New Technologies in International Law / Tymofeyeva, Crhák et al.

requirement is even more problematic in the case of cyber sanctions due to the fact that the cyberspace is in principle an anonymous sphere where obtaining relevant evidence is not without difficulties. Thus, attribution of cyber-attacks to particular actors to establish the necessary nexus might be problematic, even if the evidentiary standards are of a lower threshold (sufficiently solid factual basis) as opposed to the one in criminal cases (beyond reasonable doubt). Furthermore, no less problematic is the fact that the evidence in cyber context is essentially confidential, normally provided by the intelligence authorities of the specific member state. However, member states may decline to share the evidence with the Council for national security reasons in light of the rule of originator control. In fact, there have already been cases in which the member states refused to share the intelligence data for sanctions listings. 538 By and large, the main problems with respect to cyber sanctions could be summarised in the following way: first, the presence of issues of transparency and procedural rights; second, and in connection with the first issue, the lack of intelligence sharing prevents a proper justification during judicial review; third, inconsistencies in the application of cyber sanctions – in the case of Bundestag hack and Cloud Hopper (where espionage was involved) restrictive measures were imposed, whereas in other similar cases the EU refrained from taking any action 539 ; four, as seen in the WannaCry and NotPetya cases, the speed of imposition could compromise the effectiveness of sanctions. 540 With respect to the consequences of cyber sanctions imposed by the EU (or other states, such as US, UK…) for international law, they constitute relevant state practice and do contribute to the development of rules of international law, in particular in the field of customary international law. As Iryna Bogdanova and Callo-Muller contend, the imposition of cyber sanctions could be understood as “ signalling red lines in cyberspace. Thus, cyber sanctions should be studies: they could substantiate the crystallization of customary international law regarding responsible state behaviour in cyberspace .” 541 In the next part, we shall look into the unresolved question from the perspective of international legal norms.

538 Miadzvetskaya Y, ‘Cyber sanctions: towards a European Union cyber intelligence service?’ ( College of Europe Policy Brief , 2021) . There is indeed a growing call for more effective coordination between the intelligence agencies of member States, cooperation between the EU and private sector or even a more ambitious proposal to create an EU intelligence authority. 539 See e.g., Soesanto S, ‘After a Year of Silence, Are EU Cyber Sanctions Dead?’ ( Default , 26 October 2021) accessed 31 December 2023. 540 Bendiek A and Schulze M, ‘Attribution: A Major Challenge for EU Cyber Sanctions’ ( Stiftung Wissenschaft und Politik (SWP) ) accessed 31 December 2023, pp. 34–36. 541 Bogdanova I and Vásquez Callo-Müller M, ‘Unilateral Cyber Sanctions: Between Questioned Legality and Normative Value’ (2021) 54 Vanderbilt J. Transnat’l L. 4, pp. 922–923.

126