Attribution: a major challenge for EU cyber sanctions; an analysis of WannaCry, NotPetya, Cloud Hopper, Bundestag Hack and the attack on the OPCW

Abstract

The attribution of cyberattacks is a sovereign act by the EU Member States. However, these all have different technical and intelligence capabilities. This leads to a lack of coherence in European cyber diplomacy, for exam­ple when imposing cyber sanctions. Analysis of policy responses to the WannaCry, NotPetya, Cloud Hopper, OPCW, and Bundestag hack cyber incidents reveals the following problems: Attribution takes a long time and relies on intelligence from NATO partners; the technical realities and the legal facts for classifying and pros­ecuting cyberattacks do not always match; the weighting of the criteria for establishing what constitutes a crime is unclear. Cyber sanctions should be proportionate, targeted measures and destructive attacks, such as WannaCry or NotPetya, should result in harsher punishment than everyday cases of cyber espionage, such as Cloud Hopper or the Bundestag hack. The EU must adapt its tools accordingly. The EU should tighten the legal criteria and harmonise the standards of evidence for attribution. The EU Joint Cyber Unit and EU INTCEN, part of the European External Action Service, should be strengthened to improve the exchange of forensic information and to coordinate attribution policy more effectively. EU Member States and their allied partners should better coordinate political signalling to condemn cyberattacks. To this end, it would make sense to allow qualified majority voting for the adoption of cyber sanctions. (author's abstract)