Would NATO Go to War Over a Cyberattack?
NATO summits are moments for the Alliance to reflect on past accomplishments and provide strategic direction for the future. While difficult issues ranging from Ukraine to Afghanistan will likely overshadow important developments in the cyberdefense arena at the Wales Summit, the heads of state of the Alliance are expected to approve a major change in cyberpolicy that will be a landmark step in the evolution of member states’ and NATO’s cyberstrategy.
In its new Enhanced NATO Policy on Cyber Defense, NATO will present a plan for improving the governance of cyberdefense, along with a new framework for its relationship with industry. It will also announce new cyber educational and training initiatives, and will introduce cyberdefense into its future operational planning.
The policy endorsed by NATO leaders will include the principle that a cyberattack can constitute an armed attack within the meaning of NATO’s Article 5, thus triggering its members’ obligations of collective defense. Certain NATO countries have pressed the Alliance to adopt and publicly acknowledge this principle to allay their fears arising from past cyberevents and recent geopolitical developments involving actors with malicious cybertools in their arsenals. The value of NATO’s acknowledgement of this principle is undeniable; it represents a statement of solidarity, deterrence and assurance long overdue.
NATO is expected to announce that Article 5 will not be implicated unless a cyberattack crosses the threshold of an armed attack, although the policy will likely not address the far more difficult question of whether a cyberattack must result in kinetic consequences in order to trigger the obligation of collective defense, where an attack against one NATO member is considered an attack against all.
NATO’s main focus appears to be on adoption of the principle, rather than on what the application of this principle may actually mean for the future of NATO in the cyber-realm. It is what states are actually willing to do in the event of a cyberattack triggering Article 5 that will make NATO’s adoption of this new cyberpolicy meaningful or not.
Invocation of Article 5 is not automatic. To invoke it will always be a political decision taken on a case-by-case basis. Once a consequential cyberattack occurs, allies must first consult and agree by consensus that this attack is considered serious enough to constitute an armed attack.
Deliberations on thresholds triggering Article 5 could prove particularly thorny, given the transatlantic divide in views on what consequences are necessary to constitute an armed attack.
For example, the United States may be willing to consider a lower threshold than its less eager European allies for whom only grave uses of force are considered an armed attack. A state’s view of this threshold may well depend on whether it is the victim of an attack or a member called upon to fulfill its collective-defense obligation.
Additionally, Article 5 does not define the nature of that commitment. The treaty allows a member state to take whatever action it deems appropriate to assist an attacked ally—it decides how it will respond in collective defense. A member state may interpret its obligation to respond expansively or in a far more limited manner. So by viewing its Article 5 obligation in a limited way, a member could determine that it is not required to respond with kinetic force to assist an attacked ally, even in cases of destructive cyberevents.
Given the capability, doctrinal and policy divide between NATO members in the cyberarena, an ally might limit its response to entirely nonkinetic measures, such as rerouting Internet traffic through its national network, monitoring networks for future attacks, crisis-management support or diplomatic statements on behalf of the attacked ally.
On the other hand, if NATO determines a cyberattack amounts to an armed attack and invokes Article 5, and undertakes responsive action against an aggressor, member states are not limited to cyber-responses alone; they may also choose to employ kinetic force in the collective defense of the attacked member state. Adoption of this cyberpolicy provides NATO states a wider range of potential options with which they may respond in cases of destructive cyberattacks. NATO allies may respond with cyber- or kinetic tools, or a combination of both, a fact that may help to ensure an Alliance-wide response.
Regardless of the political weight presently attributed to NATO’s expected policy statement, law and policy are inextricably intertwined in the interpretation of Article 5, and the subtleties of its real-world application may make it difficult for the organization to offer the assurances certain allies are seeking with respect to their defense against cyberattacks. As a result, the policy could fall far short of its intended goals.
NATO states could, however, decide to make adoption of its new cyberpolicy a true game changer, to ensure that it becomes a useful framework for addressing the rapidly changing security challenges posed in the cyber-realm.
NATO nations might begin this process by reexamining the threshold requirement for Article 5 application in response to cyberattacks. States could agree, for example, that although some cyberevents may well cause consequential kinetic results (and some of a truly horrific nature), in the cyberworld, requiring kinetic consequences in order to trigger application of the collective-defense requirement does not fully reflect the types of serious crises cyberattacks can trigger.