Russia dodges bullet of EU sanctions on cyber — for now

EU summit shows capitals are divided on how to counter a growing cyberthreat from Moscow.

Artwork of cyberespionage group Fancy Bear on the computer of the photographer during a session in the plenary hall of the Bundestag | Sean Gallup/Getty Images

If there ever was a window for European leaders to name and shame Moscow for carrying out cyberattacks against networks in the EU, Thursday’s Council meeting would have been it.

They chose to let the chance go by.

In joint conclusions after the EU summit, heads of state denounced aggressive cyber action but stopped short of signaling a move toward decisive EU deterrence against Russia.

While the United Kingdom and the Netherlands pushed for swift action following an attack on the Organisation for the Prohibition of Chemical Weapons in The Hague that was widely attributed to Russia, other countries balked. Italy and France were among the countries wary about calling Russia out on its alleged hacking attempts, diplomats said.

The final conclusions only repeated pledges made more than a year ago by EU capitals, leading critics to slam the text as lacking a sense of urgency to counter a growing threat from the East.

Thursday’s discussions on cybersecurity were overshadowed by EU leaders’ squabble over Brexit.

“Some member states apparently do not see the urgency of the need to stop the digital arms race and are ready to run the risk of more cyberattacks in the near future,” said Marietje Schaake, lead MEP on cybersecurity and member of the Global Commission on the Stability of Cyberspace.

The failure to come up with tougher language comes months before European politicians head into the European Parliament election — which is widely expected to come under pressure from Russian disinformation and cyber intrusion campaigns aimed at derailing the vote.

“We cannot afford to wait any longer,” said Schaake.

What an EU regime would look like

Thursday’s discussions on cybersecurity were overshadowed by EU leaders’ squabbles over Brexit, and hot-button issues like migration. The text on sanctioning cyberattackers passed without much discussion on the substance, several people briefed on the talks said.

And yet, a group of eight countries led by London and The Hague, and including the Baltic states, Finland, Denmark and Romania, had tried to convince others in the past few days that sanctions need to come quickly.

“New cyber sanctions regimes would help to deter hostile countries from malicious cyber activities,” Edvinas Kerza, deputy minister for national defense of Lithuania, told POLITICO. “Lithuania alone has experienced 55,000 cyber attacks last year.”

A paper floated by these eight suggested approving a sanctions regime modeled after the EU’s procedures on punishing countries and entities for chemical attacks. “We urgently need to implement a similar regime to address malicious cyber activity,” they said in a joint “non-paper” outlining their ideas.

The EU has brainstormed on how to impose sanctions on states and organizations conducting cyberattacks since June 2017, when ministers signed off on the idea that the EU’s diplomatic and economic “toolbox” could help deter countries like Russia, North Korea, Iran and China, which have championed cyber capabilities like malware, network penetration and disinformation campaigns.

The issue, the discussion Thursday showed, is that EU capitals are divided on how these sanctions for cyberattacks should work. Several countries backpedaled on mandating an EU sanctions regime.

Europe divided on how to act

Italy led the opposition, two sources briefed on the discussion said. Rome had been calling to scrap existing economic sanctions on Russia in past weeks, arguing the measures are hurting European economies just as much as the Russian one.

But the resistance to a cyber sanctions regime didn’t just come from Italy, or other capitals considered favorable to the Russian government, like Cyprus or Austria, diplomatic sources said.

France, too, is wary of publicly slamming Russia for misbehaving in cyberspace, according to three sources.

In short: It could take a while before the EU gets to sanctioning Russia based on public evidence of massive cyber intrusions.

When the election campaign of now-President Emmanuel Macron was hacked just days before the vote last year, the action was later linked to Russian intelligence — but never so by Macron himself.

“We’re all kind of feeling our way in this,” said Chris Painter, who was the U.S. State Department’s point person on cyber diplomacy under President Barack Obama. “This is part of a process to get more comfortable with calling people out.”

Other diplomats pointed to another problem: Some European countries, especially bordering Russia, could have political interests in attributing cyberattacks to Moscow without having the technical capabilities of proving the crime.

An EU official, who isn’t authorized to speak on the record, said “the fact that Russia isn’t mentioned by name isn’t a drama … Plus, France supports [the conclusions], which is important.”

Diplomats in the External Action Service, Commission and Council will now start work on sketching out the practical details of a future sanctions regime.

“We are launching discussions with member states on a legal framework to operationalize restrictive measures linked to malicious cyber activities,” said Maja Kocijancic, Commission spokeswoman for foreign affairs.

“As always, a range of options is available for the Council to consider, and any decision is to be taken by unanimity,” Kocijancic said, adding that the “use of restrictive measures falls within the scope of possible common foreign and security policy actions that can be activated if EU member states [unanimously] decide to do so.”

In short: It could take a while before the EU gets to sanctioning Russia based on public evidence of massive cyber intrusions.

Jacopo Barigazzi contributed reporting.

Tags: