Julia Schuetze is an international cybersecurity policy project manager at Stiftung Neue Verantwortung.
For the first time in response to a state-sponsored cyber operation, Germany’s federal prosecutor issued an international arrest warrant in early May for a Russian national, Dmitriy Sergeyevich (dt.: Dmitrij Sergejewitsch) Badin. Badin is supposedly employed by the Russian Main Directorate of the General Staff of the Armed Forces (GRU) of the Russian Federation. The international arrest warrant was issued after Badin was indicted for compromising the IT-infrastructure of the German parliament in 2015. On May 13, Chancellor Merkel went on the record saying that there is “hard evidence” that points to Russia.
The chancellor argued to the German parliament that the cyber operation for which Badin was indicted is part of a broader Russian hybrid warfare strategy. She then said that although she will continue to work together with Russia, “the trustful relationship is disturbed.” When parliamentarians pressed her on the consequences Russia would face, Merkel answered vaguely, “of course we always reserve measures, also against Russia.” Although this did not specify what these measures would be, it signaled that other actions against Russia could follow Badin’s indictment.
While the indictment of Badin could get lost in the larger bilateral relationship, and other incidents such as the murder of a Georgian citizen in Berlin which could prompt another set of indictments, it is an important step. Germany has joined a growing list of countries willing to publicly attribute attacks to state-backed hackers and indict them. Moreover, and perhaps even more importantly, the Badin incident could lead to sanctions under the EU Cyber Sanctions Regime for the first time.
Indeed, the European Union (EU) possesses the ability to apply EU-level sanctions in response to cyber operations. Germany supported the European Council decision, adopted in June 2017, to establish the so-called EU Cyber Diplomacy Toolbox. The toolbox includes foreign policy levers such as banning persons from traveling to the EU and asset freezes. In order to operationalize this, the Cyber Sanctions Regime was passed by a European Council decision in 2019. However, in order for the EU to levy sanctions, all member states must agree.
Thus far, notable EU responses to cyber operations are public statements and European Council conclusions condemning cyber operations but refraining from attribution and sanctions. However, the Badin case is likely to be different and could lead to attribution and the application of the Cyber Sanctions Regime for four reasons. First, there were two European countries (Germany and the Netherlands) involved in collecting evidence that led to the attribution of the operation to the GRU. Second, this is not the first time GRU has been caught. EU member states have attributed multiple past cyber operations to the GRU, or persons affiliated with the GRU. For example, in 2018, Dutch intelligence caught four GRU agents trying to hack into the Hague headquarters of the Organization for the Prohibition of Chemical Weapons (OPCW), the international chemical weapons watchdog. Also, in 2017, five member states (Denmark, Lithuania, Estonia, Norway, Latvia, Sweden, and Finland) publicly attributed or supported the attribution of the NotPetya ransomware attack to the GRU. Third, the Cyber Sanctions Regime passed in 2019 states that it can be applied against persons or entities that are responsible for cyberattacks or attempted cyberattacks. Sanctions can also be imposed on persons or entities associated with them. The GRU or the individually indicted persons affiliated to the GRU would clearly fall under these categories. Fourth, the EU has previously sanctioned members of the GRU for their role in the Skripal case in 2018. This shows that sanctioning the GRU at the EU level is generally possible.
In February 2020, it was reported that the EU is considering sanctions against Chinese and Russian groups for hacking. This further suggests that the German indictment was indeed a first step that could be followed by EU sanctions. Moreover, even though the French government has thus far not attributed the 2017 Macron email leaks to the GRU, in February 2020, French President Macron signaled that France would likely be on board with an EU response by calling for using the sanctions regime against Russia for election meddling.
In effect, there are many indications that Germany’s indictment of Badin could prompt EU sanctions. Not only does the case use “hard evidence” that was collected by at least two European member states, but member states have also attributed multiple past cyber operations to the GRU, or persons affiliated with it. Moreover, cyberattacks clearly meet the threshold for justifying sanctions, as defined in the EU’s Cyber Sanctions Regime. Finally, the EU has sanctioned the GRU before for non-cyber incidents, and there is public support by EU leaders to use sanctions to respond to cyber operations. While sanctions will require agreement among all states, never an easy task, all signs point toward the EU applying the Cyber Sanctions Regime.