On 19 February 2018, Marietje Schaake submitted the following written questions to the Council on the attribution of the NotPetya attack:
Last week, Australia, New Zealand, Canada, Japan, the United States, Denmark and the United Kingdom formally attributed the NotPetya cyberattack to Russia. On the 17th June 2017 the Council adopted Conclusions on a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities, which affirmed that “restrictive measures (..) are suitable for a Framework for a joint EU diplomatic response to malicious cyber activities”.
1. Given these determinations of two EU Member States, and five EU-allies, is the EU Council ready to publicly attribute this attack to Russia? If not, why not?
2. What should be the consequences for this attack according to the Council?
Reply of the Council:
In its conclusions on malicious cyber activities of 16 April 2018, the Council expressed the EU's serious concern about the increased ability and willingness of third states and non-state actors to pursue their objectives by undertaking malicious cyber activities, and stated that the EU would continue to bolster its capabilities to address cyber threats. The EU firmly condemned the malicious use of information and communications technologies (ICTs), including in WannaCry and NotPetya, and stressed that the use of ICTs for malicious purposes is unacceptable(1).
Public attribution of the cyber attacks is based on all-source intelligence, and remains a sovereign political decision. The EU cyber diplomacy toolbox foresees the development of the relevant information sharing and consultation mechanisms among the Member States.