The Ministry of Foreign Affairs of Ukraine issued a statement stating that since 2015, a number of powerful cyber attacks have been carried out by the Russian Federation against the national critical infrastructure facilities and government institutions of Ukraine. It actively uses information and communication technologies to wage an aggressive hybrid war. Particularly cynical in this regard are Russia’s attempts to push for international initiatives for the peaceful use of cyberspace on international platforms. Ukraine advocates prosecuting those who deliberately organize and carry out cyberattacks. Geostrategy analysts have analyzed hacker attacks from Russia in various countries around the world.
German Foreign Ministry State Secretary Miguel Berger summoned Russian Ambassador to Germany Sergiy Nechayev to protest sharply against the hacker attacks on the German legislature, the Bundestag. According to the German government, Russian hackers attacked the Bundestag in 2015. The German media reports that the Russian Ambassador was informed that Germany will advocate in Brussels for the imposition of cyber sanctions against Russia – the new EU remediation regime approved by the EU Council in May 2019.
In addition, in October 2018, Russian hackers also attempted to hack the system of the Organization for the Prohibition of Chemical Weapons in The Hague, the body that investigates the case of the Skrypal’s poisoning. After this case, discussions intensified about the need to develop a new type of restrictive measures – cyber sanctions.
Geostrategy reminds that this is not the first attack by Russian hackers, which could turn into the first unprecedented decision of the European Union to impose cyber sanctions against Russia after the development of a new EU sanctions mechanism. According to diplomatic sources, the EU Mission in Moscow in 2017 also experienced a massive attack by Russian hackers, which promulgated a large number of working documents of EU-diplomats.
And, if then, at the level of all 28 EU member states, it was decided not to make information about the cyberattack on the EU Mission public (so as not to worsen the already bad relations with Russia), the attack on the Bundestag has every chance to become the first case of EU cyber sanctions against the third country.
New EU sanctions regime for cybercrime
In 2018, at the initiative of Denmark, Estonia, Finland, Latvia, Lithuania, the Netherlands, the United Kingdom, and Romania, the European Union began preparing a package of restrictive measures to be imposed on foreign groups of hackers interfering in the European elections in May 2019.
The European Union had enough information that outside actors – primarily Russia, but also China – would try to influence the course of the European elections. The motive of the Russians was quite clear: they needed to get members of the European Parliament who would begin to question the feasibility of maintaining a sanctions regime against Russia, introduced after the aggression in the Crimea and Donbas in 2014.
By the way, cyberattacks not only cause political damage to the European Union (preconditions are created for political manipulations and the coming to power of populists) but also lead to direct economic losses. It should be recalled here the attack on the global logistics campaign from Denmark A.P. Moller-Maersk, which suffered economic losses of 200 to 300 million euros as a result of large-scale cyber attacks.
To prevent cyberattacks, Brussels decided to play ahead. The idea of introducing cyber sanctions was a continuation of the EU Cybersecurity Strategy: Open and Safe Cyberspace, which was adopted in February 2013 and the Cyber Security Package approved by the European Commission in September 2017 to strengthen the resilience of EU cyberspace.
Finally, in May 2019, the Council of the European Union decided to set the parameters necessary to implement restrictive measures in response to external cyberattacks that threaten the activities of the EU institutions and its Member States, as well as third countries and international organizations.
Geostrategy analysts believe that the provision in the EU Council decision on cyberattacks against third countries gives Ukraine grounds to discuss with the European Union the introduction of cyber sanctions against hackers who attack critical infrastructure in Ukraine.
What punishment can be expected for victims of cyberattacks? This issue is quite clearly regulated in the decision of the EU Council, in particular, it concerns the following restrictive measures against cyber criminals:
- Seizure of bank accounts of criminals placed in the banking systems of EU member states.
- Ban on entry to the European Union.
EU regulations also define quite clearly the concept of “cybercrime”, which includes those that:
- are developed and implemented externally, or for those who use infrastructure located outside the European Union;
- implemented by persons and/or organizations located outside the European Union;
- are implemented with the support of individuals and/or organizations operating outside the European Union.
Today, the European Union is only approaching its first case, when a cybercriminal, having committed a crime against a member state of the European Union (in this case – against Germany), can fall under EU cyber sanctions.
If this happens, Ukraine will have the prospect of punishing those behind the cyberattacks on Ukrainian state institutions.