Berlin has good chances to get a green light from the EU Сouncil concerning sanctions for responsible for the hacker attack on the Bundestag, including Russian Dmitriy Badin. This is an opinion of Paul Ivan, senior policy analyst of the European Policy Centre. In an interview to Promote Ukraine, he shared his expertise in the EU’s diplomatic response to cyber-crimes from third countries.
Berlin wants to ask the EU Council to authorize sanctions for the hacker attacks on the Bundestag. What are the chances to get a decision in favour of such sanctions?
Germany has good chances if it provides necessary proofs to the other member states, and Berlin has stated that it has these proofs. If sanctions are adopted, it would be the first time the EU would list individuals under the new cyber sanctions regime. The regime exists since last year, but so far nobody has been sanctioned, no one was added to the sanctions list. Now for the first time an EU member state publicly announced that they would ask for listing, they will ask for individuals and maybe entities to be added to the sanctions list. Obviously, it is not an easy decision, it depends on how the discussions among the member state will go, and who they will want to add to the sanctions list.
There are countries that, to a certain degree, support Russia: for example, Italy or Greece. Do you think that they can vote against this decision?
I would not say that they support Russia. There are a number of EU member states that traditionally had better relations with Russia than other EU countries, but that does not mean that they support illegal behavior, the sort of behavior that Germany refers to. So I would not expect them to be against the listing in that sanctions regime of some individuals who would be clearly linked to the attacks on the Bundestag.
What about the EU cyber diplomacy toolbox? How does it help to fight with hackers?
The toolbox contains a series of possible steps that the EU can take: preventive and confidence-building measures, awareness-raising, capability building in third countries, cyber dialogues, and others. So there are a number of measures, some of them already existed before this toolbox was created. It just brings together a sort of action that the EU can take to respond with diplomatic tools to malicious cyber activities. The regime was adopted in 2017, then in 2019 there were added more legal tools to actually implement the restrictive measures that we already discussed. So it is still quite early days for the EU in what concerns this issue: using diplomatic tools to react to cyber-attacks coming from outside the EU.
Can you give us some examples of how this toolbox is implemented?
For example, there are confidence-building measures or cyber dialogues that the EU has been having with a number of countries over the years. This dialogue on cyber issues should contribute to confidence-building and to maintain good relations in this field. We know that over the last year the number of cyber-attacks and their gravity has increased quite a lot. Obviously, there are also limitations to what you can reach through these tools. It depends very much on the other side, it depends on their political decisions, but the EU tools are supposed to help.
So they are a sort of attempts that the EU does, so that the situation does not escalate, that there are not major attacks against the EU. Through the use of such diplomatic tools, the EU can transmit diplomatic messages, protests, demarches. We saw one in this case done by Germany, on a bilateral basis, with the calling of a Russian ambassador. The EU can also transmit some of these messages through its diplomats in third countries, from whose territories these malicious practices can come from. The restrictive measures, the sanctions are the strongest measures from this toolbox, but there are a number of other diplomatic tools. For example, the EU has also condemned past attacks, there are also Council conclusions condemning various attacks. So, the tools have various degrees of assertiveness.
What is the best way to deal with cyber-attacks from Russia? Is it dialogue? Or perhaps counterattacks? What are the best tactics?
It is not an easy question. You mentioned counterattacks. In the EU toolbox, there is nothing in terms of offensive operations, and the EU institutions do not have a mandate to use such capabilities. Capabilities in that sense exist at the level of EU member states, and most of the work that has been done in terms of cybersecurity, cyber defense, and capabilities are at the level of EU member states, not at the level of the EU institutions.
In this case of the 2015 hack of the Bundestag, the EU has started to work, and a diplomatic, political signal was sent to the Russian leaders to stop malicious cyber practices. Soon we will see if individuals will also be listed on the sanctions list. Now, what member states might or might not do in terms of responding to cyber-attacks is a different thing.
How can Brexit influence EU capabilities to fight with cyber-attacks?
In a bad way, in the sense that the UK was one of the EU’s member states with very developed cybersecurity capabilities. Obviously, losing such a capable member states with a global network is not helpful for the EU. Of course, cyber cooperation will not cease, it will continue, but it would be done in other frameworks, in different ways. Moreover, the UK has been one of the member states that have pushed the most for the adoption of the toolbox. The UK generally has pushed for stronger EU responses to cyber-attacks; it has also taken public positions in terms of attributing cyber-attacks. So Brexit will not help the EU’s capacity to react to cyber-attacks.
How does cooperation with NATO help to fight cyber-attacks?
A number of steps have been taken, this dialogue is much stronger than it used to be some years ago, but EU-NATO cooperation on cyber is still work in progress. NATO and the EU participate in each other’s cyber exercises, there is cooperation, and there are arrangements on cyber defense. In the end, the majority of the member states in the EU and NATO are the same, so we are talking largely about the same group of countries.
This is also linked to the previous question: the fact that the UK will continue to be a NATO member country will obviously matter. NATO is a political and defense alliance, it is more geared towards cyber defense. The EU has a broader view on cybersecurity, it engages in a number of actions, working with a private sector, working with wider issues of cybersecurity in the economy.
It was proposed to create the Cybersecurity Competence Community. What does it envisage?
This is part of a number of proposals to strengthen cybersecurity, put forward by the European Commission. It is part of a larger proposal that also aims to create a Network of National Coordination Centres and a European Cybersecurity Industrial, Technology and Research Competence Centre.
We are talking about mechanisms and processes to stimulate European technological, industrial research in cyber issues, to coordinate and to pull together resources at the EU level. The EU has been investing in cybersecurity for a number of years. We have the cybersecurity strategy for already 7 years, in 2016 we had a major piece of legislation – the Directive on Security of Network and Information Systems (the NIS Directive) that created among others a network of the national CSIRTs – computer emergency response teams. So this competence community and the competence centre are new steps in which the EU tries to improve EU cybersecurity capabilities, the dialogue between EU member states and other actors active in the field, to bring together and support innovation in EU cybersecurity.
What is the current state of play: is the fight against malicious cyber-attacks effective in the EU or not?
It will never be effective enough, in the sense that there will always be cyber threats. These are diverse and are coming from many different sources – individual hackers, hacktivists, criminal networks, state-sponsored groups, etc. We mostly focused part of our discussion on cyber threats, coming from state-sponsored groups, but they are a minority, even if a highly-skilled one. As digitalization increases, as a lot of the economy is digitalized, so the number of threats is increasing. We see this also in the context of COVID-19, that even more things moved online. So, also the risks are increasing in that environment.
So it is not a question where you can receive a straight answer about how effective the response is. We do see the EU member states and the EU institutions investing more in cybersecurity. In the EU context, most of the capabilities and also the responsibility lies with the member states. Some are doing better than others, some have more developed capabilities, and are more capable to defend against some of the threats, others less so.
Thus there is still a lot of work to be done both in terms of the development of cyber capabilities on the level of institutions, in the EU member states developing capabilities and human resources, maintaining those capabilities, investing in research, etc. There is also a lot more to do in terms of European cooperation.
You mentioned that some countries are doing better, some countries are doing worse. But can you say what countries?
Generally, the bigger countries have better capabilities, they can afford to have more substantial resources being put to this. But it is not strictly linked to size. For example, the Czech Republic has good capabilities, Estonia, and others.
There is a lot of investments that still need to happen, not only in terms of capabilities but also developing the institutional know-how, the procedures of how to deal with some of these issues. I am referring also to the political response, where there is a need to create a better link between the technical level and the one of the decision-makers. Decision makers need to understand this domain much better than they do now. So there is a lot to work to do.
If it was up to you, what would you do in this field?
I think I gave an indication, in the sense that we should really try to put more resources, invest more in the development of capabilities and in the strengthening of cooperation between the different countries that, in the end, are affected. Many of these attacks hit computer networks in much more than one country, so the need for cooperation is vital. For example, the NotPetya and WannaCry attacks in 2017 hit businesses, networks of hospitals, factories, and other computer networks across the EU and the whole world.
Some of the work I mentioned is happening, but the very fact that we see these activities, the development of new tools in this field is a reaction to an increasingly contested cyberspace.
Natalia Richardson