But despite this rhetoric, it remains unclear exactly how and when Article 5 applies to cyberspace. This ambiguity is a problem, with potentially disastrous consequences. Relying on the credibility of Article 5 for what is often questionable activity in cyberspace threatens to undermine the broader principle of collective protection. We cannot risk splitting the transatlantic alliance at a critical juncture in its history in a debate over what counts as a major or minor cyberattack. For this reason, NATO should quickly clarify its policy on cyberattacks and clearly indicate the threshold at which an Article 5 response can be invoked. In addition, NATO members should commit to treating cyberattacks that do not reach the level of a major attack as a national question, not as an alliance question.
Such a shift may face some initial resistance, especially in light of the Kremlin’s history of malign activities in cyberspace. One of the first state-initiated cyberattacks was carried out by Russia against NATO member Estonia in 2007. Then there was the SolarWinds hack, discovered in December 2020, in which Russia gained access to a treasure trove of US data. Russian President Vladimir Putin’s maneuvers against NATO members, as well as the annexation of Crimea in 2014, prompted the alliance to issue a Cyber Defense Commitment in 2016, which recognized cyberspace as a military domain. Two years later, NATO launched a Cyber Operations Center in Mons, Belgium, to improve situational awareness and coordination of cyber operations. Since then, the alliance has consistently reaffirmed the application of Article 5 to cyberspace. At the 2021 summit in Brussels, NATO committed to a new Comprehensive Cyber Defense Policy, while allies agreed to use “the full range of capabilities” at any time to “deter, protect and counter the full range of cyberthreats.”
Notably, in last summer’s summit communiqué, NATO refined its wording to take into account the fact that some cyber incidents may not be critical in isolation, but are nonetheless significant when viewed collectively. In particular, the Allies acknowledged that “the impact of significant malicious cumulative cyber-activities may, under certain circumstances, be considered as an armed attack.” In practice, however, NATO leaders avoid explaining the conditions under which a cyberattack would trigger Article 5 and how NATO would respond. When pressed about Russian cyberattacks in the context of Ukraine, Stoltenberg warned that “we have never taken the position that we give a potential adversary the privilege of determining exactly when we enact Article 5.”
This ambiguity is not surprising for several reasons. The nature of cyberspace often confounds unambiguous statements about containment. States tend to operate in cyberspace with plausible deniability, which can make it difficult to quickly establish responsibility for cyber incidents. In addition, it can be difficult to understand the intent of the observed cyber behavior, and there is often a significant time lag between the moment the network is initially penetrated and the moment the target even becomes aware of the breach. And the vast majority of cyber operations inflict virtual rather than physical damage, which complicates efforts to assess the impact of the costs incurred. In addition, it may take time to determine how to penetrate a network, as well as to develop computer code that uses a vulnerability for malicious purposes. This means that states may not have an acceptable cyber response option for retaliation at the right time.
This creates many practical problems if Article 5 is applied to a cyberattack. From an implementation point of view, this will entail discussion within the North Atlantic Council (NAC), NATO’s main decision-making body. Decisions made within the NAC require unanimity, which can be difficult to achieve on many issues, but is especially burdensome on cybersecurity, given all the ambiguities described above. The most likely outcome of this process will be long, drawn-out discussions that leave a divided alliance unable to agree on whether and how to respond. Simply put, some allies are unlikely to be willing to risk World War III over a cyberattack that disrupts the financial infrastructure of, say, another country, but does not result in loss of life or sustained damage.
These challenges have significant strategic implications for NATO. After years of publicly and repeatedly linking Article 5 to cyberspace and strengthening this policy in response to the conflict in Ukraine, failure to reach consensus and respond to a Russian cyberattack against a NATO member could threaten Article 5 in other areas. The disunity that is likely to emerge during the NAC deliberations will undermine the broader political cohesion that has for the most part been surprisingly strong throughout the war in Ukraine. This will make it harder for the alliance to react to other forms of Russian behavior. As Biden stressed at a press conference last month, “The most important thing for us is to remain one… We must remain completely, totally, completely one.”
NATO has achieved some strategic uncertainty in its current cyber policy that could help deter serious Russian attacks during the current crisis. However, a much more likely scenario is not an all-out Russian cyberattack, but a lower-level attack by the Russian government or a proxy group against one or more allies. In this case, the interests of the alliance, not to mention transatlantic security, would be better served by responding in a nationally tailored manner rather than by leveraging Article 5. In addition, to prevent further escalation and reinforce the implicit firebreak that currently exists between cyber operations and conventional military operations, NATO allies must also agree to limit any retaliation against Moscow to the cyber sphere or non-military instruments of force.
Since there is little chance of improving relations between NATO and Russia in the near future, time is of the essence to get this right. Allies must start the hard political work now to ensure that members reach an agreement before the June NATO summit, if not sooner. In the past, it has taken time to reach consensus on important cyber issues. NATO attributing last summer’s Microsoft Exchange hack to China was an important step for the alliance and gave a strong signal to our adversaries. But it took months to reach agreement on the statement; the hack was exposed in March 2021 and the NATO statement was not released until July. In the current crisis, the alliance does not have the luxury of waiting four (or more) months to agree on a response. In order not to undermine NATO’s credibility and deterrence, Allies must improve their cyber policy now.