Cybercrime

EU to offer military aid to member states hit by serious cyberattacks

Countries in the bloc will be able to appeal to mutual defense provisions in case of online aggression

The cyber-defense operations center at Deutsche Telekom.
The cyber-defense operations center at Deutsche Telekom.WOLFGANG RATTAY / REUTERS

The European Union is about to approve changes to its mutual defense rules that will allow members states targeted by cyberattacks to call on fellow countries for military assistance, according to a document seen by EL PAÍS.

Those changes are set to be ratified by Europe’s foreign affairs chiefs on Monday, and will see the European Union situating cyberattacks among the most serious form of threats facing the 28-member bloc.

European leaders know that modern-day battles are far more likely to involve cyberattacks than tanks

The new rules come in the wake of the detection of various incidences of online dissemination of disinformation designed to destabilize the EU, with the example of the Catalan crisis being just the latest example. As such, Brussels is placing “special emphasis on defending democratic values” in the context of global security.

The number of cyberattacks in the EU has quadrupled since 2015, according to European Commission data, and in some countries, half of all crimes are now cybercrimes. Many of those are purely economic in nature while others seek to destabilize Europe by altering election results or interfering in the functioning of critical infrastructure.

“There are daily attempts to interfere with the infrastructure in the EU,” said one source, who requested anonymity.

European leaders know that modern-day battles are far more likely to involve cyberattacks than tanks. For this reason, the EU is adapting its military strategies. The new text to be approved today will mean that “any particularly serious cyber incident or crisis could constitute sufficient motive for a member state to invoke the solidarity clause and that of mutual assistance.”

In reality it is almost impossible to prove that a government is behind a cyberattack

This is a reference to existing articles of the Lisbon Treaty that oblige EU member states to provide assistance when a fellow state is “the object of a terrorist attack or the victim of a natural or man-made disaster.”

This possibility has only been invoked once since the treaty came into force in 2009: when France called for assistance after the terrorist attacks of November 2015 in which 130 people lost their lives. Spain was one of the countries that offered help at that time.

The 18-page document to be approved on Monday does not mention Russia, the prime suspect in terms of external interference in European affairs. Sources say many of the cyberattacks come from Russia and North Korea but highlight this does not mean they are state-sponsored.

“Hackers take refuge there because it is easy to hide, as these countries do not cooperate. What we can say with certainty is that these governments do not help us to identify those responsible,” one expert explains.

The 18-page document does not mention Russia, the prime suspect in terms of external interference in European affairs

By making these new changes, the EU will be following in the footsteps of NATO, which also considers cyberattacks a sufficient cause to invoke the mutual-assistance clause among allies.

The EU also hopes to dissuade third parties from interfering in its affairs, with the changes to the defense protocols incorporating a European Commission proposal allowing for “restrictive measures that could be used to avoid cyber activities and to respond to them” – a reference to possible sanctions against countries carrying out activities considered damaging.

However, in reality it is almost impossible to prove that a government is behind a cyberattack. In addition, any sanctions – which require unanimity among member states – can only be adopted when there is clear evidence of these irregularities.

English version by George Mills.

More information