<thread> Today the EU took a major step in strengthening its cyber diplomacy toolbox by imposing cyber-related sanctions for the first time. A few observations/comments: [1/x] https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/
Several of the targets listed today have already been sanctioned by the United States (e.g. Minin, Morenets, Serebriakov, Sotnikov), further limiting the ability of these actors to finance their operations and recoup losses outside of US markets [2/x] https://home.treasury.gov/news/press-releases/sm577
This also strengthens the signaling value of both EU and US cyber sanctions by demonstrating shared commitment to norms of responsible behavior in cyberspace and the egregiousness of the actions undertaken by the designated actors [3/x]
One notable point of departure: the EU has chosen to sanction two Chinese targets associated with APT10 and implicated in the “cloud hopper” attacks affecting companies like HPE, IBM, Fujitsu, NTT Data and others [4/x] https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/
The US has so far refrained from imposing sanctions in response to Chinese cyber-enabled economic espionage—only two Chinese nationals have been sanctioned under the US program, but even these designations were related to money laundering [5/x] https://home.treasury.gov/news/press-releases/sm924
One of the two Chinese nationals sanctioned by the EU has been the subject of an American legal indictment, and US authorities have alleged affiliation with the Chinese Ministry of State Security [6/x] https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion
The EU maintains that a sanctions listing ≠ attribution to a state actor, which requires consensus of member states, but several of the chosen targets have state links. One is an actual government org: the GRU's Main Centre for Special Technologies. [7/x] https://ccdcoe.org/incyder-articles/european-union-establishes-a-sanction-regime-for-cyber-attacks/
The US, by contrast, faces fewer hurdles to making an attribution claim and has done so regularly. Of the 10 instances in which the US has imposed sanctions on malicious cyber actors, 7 have alleged some relationship between the sanctioned parties and state organs [8/x]
As the EU continues to implement its framework, the impact of multi-stakeholder sanctions on malicious cyber actors may become clearer. But policymakers should not see the persistence of these actors as evidence of the policy's failure [9/x]
Over time, the tool can potentially affect the calculus not just of individual cybercriminals but also of the states that orchestrate, enable, or fail to punish their behavior. The EU's listing is an important step in that direction [10/10] </thread>