When would a cyberattack trigger a NATO response? It’s a mystery
Cyberattacks are increasingly a key part of modern warfare, but NATO’s treaty that says an attack on one nation represents an attack on all has not covered these aggressive actions.
Several NATO members have been hit with recent cyberattacks, but there has been no signal from NATO on when such attacks might ever trigger Article 5, which states that an act of war against a NATO member will prompt a response from the full alliance.
“Article 5 was written in the days when things were much clearer,” said James Lewis, a senior vice president and director with the strategic technologies program at the Center for Strategic and International Studies.
“We don’t have that clarity with cyberattacks,” he added.
Experts have been wondering why government officials have yet to clearly define what constitutes a major cyberattack and what the thresholds are for responding against one.
“I don’t believe we’re any closer today than we were five years ago in defining what a major cyberattack is,” said Paul Capasso, vice president of strategic programs at cybersecurity firm Telos.
“Without a clear definition, how do you determine what those thresholds are?” he added.
The experts, however, said that government officials are perhaps deliberately keeping the thresholds ambiguous because once they define and establish red lines, they have to follow through on it because failure to do so gives the enemy permission to continue the attacks with no consequences.
“Governments don’t like to define ‘cyberwar’ or even cyberattack because it ties their hands,” Lewis said.
NATO Secretary General Jens Stoltenberg has said that although cyberattacks against a NATO member can trigger Article 5, the alliance is reluctant to publicly disclose under what circumstances the article would be invoked.
“On cyber, we have stated that cyberattacks can trigger Article 5, but we have never gone into that position where we give a potential adversary the privilege of finding exactly when we trigger Article 5,” Stoltenberg told reporters in February at a press conference in Brussels.
By leaving the door open, it’s up to member states to determine whether a cyberattack was destructive enough to start the process of invoking the article with the full support from the alliance.
Albania, a NATO member since 2009, did consider invoking the article after it suffered a series of massive cyberattacks that targeted the country’s government websites and computer systems used by law enforcement. Ultimately, the Balkan nation refrained from it to avoid unnecessary escalation.
Although none of the member states invoked Article 5, the U.S. Treasury Department did sanction Iran’s intelligence ministry and its top intelligence official in response to the cyberattack.
“We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners,” said Brian Nelson, the under secretary of Treasury for terrorism and financial intelligence.
Albania is one of several NATO members this year that suffered cyberattacks likely launched by state-sponsored hackers. Lithuania, Estonia, Montenegro and most recently the United States. were all victims of a series of hacks that targeted government websites and critical infrastructure.
In Montenegro, the hackers targeted the country’s water supply systems, transportation services and online government services. Although the attack was major, it did not permanently damage state infrastructure, officials said.
The group also claimed responsibility for the cyberattacks in Lithuania and Estonia.
Experts said none of the recent cyberattacks that targeted the NATO members reached the level where the alliance would seriously consider triggering Article 5.
“Russia has been using cyber operations against NATO for decades and none have ever risen to the level of triggering Article 5,” Lewis said.
Although the thresholds are still unclear when it comes to cyberwarfare, Lewis said that a cyberattack would have to cause significant damage that is equivalent to an armed attack, including permanent destruction of critical infrastructure, casualties, and loss of life.
However, experts said even if those thresholds were met, there’s no guarantee that the alliance would immediately trigger Article 5. The member countries would still have to weigh the risks of invoking the article and determine whether the attack is worth going to war.
Melissa Griffith, a lecturer in technology and national security at the Johns Hopkins University School of Advanced International Studies, said that while it’s important to determine whether the effects of a cyberattack “meet the thresholds of an armed attack when considering whether to invoke Article 5, a far more [pressing] question is “what would a state gain and what would a state, and the alliance, be risking by making the decision to invoke [the article] in a specific instance?”’
Griffith added that whether to invoke Article 5 is a political and strategic move made by the member state attacked and the alliance, and hinges less on whether there are clearly defined thresholds.
“Countries want to preserve the right to decide when they go to war,” Lewis said, adding that “governments don’t want automaticity, they want discretion.”