The Council of the European Union adopted for the very first time on Thursday 30 July restrictive measures against persons and entities responsible for or having participated in cyber attacks.
The sanctions concern six individuals - two Chinese involved in the ‘Operation Cloud Hopper’ cyber attack and four Russians who participated in the attempted cyber attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) - and three entities.
Thus, the Tianjin Huaying Haitai Science and Technology Development Company, based in China, which, according to the EU, “provided financial, technical or material support to ‘Operation Cloud Hopper’”, and the Chosun Expo company, based in North Korea, which also provided financial support to the ‘WannaCry’ cyber attack, are being sanctioned. Similarly, the Main Centre for Special Technologies (MCTST) of the General Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which the EU considers responsible for the ‘NotPetya’ cyber attack, is also subject to sanctions.
The measures adopted include a ban on entry into the EU and an assets freeze. EU persons and entities are also prohibited from making funds available to sanctioned persons and entities.
These are the first measures related to cybersecurity. Since May 2019, the EU has had a legal framework for restrictive measures against cyber attacks, which was extended on 14 May (see EUROPE 12487/31).
At the same time, the High Representative of the Union for Foreign Affairs and Security Policy, Josep Borrell, in a statement on behalf of the EU, recalled that malicious behaviour in cyberspace was “unacceptable, as it undermines international security and stability and the benefits offered by the Internet and the use of information and communication technologies (ICT)”.
In his view, the measures adopted reflect the commitment of the Union and its Member States to protect the integrity, security, social well-being and prosperity of their free and democratic societies, as well as the rule-based order and proper functioning of international organisations.
“We will continue to strengthen our cooperation to advance international security and stability in cyberspace, increase global resilience and raise awareness of cyber threats and malicious cyber activities”, the High Representative warned.
The EU and its Member States will therefore continue to “vigorously” promote responsible behaviour in cyberspace and to call upon each country to cooperate for international peace and stability, to exercise due diligence and to take appropriate action against actors engaged in malicious activities in cyberspace.
Mr Borrell also called on the international community to continue its contribution to the implementation of the existing consensus within the United Nations in the field of information and telecommunications in the context of international security (UNGGE) and to advance cooperation to strengthen this consensus. (Original version in French by Camille-Cerise Gessant)