By Franklin Holcomb, for CEPA
The Kremlin uses its cyber toolkit to spread political disunity, delegitimize and destabilize national governments, and compromise European security. Russia’s operations target everything from European civil society and state institutions to energy and transport companies and banks. European states and EU institutions are hardening their cyber defenses but the Russian government has yet to be deterred.
Germany has recently taken the lead in the EU in responding to Russian cyber aggression. On May 13, Angela Merkel revealed that hackers linked to the GRU (Russian military intelligence) breached the parliament in 2015. The German leader noted that “every day I try to build a better relationship with Russia and on the other hand there is such hard evidence that Russian forces are doing this.” Her government followed up its attribution of the 2015 attack by triggering a 2019 EU sanctions mechanism designed to help deter cyberattacks targeting European elections. If approved by all EU member states, the head of the GRU and the individual who orchestrated the 2015 attack would face European sanctions and travel bans.
Europe has become increasingly focused on improving cyber resilience through national action. Some European states, such as Estonia in 2007, were awakened to the risks posed by hostile cyber activity earlier than others and have implemented comprehensive cybersecurity doctrines. Others began to improve cybersecurity after observing Russia’s attack on the Ukrainian power grid in 2015, its targeting of U.S. elections in 2016, and the NotPetya attack 2017. Though aimed at Ukraine, this had severe cascading effects on global economic and civil institutions worldwide. Georgia suffered a major disruptive attack in 2019.
National efforts have included the establishment of cybersecurity centers, such as those in Lithuania and the Czech Republic, the creation of cyber defense doctrines and policies, and the creation of civilian cyber militia to supplement state defense capacity in a time of crisis. Yet the Euro-Atlantic community lacks unity in responding to hostile cyber-attacks. NATO has indicated that it would treat a “serious cyberattack” as a potential trigger for activating its collective defense. A wide range of disruptive operations are below this threshold, though.
The EU sanctions mechanism — if implemented promptly and effectively — is a key component in building European cyber defenses and deterring attacks. EU states should demonstrate their resolve and rapidly approve Germany’s request to implement sanctions. Other European states targeted by Russian hackers in recent years, including Poland, Latvia, and the Czech Republic, should follow Germany’s lead in triggering this EU mechanism.
American and European approaches are converging. The U.S. already implements sanctions against Russian cyber actors for their malign and destabilizing cyber activities. Coordinated transatlantic sanctions will have a greater chance of success than when either side applies them unilaterally. Such an approach will not just deter Russia. It also sends a clear message about the Euro-Atlantic community’s resolve to respond to cyber action by any other hostile actor.
By Franklin Holcomb, for CEPA
Franklin Holcomb is a Transatlantic Leadership Fellow at CEPA with a focus on Russian and Eastern European security and political analysis.
Europe’s Edge is an online journal covering crucial topics in the transatlantic policy debate. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.