Malicious cyber activities are on the rise. States and other relevant actors need to constantly adapt to the evolving cyber threat landscape, including by setting up effective deterrence mechanisms. This is what the European Union (EU) has done through the adoption of Common Foreign and Security Policy (CFSP) Decision 2019/797, which allows it to impose targeted sanctions to deter and respond to cyberattacks that constitute an external threat to the EU or its member states. However, in contrast to other horizontal regimes of restrictive measures in force within the EU, foreign governments are not included as potential targets of cyber sanctions. Moreover, the recital of the Decision specifies that the adoption of restrictive measures does not involve attribution of international responsibility for cyber-attacks to a third State. This article aims at identifying the rationale behind the inclusion of these distinctive features. It starts by considering the legal uncertainty that surrounds attribution of international responsibility for cyber operations. Next, it explains why the EU is not well placed to invoke third-State responsibility, and the reasons behind its reluctance to do so. It will then illustrate the risks inherent in the lack of a clear legal framework to attribute the responsibility of cyber-attacks to third countries. This may have serious consequences in terms of legal certainty when a cyber-attack amounts to a breach of the prohibition on the use of force in international relations. Then, we explore recent developments in EU legislation in the area of cyber security and the possibility to strenghten the powers of the European Union Agency for Cybersecurity (ENISA). We draw two conclusions: first, the Union might develop the capacity to attribute cyber attacks to specific actors and there is an interest to do so. However, Member States are probably still reticent to take this step. Two, despite the advantages of establishing a reliable attribution mechanisms, it is submitted that the majority of States prefers to take advantage of a regulative gap that allows them to react to cyber incidents as they see fit.

The Rationale and the Perils of Failing to Invoke State Responsibility for Cyber-Attacks: The Case of the EU Cyber Sanctions

Sommario, Emanuele
2023-01-01

Abstract

Malicious cyber activities are on the rise. States and other relevant actors need to constantly adapt to the evolving cyber threat landscape, including by setting up effective deterrence mechanisms. This is what the European Union (EU) has done through the adoption of Common Foreign and Security Policy (CFSP) Decision 2019/797, which allows it to impose targeted sanctions to deter and respond to cyberattacks that constitute an external threat to the EU or its member states. However, in contrast to other horizontal regimes of restrictive measures in force within the EU, foreign governments are not included as potential targets of cyber sanctions. Moreover, the recital of the Decision specifies that the adoption of restrictive measures does not involve attribution of international responsibility for cyber-attacks to a third State. This article aims at identifying the rationale behind the inclusion of these distinctive features. It starts by considering the legal uncertainty that surrounds attribution of international responsibility for cyber operations. Next, it explains why the EU is not well placed to invoke third-State responsibility, and the reasons behind its reluctance to do so. It will then illustrate the risks inherent in the lack of a clear legal framework to attribute the responsibility of cyber-attacks to third countries. This may have serious consequences in terms of legal certainty when a cyber-attack amounts to a breach of the prohibition on the use of force in international relations. Then, we explore recent developments in EU legislation in the area of cyber security and the possibility to strenghten the powers of the European Union Agency for Cybersecurity (ENISA). We draw two conclusions: first, the Union might develop the capacity to attribute cyber attacks to specific actors and there is an interest to do so. However, Member States are probably still reticent to take this step. Two, despite the advantages of establishing a reliable attribution mechanisms, it is submitted that the majority of States prefers to take advantage of a regulative gap that allows them to react to cyber incidents as they see fit.
2023
File in questo prodotto:
File Dimensione Formato  
GLJ, 2023, Poli_Sommario.pdf

accesso aperto

Tipologia: Documento in Pre-print/Submitted manuscript
Licenza: Creative commons (selezionare)
Dimensione 247.53 kB
Formato Adobe PDF
247.53 kB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11382/554852
 Attenzione

Attenzione! I dati visualizzati non sono stati sottoposti a validazione da parte dell'ateneo

Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 2
social impact