On 16 May 2022, the Council of the EU (the Council) decided for the third time to prolong its restrictive measures against cyber-attackers threatening the EU, its Member states or its allies. The measures are set to remain in place for a further three years until May 18, 2025. The Council’s press release on this is available here.

As mentioned in our previous post on the topic, the EU set up a cyber diplomacy toolbox (Toolbox) that enables the EU and its Member states to trigger measures from the Common Foreign and Security Policy (CFSP). The CFSP is the foreign policy framework of the EU, whereby Member states agree common positions on defense diplomacy and common positions on how to respond to security threats. This enables the Council to impose restrictive measures in order to prevent, discourage, deter and respond to malicious cyber activities that target the integrity and security of the EU and its member states. If necessary, the CFSP and the toolbox permit the Council to impose sanctions on those responsible for cyber-attacks from third counties or international organizations.

Sanctions were first imposed in July 2020, following an attempted cyber-attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) by those publicly known as ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’. Later that year, in October 2020, sanctions were imposed on two individuals and one entity for a cyber-attack against the German Federal Parliament in 2015. Those responsible were suspected to be working for Russian military intelligence. To date, eight individuals and four entities are subject to the Council’s sanctions regime that includes asset freezes, travel bans and bans on EU persons making funds available to them. This list will be re-assessed on May 18, 2023.

The purpose of this new extension is to send out a strong signal to hackers; cyberattacks are not tolerated.

They have been almost a decade in the making, but have finally arrived: new U.S. export controls on “cybersecurity items,” including products and technology involving “intrusion software” and IP network communications surveillance.  Published today but effective January 19, 2022, the interim final rule from the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) amends the Export Administration Regulations (“EAR”) to add these new cybersecurity export controls.  The interim final rule is highly technical and complex, but ultimately contains a mix of good news and bad for the cybersecurity community.  BIS states in its press announcement that the rule is only intended to restrict “malicious cyber activities,” but it nonetheless imposes compliance obligations and costs even when activities ultimately are not restricted.  At least in this sense, the rule will impact the entire cybersecurity sector.

Continue Reading Cybersecurity Community Beware: US Finally Enacts “Intrusion Software” Rule

The Council of the European Union (the Council) on May 17, 2021 agreed to prolong, for the second time, the sanctions framework concerning restrictive measures against cyber-attacks threatening the European Union (EU) or its Member States for another year, until May 18, 2022. The Council’s press release is available here.

Cyber sanctions are part of the EU cyber diplomacy toolbox and seek to prevent, discourage and respond to malicious cyber-attacks that have a significant impact on the EU. This framework was adopted in May 2019 under Council Decision (CFSP) 2019/797 and Council Regulation (EU) 2019/796, and is reviewed by the Council on a yearly basis. It allows the EU to sanction persons and entities deemed to be involved in major cyber-attacks threatening the EU or its Member States by imposing asset freezes or travel bans against those listed in the Council’s legal acts. The EU can also target those involved in attempted cyber-attacks with a potentially significant effect.

Continue Reading The EU Keeps Its Ability to Sanction Cyber Attackers for One More Year

On 9 November the German Presidency of the Council of the EU and representatives of the European Parliament reached a provisional political agreement on the review of the EU Dual-Use Regulation. The EU’s current export control framework for dual-use items, set out in Regulation (EC) No 428/2009, has been in place since 2009. The regulatory process to review this system and to adapt it to the changing technological, economic and political circumstances has been ongoing for several years.

The revision of the EU Dual-Use Regulation aims at further strengthening EU action on the non-proliferation of WMD, including their means of delivery; contributing to regional peace, security and stability; and helping ensure respect for human rights and international humanitarian law. Most notably, the EU institutions agreed to expand the scope of the framework to cover cyber-surveillance technology with the stated aim of preventing human rights violations and security threats linked to the potential misuse of such technology.

The agreement now needs to be endorsed by EU Member States’ ambassadors sitting on the Permanent Representatives Committee (Coreper). The European Parliament and the Council of the EU will then be called on to adopt the proposed Regulation at first reading.

Continue Reading Provisional Agreement Reached on Review of EU Dual-Use Regulation, Including Rules on Cyber-Surveillance Items

On 17 May 2019, the Council of the EU established a framework against external cyber-attacks which constitute an external threat to the EU or its Member States. The new rules, which reportedly follow a diplomatic push by the UK and the Netherlands, provide for a strong legal instrument to deter and respond to cyber-attacks against the EU or its Member States. The new framework enables the EU for the first time to impose sanctions against persons, entities and bodies because of cyber-attacks. While no names have been added to the sanctions list yet, the new mechanism is expected to allow the EU to move quickly in the future. However, the new framework does not help companies that are under attack. Victims of cyber-attacks are on their own when it comes to fighting off a cyber-attack.

Sanctions under the new framework are country neutral. In other words, they do not target specific third countries but specific malicious actors. Member States are free to make their own determinations with respect to the attribution of responsibility for cyber-attacks to third countries but such determinations have no impact on the EU sanctions. Continue Reading New EU Framework to Target Malicious Cyber-Attacks from Outside the Union

On June 19, 2017, Anthony Rapa was featured on Steptoe’s Cyberlaw Podcast  to discuss the Senate’s adoption of tough Russia sanctions last week.  While there has been a lot of emphasis on the fact that this bill would codify the Obama administration’s Russia sanctions into law, Anthony explains how tough the bill could be on investors in Russia’s energy sector, including European and other third-country firms.  The passing of this bill shifts pressure to the House, where the Republican majority has been more reluctant to support harsher Russia policies.   

For more information, please visit Steptoe’s Cyberlaw Podcast on the Steptoe Cyberblog.

Obama Expands Cyber Sanctions to Cover Election Hacking, Then Uses it to Sanction Russian Intelligence Agencies and Others

On December 29, 2016, the President amended Executive Order 13964, which was originally issued in April 2015, to explicitly authorize sanctions on those found to be “tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.”   See our earlier advisories, here and here, for more information about the original executive order and the related regulations.

At the same time, the President used this newly expanded authority to sanction a number of Russian individuals and entities.  Notably, the President sanctioned the two primary intelligence agencies of the Russian Federation, the GRU and the FSB.  This is the first time the US Government has used the cyber-related sanctions authority in that executive order.  Continue Reading New US Cyber Sanctions on Russia