Reexamining Article 5: NATO's Collective Defense in Times of Cyber Threats

Facing an adversary that does not shy away from including cyber tools in its playbook, the time has come for NATO to replace strategic ambiguity with clarity in formulating how the collective defense pledge plays out in times of cyber threats.

Russian aggression against Ukraine is taking place in cyberspace as well as on the ground. Ukrainian government sites have been attacked. In March, several NATO public sites were brought down by suspected Russian hackers as well. NATO's Baltic members are nervous that they are next on Moscow's offensive line. The Ukraine crisis is a reminder that the time has come for NATO to replace strategic ambiguity with clarity in formulating how the collective defense pledge plays out in times of cyber threats, both to bolster confidence among the Allies and in the interest of the physical and functional self-preservation of the organization.

Conceived long before the cyber domain made its way into statecraft, NATO's Article 5 encompasses the concept of collective defense. Central to NATO's purpose, the provisions in Article 5 are based on the premise that an armed attack against one constitutes an attack against all the other Allies. The Article embodies a pledge to assist the attacked country in defending itself and restoring peace and security. The decision to invoke Article 5 is taken on a case-by-case basis by Allied nations by political consensus. NATO's use of Article 5 following the 9/11 attacks proved its functionality beyond its traditional interpretation. To activate Article 5, the attack does not have to be "armed" -- in the kinetic sense -- with arms. In the case of a serious cyberattack that results in casualties, NATO and the Allies can be called on to invoke Article 5. Such attacks would include a cyberattack on the air traffic control system of a member state resulting in casualties and property damage from a plane crash, or a cyberattack on critical infrastructure that results in mass casualties and destruction.

Instantaneous destructive cyberattacks, akin to the 9/11 attacks, aren't the only conceivable scenarios that can trigger the application of Article 5. It is more likely that a protracted, dynamic cyber campaign would fulfill the criteria of scope, duration, and intensity to qualify for its applicability. Future cyber conflict will play out in unexplored waters. Cases of economic disintegration, with devastating and deadly economic disruption, will have to be considered and accommodated in the collective defense mission in the future.

Beyond the futuristic scenarios, the contours of the application of Article 5 to a cyberattack amounting to an armed attack are laid out; NATO and allied leaders must move to operationalize the concept. If a cyberattack amounts to an armed attack, NATO would be able to respond in kind by cyber means. Room for retaliation by cyber means may, however, not exist or may be ineffective, and the response would then be carried out by traditional means and methods or a combination of the two. By looking at the similarities between a confrontation involving cyber capabilities and a traditional one, rather than at their differences, NATO could formulate how to apply the full spectrum of its authorities to such an engagement. Preparedness for cyberattacks reaching the level of an armed attack must become an integral part of collective defense, crisis management, and cooperative security in NATO. NATO nations have to make the mental leap from treating this merely as a technical issue to treating it as one for which traditional authorities to act with military means exist within the Alliance.

NATO must move past its current cyber defense policy and provide operational capabilities to defend itself and its allies by collective preemptive and retaliatory actions. If the availability of capabilities becomes an issue, Allies have a framework -- the organization itself -- for sharing their resources. The United States and some of the other member states already have offensive cyber capabilities. The sharing of capabilities and best practices would help bridge the capability gap among Allies.

Challenges in attributing cyber incidents, an issue that has been clouding a pronounced position on NATO's potential reactions to cyber incidents, must be tackled. NATO must move toward a comprehensive attribution approach: one that does not use purely technical parameters for assigning responsibility for an attack but also considers wider geopolitical indicators and warnings. Just as in a traditional crisis, a major cyberattack won't be an isolated incident. Support for the development of an improved attribution regime through investment in forensic research and capabilities -- both at the level of the organization and of the individual member states -- should complement the shift in the approach to attributing an attack.

Attribution regime and capabilities notwithstanding, NATO has a framework to act in collective defense in response to a deadly and destructive cyberattack. Policy consensus on responses must follow suit. In this century, the spirit of collective defense must include clear approaches to cyber and other nontraditional threats.