What the E.U.’s Move Means
The European Union (EU) recently sanctioned China, North Korea, and Russia for their alleged roles in cyber attacks against European targets. The landmark restrictive measures included freezing the assets and banning the travel of the following individuals and organizations identified as planning, supporting, and/or executing the attacks:
- Qiang Gao (Chinese cyber operator)
- Shilong Zhang (Chinese cyber operator)
- Alexey Minin (Russian cyber operator)
- Aleksei Morenets (Russian cyber operator)
- Evgenii Serebriakov (Russian cyber operator)
- Oleg Sotnikov (Russian HUMINT support)
- Tianjin Huaying Haitai Science and Technology Development Co. Ltd. (Chinese company accused of providing financial, technical, and material support)
- Chosun Expo (North Korean company accused of providing financial, technical, and material support to WannaCry ransomware attacks)
- Main Centre for Special Technologies of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Russian intelligence service accused of backing Russian cyber operations)
The sanctions are notable in that this is the first time the EU applied punitive measures in response to hostile cyber activities conducted by foreign countries. Chinese cyber espionage operations have been a global problem targeting all regions, and Europe is no exception. European organizations across all sectors and industries have been targeted by suspected Chinese cyber actors, causing the EU to consider delivering a formal response after the United Kingdom presented evidence of Chinese hacking.
Russian cyber activities targeting European countries have ranged from disruptive to destructive, with disinformation campaigns being a systematic and constant threat to social stability. North Korea has demonstrated interest in using cyber attacks as a source stealing money, targeting European banks and cryptocurrency exchanges, taking as much as USD 2 billion, per some estimates.
There is much symbolic significance in this application, as the EU decided as a collective body to levy sanctions, rather than leaving it up to the 27 member states to do them individually, if so desired. By doing this, the EU goes on official record that it recognizes that China, North Korea, and Russia are the orchestrators of hostile cyber operations, and that as a unified body (sanctions can only be implemented if all member states agree), it will no longer tolerate these activities without ramification. Further underscoring the seriousness of the imposition of sanctions is the fact that despite several members maintaining close trade and energy relations with China and Russia, they are willing to accept risking these relationships in favor of rebuking governments for their unacceptable behavior.
While sanctions are a step in the right direction, they in and of themselves are not guaranteed to deter future cyber attacks. However, they are a part of a “naming and shaming” strategy that attributes such activities to individuals, companies, governments, etc. By granularly identifying persons, a government demonstrates that attribution challenges in cyberspace may not be as insurmountable as previously believed, especially if one has access to the proper surveillance and monitoring technologies. In this way, sanctions may be more about putting governments on notice than really trying to impose economic consequence. The victim “shows” that it has the capability to detect and track the activity to the source if compelled to do so. While the offender can deny involvement, precise identification sends a clear message. The fact that all 27 member states have agreed to take this step certainly suggests that evidence has been shared, reviewed, and discussed to the point that all felt comfortable levying the very public sanctions.
The EU now joins the United States in using cyber sanctions as a punitive action for hostile cyber activity. For the period leading up to July 2020 when the U.S. charged two Chinese nationals for conducting a decade-long espionage campaign, the EU did not advocate this course of action. This was surprising given that the July U.S. indictment indicated that in addition to attacking U.S. targets, these two Chinese individuals had executed operations against companies in several European countries as well. Instead of getting support, the U.S. found it difficult to get countries to publicly back its position. Finally, whatever threshold was crossed, European governments have finally showed their discontent over Chinese, and other governments’, cyber malfeasance.
Most interesting is the timing. The EU sanctions come at a time when Beijing and Moscow have been aggressively using the cyber domain to further their respective interests, taking advantage of the global pandemic and governments’ focus on flattening their respective infection curves. During this time, China and Russia have been suspected of conducting a variety of operations including espionage against global organizations involved in COVID-19 research and propaganda efforts to influence audiences and sow unrest. More countries like Australia and the United Kingdom are becoming more comfortable admonishing China’s alleged cyber activities, a move that Washington no doubt hopes will snowball.
Whether this strategy works remains to be seen. One important unexpected development in levying sanctions is their potential in helping shape responsible state activity in cyberspace. For a long time, there have been efforts under way to establish cyber norms of behavior. Fora like the United Nations or the Open Ended Working Group have consistently failed to reach consensus on what that looks like, often getting tripped up on defining terms and meanings. However, the more that the global community implements sanctions against disruptive and/or destructive attacks, the more “norms” are being established, regardless of the signing of a consensual treaty.
Sanctions provide a nice bite to the bark, but more needs to be done to influence Chinese – and by extension – other nation state’s cyber activities that extend beyond “traditional” spying practices. Other regional and international organizations need to follow the U.S.’ and EU’s leads in sanction application. Taking away offending countries’ regional partnerships that would normally provide temporary relief from effects of sanctions may be the type of pressure to initiate a change of behavior. But sanctions alone are unlikely to accomplish a more lasting change, and ultimately will require a combination of diplomatic, economic, and even offensive cyber initiatives to productively make states like China, North Korea, and Russia rethink how they are operating, and while they are unlikely to stop all of their activities (states will conduct activities that support their interests), these measures may be enough to reduce their volume.