A forthcoming policy framework from the European Union will declare that cyberattacks from hostile actors can be considered an act of war that under the most serious of circumstances justifies a response with conventional weapons.
The Framework on a Joint EU Diplomatic Response to Malicious Cyber Activities is intended to be a strong measure of deterrence against countries known for launching offensive cyber operations, such as Russia and North Korea, according to UK news outlet The Telegraph, which reportedly obtained a draft of the document.
The framework reportedly will also affirm that EU member nations that suffer a cyberattack not only can defend themselves under international law, but also are entitled to assistance from other EU governments, under Article 42(7) of the EU Treaty. Such coordinated responses would likely include diplomatic pressure, public condemnation, and sanctions.
The document will remain vague in defining the limits of coordinated aid and assistance operations; however, the Telegraph notes that the EU itself cannot wage war.
An EU source told the Telegraph that the framework "will make an attacker weigh the consequences of a cyberattack more carefully," adding that formalizing a response strategy "shows we are serious."
In a June 2017 press release, the EU's European Council announced its intention to develop the framework, noting that the EU "is concerned by the increased ability and willingness of state and non-state actors to pursue their objectives through malicious cyber activities."
"Such activities may constitute wrongful acts under international law and could give rise to a joint EU response," the release stated.
Nathan Wenzler, chief security strategist at security consulting company AsTech, said in an email interview that the framework is a “significant step" that "puts any aggressor nation or entity on notice that technology-based attacks can be viewed in the same way as a conventional physical attack..."
Wenzler expects that the policy could be very effective against some, but not all malicious actors: "For aggressor nations who are still participating in the global community and have the potential for great losses should sanctions or military actions take place, this may absolutely serve as a deterrent to continue conducing cyberattacks," said Wenzler. "However, for nations such as North Korea, who have little left to lose in the global community, this may be seen as simply another place to provoke other countries and force their hand into... having to back up what they've said they'll do if targeted by a cyberattack."
Kenneth Geers, senior research scientist at Comodo, commended the leadership of EU, as well as NATO, in an email interview.
"The EU and NATO have begun to collaborate closely on cybersecurity, in part due to the Snowden revelations, but even more so in response to Russia's invasion of Ukraine and interference in the U.S. presidential election," said Geers, also a senior fellow with the Atlantic Council and an ambassador with the NATO Cyber Centre. "The combined power of 28 sovereign democracies, including their network security, law enforcement, and counterintelligence agencies, fundamentally changes the game in cyberspace, and bolsters deterrence, investigation, and retaliation."