On July 30, the European Union (EU) imposed its first-ever sanctions against cyber attacks. North Korea, along with China and Russia, was one of the countries targeted. The EU’s autonomous sanctions related to North Korea’s nuclear and WMD programs were extended for an extra year on the same day. North Korea is also due to be slapped with sanctions for its human rights violations as soon as the EU approves its own version of a “Magnitsky Act.” With the EU-DPRK dialogue frozen since 2015 and EU aid to North Korea almost grinding to a halt, it seems clear that Brussels now sees sanctions as its tool of choice to deal with Pyongyang. The EU is under no illusions that sanctions alone will change North Korean behavior. But Brussels hopes they can help bring Pyongyang to the negotiation table and steer it away from its nuclear program and other unwanted actions.
Cyber Sanctions: A New Front in Brussels’ Pressure Campaign
The EU’s cyber sanctions on North Korea are part of its so-called “cyber diplomatic toolbox,” agreed to in June 2017. Essentially, the toolbox calls for diplomacy and negotiations to address cyberspace disputes but, crucially, acknowledges that sanctions may be necessary when cyber attacks take place. The cyber sanctions framework itself was adopted in May 2019.
In the case of North Korea, the EU sanctioned Chosun Expo for:
…[providing] financial, technical or material support for and [facilitating]…a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States.
There are two crucial points here, which suggest how the EU might deploy cyber sanctions against North Korea in the future. First, the EU can target entities or individuals suspected of supporting a cyber attack even if they are not directly accused of conducting it, broadening the scope of potential targets. Second, Brussels can deploy cyber sanctions even if the cyber attack does not directly target an EU entity. In the case of Chosun Expo, it is suspected of having facilitated a cyber attack on the Polish Financial Supervision Authority, as well as the WannaCry cyber attack that also affected Europe.
But the EU also justifies sanctioning this entity due to its cyber attacks on American, Bangladeshi and Vietnamese entities. Indeed, the EU’s cyber sanctions framework explicitly states that attacks against third parties that impact its foreign policy goals can also lead to cyber sanctions. This is a very loose definition. In a globalized world and with the EU as the second-largest economy in the world, it is difficult for a cyber attack not to affect Europe’s foreign policy interests.
Certainly, the EU’s cyber sanctions regime remains underdeveloped compared to the US’ framework. But a closer look at the EU’s sanctions suggests that it has taken a cue from America’s own North Korea cyber sanctions. The entities targeted and the types of sanctions (i.e., travel bans and asset freezes) are similar, as well as the justification for imposing the sanctions. Indeed, the US Department of the Treasury had already imposed sanctions on Chosun Expo for its involvement in the WannaCry ransomware attack. In Brussels, the expectation is that cyber sanctions cooperation with the US government will only increase.
Potential Human Rights Sanctions: Values Become Weaponized
Developing a sanctions regime targeting entities and individuals accused of human rights violations is a priority for the EU. The COVID-19 pandemic has slowed down progress in adopting a so-called EU Global Human Rights Sanctions Regime, but the expectation is that the Working Party on Human Rights will now accelerate work to come up with the regime.
Once the EU can legally impose human rights sanctions, North Korea will be one of its first targets. The EU has a long track record of co-sponsoring the UN Human Rights Council and General Assembly resolutions condemning North Korea for its human rights record. The European Parliament—a key driving force behind the EU’s human rights regime under negotiation—has repeatedly accused North Korea of gross human rights violations. And improving the human rights of the North Korean population remains one of the EU’s three official goals in its policy towards the North.
As in the case of cyber sanctions, the US has a comprehensive range of North Korea human rights sanctions that the EU will no doubt follow. Unlike Washington, however, Brussels is likely to be more consistent in its approach to human rights violations once its sanctions regime is approved. This is because it takes a long time for EU member states to agree on foreign policy action, but once they do those actions tend to remain official policy for many years. There is little possibility of a new president of the European Commission or Council overhauling foreign policy, as President Donald Trump has done in the US—including essentially ignoring human rights in its North Korea policy.
For the EU, human rights sanctions are a way of making its values more central to its foreign policy. Certainly, the EU has a long history of condemning human rights abuses across the world. But with a human rights regime in place, it will be able to impose travel bans and asset freezes on those it accuses of human rights violations. This will have a material impact that condemnations lack.
The EU’s North Korea Sanctions Campaign
Together, the EU’s existing nuclear, WMD and cyber sanctions on North Korea, and the likely addition of human rights sanctions, make for a comprehensive sanctions campaign. This is the result of a decisive EU shift away from engagement and towards pressure, which can be traced back to North Korea’s 2016 nuclear tests and barrage of missile tests. Even though there are EU member states which advocate engagement alongside sanctions, so far there is only agreement that sanctions should continue to be in place.
Since last year, the EU has made moves towards becoming more “geopolitical.” This means that Brussels will use all the tools at its disposal to advance its own interests. In the past, critics have accused the EU of focusing too heavily on diplomacy and multilateralism—at the expense of coercive measures. Its renewed focus on sanctions suggests that this is not the case.
In the case of EU-DPRK relations, Brussels will continue to prioritize the use of sanctions. Only a sustainable diplomatic process and North Korean steps towards denuclearization, which the EU would consider meaningful, will change this. But even if these steps occur, the use of cyber and, potentially, human rights sanctions shows that Brussels is now taking a more holistic view of North Korean affairs, and that pressure is a central component of this approach.