International Relations/Political Science
21 April 2020

Improving the Effectiveness of the EU Cyber Sanctions Regime

Thomas Biersteker, Gasteyger Professor of International Relations/Political Science and Director for Policy Research at the Graduate Institute, and Patryk Pawlak, Head of the Brussels office of the EU Institute for Security Studies, have coedited a Chaillot Paper on the EU’s newly established cyber sanctions regime. Taking account of the lessons derived from former sanctions regimes, the volume addresses a number of key issues relevant for ensuring the new regime’s maximum effectiveness, such as the problematic nature of attribution, state responsibility in cyberspace, listing and de-listing criteria, the principle of due diligence and the potential impact of cyber sanctions on the physical world. Professor Biersteker provides more information in this interview.

What triggered you to edit this paper on the EU’s cyber sanctions regime?

I have worked with the EU’s Institute for Security Studies (EUISS) in the past, so when I was approached by their head of cyber research, Patryk Pawlak, to co-chair a task force on the new EU cyber sanctions policy, I was pleased to accept. The task force was composed of scholars from both International Law and International Relations – including Erica Moret of the Graduate Institute’s Global Governance Centre – and met on several occasions in Brussels and Paris to discuss the analytical issues involved and to learn about the issues facing EU policy practitioners working on cyber and sanctions policy. We produced the Chaillot Paper to offer an independent scholarly commentary on the new EU policy that was officially adopted in May of 2019.

What contributions does this paper make to the discussions on cyber-related policymaking in the EU?

The paper makes a number of original contributions, particularly with regard to the due diligence responsibilities of states, the challenges of attribution, and the central role of the private sector in the governance of the issue. It also offers 13 novel recommendations in its conclusion. It contains information on every known cyberattack of significance to date and the extent to which sanctions have been applied to address them. It also draws on comparative sanctions research to caution that the existing toolbox of sanctions policy instruments at the EU’s disposal is unlikely to prove effective on its own.

Based on the findings and the recommendations of the paper, what are the future avenues of cybersecurity research that are of concern to the EU?

The challenges of attribution are clearly at the forefront of the cybersecurity research agenda, and we know that attribution requires both technical and political analysis. Neither, taken alone, is sufficient. The governance of cybersecurity is also particularly challenging, largely due to the fact that the very states that are required to govern the issue domain are themselves engaged in the practice of cyberattacking one another. At the same time, many other states lack the technical capacity to make attribution decisions on their own. This is why it is important to engage the private sector – not just firms, but also research scholars and policy think tanks – in the governance of the emerging policy domain.

Do other international and regional organisations, such as NATO, react in similar ways to cyber threats?

The US was the first to employ sanctions in response to cyberattacks, dating back to the 2014 attack attributed to North Korea against Sony Pictures. The US has since used restrictive measures (asset freezes, travel bans, criminal indictments, and limited sectoral measures) against individuals and corporate entities (not only firms, but also government agencies). The UN has added web hosting of terrorist recruitment sites to the criteria for individual designations in its counterterrorism efforts (totalling more nearly 40 to date). Notably, there have been no sanctions applied against an entire government for a cyberattack, something the EU was particularly sensitive to in the design of its policy.

Lastly, how did the publication process work?

The process was very smooth, thanks largely to the guidance and experience of Patryk Pawlak. He knows the EUISS publication process well, and I credit him with the creative graphics employed throughout the 100+-page paper, not to mention the metaphorical references to Guardians of the Galaxy (a film which, I must confess, I had not seen until after the publication of the task force report). We edited in parallel offline on each of the chapters, worked across disciplinary lines, and drew on our respective specialisations on cyber and sanctions to produce an integrated document.

*  *  *

Full citation of Professor Biersteker’s coedited paper:
Pawlak, Patryk, and Thomas Biersteker, eds. Guardian of the Galaxy: EU Cyber Sanctions and Norms in Cyberspace. Chaillot Paper 155. Paris: European Union Institute for Security Studies (EUISS), 2019.

Karine Bannelier, Nikolay Bozhkov, François Delerue, Francesco Giumelli, Maarten Van Horenbeeck and Erica Moret, Senior Researcher at the Graduate Institute’s Global Governance Centre, who wrote three chapters:

  • “Navigating the Stars: Ten Questions to Make Cyber Sanctions More Effective”, 13–20
  • “Space Exploration: Mapping the EU’s Cyber Sanctions Regime”, 33–42
  • “Galactic Collision: Cyber Sanctions and Real-World Consequences”, 79–86

Interview by Bugra Güngör, PhD Candidate in International Relations and Political Science; editing by Nathalie Tanner, Research Office.
Banner image: excerpt from an image courtesy of NASA/JPL-Caltech/E. Churchwell (University of Wisconsin).