sharing. Indeed, according to the EU treaties, intelligence remains the purview of the member states, but such a provision should not prevent national, diplomatic and cyber communities from proactively operating together, especially when tackling massive cyber incidents.
The second challenge to agreeing on collective measures consists of the lack of a common EU cyberthreat perception. In September 2020, a Russian cyberattack, called Ghostwriter, was launched against Poland. The country sought to address this at the EU Foreign Affairs Council in June 2021, but no subsequent action was taken. Three months later, Germany faced the same attack, followed by a condemning statement by High Representative Josep Borrell just nine days later. This exemplifies the lack of a common EU threat perception and common European security culture. Member states agree that their security is threatened by cyberthreats but do not share the same priorities, as national threat perceptions are rooted in history and geography and cannot be changed into a common perception overnight.
And still, there is hope, as the ongoing discussions involving the EU Strategic Compass could further contribute to a common understanding of security priorities in the cyber field and clear guidelines on what attacks are severe enough to be dealt with at the EU level. Frequent war games that use realistic scenarios about cyberattacks and use the full potential of the EU cyber diplomacy toolbox could undoubtedly help to further stimulate a common understanding of priorities in the cyber field. Being technically capable of attributing an attack to a specific actor is one thing, but agreeing on a common diplomatic response is quite another. Political decisions such as these are complicated, especially when 27 member states with different interests and priorities decide unanimously in these matters.