The Case Against EU Cyber Sanctions for the Bundestag Hack

The German Ministry of Foreign Affairs informed Moscow on May 28 that the German federal prosecutor had issued a sealed arrest warrant for Russian military intelligence officer Dmitriy Sergeyevich Badin over the 2015 Bundestag hack. Among other items, the hack resulted in the exfiltration of 16 GB of sensitive emails and documents and necessitated a complete overhaul of the parliament’s information technology network to ensure the intruder was ousted. The ministry also announced that Berlin will press the EU Council to impose EU restrictive measures (so-called EU cyber sanctions) against Badin and anyone else involved in the Bundestag hack.

The German move is the first time the EU cyber sanctions regime has been invoked since its creation in mid-May 2019. But is it wise for the EU to use that regime in the current case?

Institutionally speaking, the German proposal is still in the early phase of the EU Council’s legislative procedure. On June 3, the Horizontal Working Party (HWP) on Cyber Issues within the council sat down to commence initial discussions on the German proposal to impose EU cyber sanctions over the Bundestag hack. As a preparatory body, the HWP is not a decision-making organ. Instead it serves as a cross-cutting working platform whose task is to help coordinate various work strands and prevent the fragmentation of EU cyber policy issues. Specifically, the HWP is responsible for enhancing the exchange and sharing of information, identify and exploit policy synergies, assist in setting the EU’s cyber priorities, and technically scrutinize government proposals.

Though the group has only begun initial discussions, three diplomats involved in the process spoke to Politico anonymously on June 3, claiming that “the EU is getting ready to slap sanctions on a group of Russian hackers.” The confidence behind their assessment is rather questionable, given that the HWP has not yet reported its discussion outcome to COREPER II—the main preparatory body responsible for EU foreign affairs. From there, the matter will be either passed down again to the HWP to achieve a compromise (if none is achieved) or passed up to the EU Council, which then has to reach a unanimous vote among the 27 member states for EU restrictive measures to be implemented.

Even a successful sanctions implementation would have some quirks. During the regime’s design process, the issue of attributing cyberattacks became so politically contentious among the EU member states that the language had to be changed to work around the problem. The end result is that the term “attribution” was entirely scrapped from the document and replaced with the technical terminology of “sanction listing”—meaning, to use the Badin case as an example, that the EU Council would list Badin under the cyber sanctions regime but would not officially attribute the Bundestag hack to Russian military intelligence or the Russian government. Given these verbal gymnastics, it is highly likely that some EU member states will claim that a sanction listing is tantamount to attributing the Bundestag hack to Russia, while others will say it is not. How Moscow and Washington will react to this intra-EU confusion is currently anyone’s best guess.

Another aspect of the regime’s design has now resulted in a curious dilemma for the German government if it aims to sanction Igor Kostyukov, the head of Russian military intelligence, for his role in the hack. The council essentially copy-pasted large parts of the already-existing EU chemical weapons regime—including limiting sanctions to the freezing of financial assets and imposing travel restrictions. Since January 2019, Kostyukov has been sanctioned by the EU under the chemical weapons regime for the Salisbury chemical attack. So if the EU Council wants to list Kostyukov under the cyber sanctions regime, it will essentially have to freeze his frozen assets again and impose the same travel ban on top of the already-existing one. Practically, this amounts to an act of political symbolism rather than an effective sanctions regime.

Though it is early in the process, Berlin’s political appetite to push for EU cyber sanctions will in principle receive widespread support from the majority of EU member states. The question, however, is not whether the union is willing to impose sanctions on Russia again—it has proved its willingness to do so on numerous occasions—but whether the EU cyber sanctions regime is the correct instrument for the case at hand.

First, the Bundestag hack was a clear case of political espionage. Over a period of three weeks, approximately 16 GB of data were exfiltrated, including several thousand emails of members of parliament. As far as open-source information shows, there was no attempt to wipe, alter or encrypt files to inflict damage on the Bundestag’s information technology network. Hans-Georg Maassen—then the head of Germany’s domestic intelligence agency—therefore declared in early 2016 that “the attacks on German state organisations and institutions were carried out to gather intelligence data.”

By imposing EU cyber sanctions for an act of political espionage, the German government would move outside the general practice of international law—as political espionage is not explicitly deemed illegal—and the EU and its member states would de facto create a new line in the sand that its own intelligence agencies will be held accountable to when spying abroad. This double standard on political espionage might create more practical problems for the individual EU member state governments than it aims to solve normatively on the level of the union as a whole. Similarly, if political espionage is deemed a bridge too far, then what kind of espionage activities are permissive in cyberspace? Only those that do not hurt the European Union? Or is all political espionage inacceptable?

Second, it is highly questionable whether cyber sanctions deter anyone, shame anyone, or in any way impose costs or restrict the abilities of adversarial cyber operatives to conduct their missions. Since April 1, 2015, the U.S. Treasury Department has implemented cyber sanctions against 96 individuals and companies hailing from Russia, Iran and North Korea. As far as the cyber threat landscape is concerned, none of the three countries in question has halted or significantly reduced its malicious activities in cyberspace. While this does not mean that cyber sanctions do not serve a distinct political purpose, the available evidence suggests that the desired practical effects are very limited—or perhaps nonexistent.

Third, because the Bundestag hack occurred five years ago, it might not be the ideal case for a test-drive of the EU cyber sanctions regime. Given that the objective of EU restrictive measures is not to punish but to bring about a “change in policy or activity” by the sanctioned entity, EU member states might be hesitant to impose sanctions now for an activity that occurred five years ago. The significant time gap will most likely also play a role when the EU Council reviews sanction listings every year. It is currently unclear whether a future delisting for political espionage is possible, given the sparse evidence of continuous cyber activities by a specific intelligence operative. In essence, if a listing for an individual’s activity five years ago is possible, but a future delisting of the individual is not, then EU cyber sanctions could be deemed a violation of human rights and be challenged before the European Court of Human Rights.

Time will tell how Brussels and Berlin will proceed on EU cyber sanctions once Germany takes over the rotary presidency of the EU Council in July 2020. The 27 member states should carefully weigh the pros and cons of imposing EU cyber sanctions over the Bundestag hack. Once it is done, there is no going back.