"An attack on one is an attack on all": Article V as an important tool for deterring cyber-attacks against NATO member states

With U.S. President Donald Trump gone, NATO is no longer under the threat of devolving into “brain death”—how French President Emmanuel Macron described member state’s waning commitment to transatlantic values in 2019.[i] Now, reviving the North Atlantic Treaty Organization is a highly demanded task—not least because of a number of countries and non-state actors that have attempted to exploit the vulnerabilities and temporary weakness of the Alliance and, in particular, because of the rapidly changing nature of warfare, which no longer provides time for reflection.

Article 5 of the North Atlantic Treaty says that in case of an “armed attack” on any member state, all thirty NATO states will consider it as “an attack against them all” and “will assist” up to and “including the use of armed force.” It goes without saying that this rule is the centerpiece of member countries’ stability and is not disputed—at least in cases in which it is simple to understand a missile or a bomb being fired as an act of war. However, today NATO members have to pay attention to new and more intricate challenges that are coming from abroad, like malicious cyber activity, to ensure effective deterrence in the age of cyber warfare.

Seeing that threats from traditional weapons are clearer in our minds and their threat is (more or less) not confusing, the haze of cyber activity, with the lines between war and peace more blurred, causes indecisiveness, generated by the lack of visibility and understanding. Nevertheless, this new threat is not theoretical, and such attacks span across gadgets, sectors, and jurisdictions to launch a blow. Some experts in Western countries claim that acts of this kind may be state-run or sanctioned, with Russia, China, or Iran behind them.[ii]

Although the involvement (or the level of involvement) of these states still stirs controversy among Western actors, it must be noted that some coincidences might not be accidental—as it happened in 2007, when Estonia (a NATO member since 2004) fell victim to a destabilizing cyber-attack that followed the relocation of a Soviet-era statue in Tallinn.[iii] What is more, as argued by experts that posit that the Russian state does engage in offensive cyber operations, the technical tactics and sophistication of Russian cyber operations have evolved since then, and today primarily focus on advanced intrusion tactics like credential harvesting and infiltrating critical service provider platforms.[iv] Allegedly, these operations are often associated with Russian Chief of the General Staff, General Valery Gerasimov. According to the Carnegie Foundation, this is “a whole-of-government concept that fuses hard and soft power across many domains and transcends boundaries between peace- and wartime.”[v]

While Western countries have been pointing at cyber and disinformation as the domains in which Russia has recently caused the most damage, pursuing its own political objectives (not limited to the Estonian case), Moscow representatives consistently deny any Russian government involvement in cyberattacks: “We emphasize that fighting against cybercrime is an inherent priority for Russia and an integral part of its state policy to combat all forms of crime,” Russia’s Embassy in Washington has recently claimed in a Facebook post.[vi] The Kremlin has lately described allegations of its involvement as “baseless”.[vii] Russian experts routinely criticize NATO for “tilting further in the direction of raising stakes and showing no interest of NATO in playing its own or at least supportive role in military de-escalation in Europe”, as Alexey Gromyko, Director of the Institute of Europe of the Russian Academy of Sciences, wrote in his “Comments on the Brussels Summit Communique”, where cyber activities and the possibility of invocation of Article 5 were also mentioned.[viii] Direct connections between the governments mentioned above and whoever is mounting the attacks are vague at best, thanks to the usage of non-state actors, which allows governments to deny responsibility. Meanwhile, the weapons of cyber warfare spread like wildfire, showing an unseen level of technical sophistication and taking national borders in stride. One of the most notorious cyber weapons in history, the malware known as NotPetya, caused approximately U.S. $10 billion in damage and affected not only Ukraine, its country of destination, but also many global companies from NATO member states, as well.[ix] Unlike the rapid and resolute response against the invention of weapons of mass destruction (Geneva Protocol of 1925 or Nuclear Non-Proliferation Treaty of 1968), the surge of cyber weapons today often leads to confusion and indecisiveness.[x] Countries (and their politicians) often do not agree on who is to blame for the growing problem and how to react in a case in which a joint response is required. The idea of collective retaliation is still nascent.

At the Prague Summit in 2002, NATO for the first time recognized that the Alliance should “strengthen our capabilities to defend against cyber attacks.”[xi] At the 2016 Warsaw Summit, NATO officially recognized cyberspace as a domain of operations: “[we] recognize cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. This will improve NATO’s ability to protect and conduct operations across these domains and maintain our freedom of action and decision, in all circumstances.”[xii]

As U.S. Secretary Antony J. Blinken recently mentioned at the National Security Commission on Artificial Intelligence’s (NSCAI) Global Emerging Technology Summit, “At the NATO summit, NATO reaffirmed that a cyber attack could trigger Article V – “an attack on one is an attack on all” – and that’s an important step too in deterring those attacks and protecting our national security in the cyber age.”[xiii] Today, when more and more complex suspicious activities against NATO systems are registered every day, it is definitely a timely decision “to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats, including those conducted as part of hybrid campaigns, in accordance with international law”, as the Brussels Summit 2021 communiqué says.[xiv]

On July 15, 2021, the President of the United States and the Chancellor of Germany affirmed in the Washington Declaration that they “underscore the need to build upon our alliances and partnerships for the challenges that lie ahead – including cyber threats.”[xv] The next question is how to blend cyber with traditional political and military power. The Alliance has to find clearer solutions to deal with “Cyber Article 5” events. The process of making policy on cyber attacks has already started, but it has to be developed and tested. The most vivid example of cooperation and deepening the relationship is probably from the UK, which has maintained high-end interoperability with the United States in a multi-domain setting across hybrid, cyber, and hyperwar challenges.[xvi] The European Union and member states have also made good progress in tackling hybrid threats through establishing a so-called “hybrid fusion cell” (within the EU Intelligence and Situation Centre (EU Intcen) to provide strategic analysis to European decision-makers to deter and respond to cyber-attacks.[xvii]

It seems, however, that this process will take quite a long time, since the development is fraught with difficulties. Cyberwarfare is an integral part of hybrid warfare, which “combines military and nonmilitary as well as covert and overt means, such as disinformation, economic coercion, lawfare, corruption, and irregular and regular forces.”[xviii] When the current rules of war are no longer conventional tactics and nobody claims responsibility for attacks, allies diverge in their policies and disagree on their goals and the ways and means to achieve them.[xix] Even the term “cyber attack” is often used loosely used in discussions—not least because the differences in types of malicious operations are often blurry. Finally, when Allies develop some new initiatives to tackle hybrid tactics, cybercriminals develop new means of attack, and new cybersecurity solutions are no longer the tools for definite victory but more the means to maintain a fragile parity.

Furthermore, as it was said earlier, associating the attack with any specific state could be difficult, since injurious actions are often conducted by private cyber companies, and the role and responsibility of the adversarial government is rather vague.[xx] In addition to questions of attributing responsibility, even if the attack was successfully intercepted and attributed, launching a counter-attack is dangerous, because the preceding evaluation might turn out to be inaccurate, and retaliation may result in the country becoming an aggressor.[xxi]

The question on how NATO can best counter adversaries in the field of cyber warfare depends on updating its defense doctrine and revising Article 5. On the one hand, reinterpreting Article 5 could be achieved through modifying each use of the words “armed attack” with adding “or cyberattack”. On the other hand, the challenge is to reach a real understanding of the physical and cyber limits that could invoke Article 5, to define what is a proportional response after an attack on critical sectors (and what are these sectors), and to incorporate the myriad of these ideas into an updated joint defense doctrine.[xxii] The necessary decisions, being political by nature, will definitely require better research and understanding of the cyber domain and its development through the joint efforts of all political actors involved.[xxiii]

An important step, although a more theoretical one, has already been taken. Point 32 of the Brussels Summit communiqué announcing NATO’s Comprehensive Cyber Defence Policy (CCDP) asserts that “significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack” and “reaffirm[s] that a decision as to when a cyberattack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.”[xxiv] However, this does not make NATO’s crisis management policy less muddled; it is unclear how exactly severe a cyberattack (or, for instance, a series of attacks by different actors) would need to be in order to trigger Article 5. There are too many other open questions, such as if the Alliance has to use a cyber counter-attack that inflicts equal damage on the attacking state or respond with conventional military weapons. After all, what falls into the accumulation of “cumulative cyber activities”?

Despite these difficulties, because of the rapid tempo of cyber operations, the pace of strategic changes should be accelerated. There are many who may question the need for the Alliance in today’s high-tech world amid other new challenges that require maintaining robust deterrence. NATO has already provided for the security of its member states in case of an(y) “armed attack” with Article 5 for more than 70 years. Today, after declaring cyber as an operational domain, just like air, sea, and land, the Alliance will have not only to modify Article 5 but also develop a comprehensive and joint cyber doctrine. Though this is easy on the surface, it will require addressing a number of questions. These solutions offer ways to help NATO stay as relevant tomorrow as it was when the Alliance was created.

Notes

[i] https://www.economist.com/europe/2019/11/07/emmanuel-macron-warns-europe...

[ii] https://icds.ee/en/a-defence-of-defence-natos-response-to-low-grade-cybe...

[iii] https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInform...

[iv] https://www.fpri.org/article/2021/07/understanding-russias-cyber-strategy/

[v] https://carnegieendowment.org/2019/06/05/primakov-not-gerasimov-doctrine...

[vi] https://www.facebook.com/RusEmbUSA/posts/1628363307374053?_rdc=1&_rdr

[vii] https://news.sky.com/story/vladimir-putin-where-is-the-proof-russia-is-w...

[viii] https://russiancouncil.ru/en/analytics-and-comments/comments/comments-on...

[ix] https://slate.com/technology/2019/11/sandworm-andy-greenberg-excerpt-not...

[x] https://balkaninsight.com/2021/08/04/nato-cannot-cede-the-new-art-of-mod...

[xi] https://www.nato.int/cps/en/natohq/official_texts_19552.htm?

[xii] Warsaw Summit Communique, 9 July 2016

[xiii] https://www.state.gov/secretary-antony-j-blinken-at-the-national-securit...

[xiv] https://www.nato.int/cps/en/natohq/news_185000.htm

[xv] https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/15/...

[xvi] https://www.atlanticcouncil.org/wp-content/uploads/2021/08/The-UK-France...

[xvii] https://ec.europa.eu/commission/presscorner/detail/en/IP_19_2788

[xviii] https://cepa.org/hybrid-warfare-of-the-future-sharpening-natos-competiti...

[xix] https://hcss.nl/report/nato-allies-offensive-cyber-policy-a-growing-divide/

[xx] http://www.nrdc-ita.nato.int/db_object/www_nrdc-ita_nato_int/usr/file/ER...

[xxi] https://www.scconline.com/blog/post/2021/08/07/cyber-attacks/#_ftn21

[xxii] https://balkaninsight.com/2021/08/04/nato-cannot-cede-the-new-art-of-mod...

[xxiii] https://www.diva-portal.org/smash/get/diva2:1119569/FULLTEXT01.pdf

[xxiv] https://www.nato.int/cps/en/natohq/news_185000.htm

Image: https://www.nato.int/cps/en/natohq/news_149233.htm

This publication was co-sponsored by the North Atlantic Treaty Organization.