For a long time, the topic of attribution was taboo in cybersecurity policy discussions. As a result, democratic countries have been under attack in cyberspace, without having any meaningful way to retaliate.
NotPetya, a state-sponsored attack that affected many public and private sector actors, caused hundreds of millions of euros in damages across Europe. It was also the incident that shifted EU discussions on attribution. On February 15, 2018, almost eight months after the NotPetya attack, both the UK and the U.S. attributed this attack to the Russian Federation. Many other countries in Europe and around the world followed suit, supporting the assertion and creating the largest coordinated attribution to date. This sent a message that such attacks can no longer be conducted with impunity, and since then we have seen several more cases of cyberattack attribution.
What has changed though? Has the government naming and shaming of state-sponsored cyber activities stemmed the tide of such incidents? The answer is no. In fact, attacks have been increasing, especially those that fall below the threshold of the use of force, such as attacks on democratic processes. However, attribution has increased the cost of malicious cyber activity.
What has become clear is that the path to digital peace must involve all stakeholders – government, industry, and civil society. No actor can stop these ever-growing attacks alone, and governments cannot eliminate the risk of cyberattacks by themselves. Industry and civil society must also play a role, through initiatives such as the Paris Call for Trust and Security in Cyberspace and the Cybersecurity Tech Accord. We all have a responsibility to take steps to address state-sponsored attacks – and to support others in doing so.
In June 2017, the Council of the European Union adopted the EU Cyber Diplomacy Toolbox, laying the foundation for a joint EU diplomatic response to deter malicious cyber operations. Then, on May 17, 2019, the Council implemented a framework allowing the EU to impose targeted restrictive measures when responding to cyberattacks that constitute an external threat to the EU or to individual Member States.
Cyberattacks that have “significant impact” will fall within the scope of this new sanctions regime. In practice, this means that, for the first time, the EU will be able to impose sanctions on persons or entities directly or indirectly responsible for cyberattacks. These measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities.
Establishing this framework for collective action is important and highly commendable. The path to digital peace demands deterrence. This addition to the EU Cyber Diplomacy Toolbox will advance the enforcement of international norms, and it provides a vital framework to build upon in the future.