EU urged to seize assets of foreign hackers
New sanctions would go after individuals, instead of debating politics of country-level measures (Photo: Santiago Zavala)
The EU should impose visa bans and asset freezes on people guilty of cyber attacks, a group of member states has urged.
A "new restrictive measures regime" was "urgently" needed "to address malicious cyber activity," the group, including the British and the Dutch, as well as Estonia, Finland, Latvia, Lithuania, and Romania, said.
EU leaders should give a green light when they meet in Brussels next week given the gravity of the threat, they said in their informal paper on 8 October, seen by EUobserver.
"The pace of events has accelerated considerably, in particular over the past year, including those of last week," they said, referring to revelations that Russia had plotted cyber attacks on an international body in The Hague and further afield in Europe.
"It is only a matter of time before we are hit by a critical operation with severe consequences on the EU and member states" and with "thousands of victims in EU countries and significant financial and material damage", they added.
The new sanctions would target individuals, but they would strike at people with political weight, they said.
"Restrictive measures could be lifted in response to a change of behaviour, for example, if an organisation is shut down or a government starts taking stronger action against perpetrators in its jurisdiction," they said.
"They could also be lifted following a political pledge to cease activities", they added.
Draft EU summit conclusions, circulated on 8 October and also seen by EUobserver, did not mention cyber sanctions, but did call for greater resilience in the area.
Attacks like the Russian one in The Hague "strengthen our common resolve to further enhance the EU's internal security and disrupt hostile activities of foreign intelligence networks on our territories," the draft conclusions said.
Talks on "all cybersecurity proposals" should be "concluded before the end of the legislature" of the European Parliament next May, the conclusions said.
Chemical model
The cyber sanctions are meant to work like the EU's new chemical weapons measures, which the EU "welcomes" in the draft summit conclusions and "looks forward to early progress on the listing of relevant individuals and entities".
These blacklist people deemed guilty of chemical weapons violations no matter where they come from or whether they were ever convicted of a crime.
They also do it quickly in regular EU meetings, unlike country-specific sanctions, which require high-level political debate.
The group-of-seven did not name Russia in their informal paper.
But the UK and the Netherlands were recently attacked by Russia. The other five countries all border Russia.
They also nodded to Russia's hack-and-leak meddling in French, German, and US elections.
"In addition, we should consider including behaviours [in sanctions listing criteria] which seek to interfere in elections", the group said, ahead of the European Parliament elections next year.
"This is not targeted against Russia, it is targeted against the offence in itself, but if you look at the recent news then, obviously, you can't say Russia isn't on people's minds," a diplomatic source said.
Legal threshold
The new cyber sanctions proposal is the third of its kind in recent months.
It comes after a Dutch-led effort to impose visa bans and asset freezes on human rights abusers and after the chemical weapons sanctions accord.
The EU's counter-terrorism register, which dates back to 2001, also targets individuals instead of countries and lists them in behind-closed-doors meetings, where big member states have sometimes forced their way.
That has attracted criticism in the past, but the new sanctions would not be like that, diplomats said.
The cyber sanctions would go after "criminal actors who, in practice, are often beyond law enforcement", but people who were listed would have the right to judicial redress in the EU court, the informal paper said.
Public attribution of cyber-attacks was a "political" act often made hard by perpetrators' efforts to conceal their tracks, they noted.
But the behind-closed-doors EU method was a tried-and-tested one for joint scrutiny of classified or sensitive information, they said.
People would only be listed if "as a collective, we consider the evidence provided surpasses the legal threshold of a sufficiently solid factual basis," the paper said.