Sarah Wiedemar
Cyber Defense Researcher
Center for Security Studies (CSS), ETH
Zurich, Switzerland
On February 25, only one day after Russia's invasion of Ukraine, NATO Secretary General Jens Stoltenberg underscored NATO's commitment to collective defense in cyberspace. A cyberattack against one or more member states can lead to the invocation of Article 5, the cornerstone of the North Atlantic Treaty. Yet, he clarified that NATO would not weaken its position by giving a potential adversary the privilege of defining its red lines and response measures in cyberspace. Instead, the invocation of the right to individual or collective self-defense enshrined in Article 51 of the United Nations Charter would depend on a case-by-case assessment whether the cyberattack in question crosses the threshold of an "armed attack".
Cyber defense has been on NATO’s political agenda since 2002, but it was not until the unprecedented Distributed Denial of Service campaign against its member state Estonia in 2007 that the Alliance was confronted with the potential impact of cyberattacks on national security. For 22 days, Russian hacktivists targeted Estonia's public and private networks, including its e-government system, banks, and media outlets. This politically motivated cyber campaign was sparked by the Estonian government's decision to relocate the "Bronze Soldier of Tallinn," a World War II statue, from the city center. The Estonian request for assistance in the wake of the cyberattacks was a wake-up call for the Alliance. For the first time, discussions were held regarding the extension of Article 5 to cyberspace. This deliberation turned into action at the NATO Summit in Wales in 2014, when member states declared cyber defense to be part of NATO's core task of collective defense. The Allies recognize that cyberattacks can reach a threshold that threatens the prosperity, security, and stability of the Euro-Atlantic region. Two years later, at the NATO Warsaw Summit, the Alliance strengthened this commitment by designating cyberspace as a new operational combat area alongside air, land, and naval warfare. In 2021, NATO went a step further. The Brussels Summit Communiqué 2021 acknowledged that the impact of cumulative cyber activities might, under certain circumstances, amount to an armed attack. This shift came after a series of ransomware activities that affected nearly all critical infrastructure sectors in the United States and other NATO member states and indicates the growing awareness of how damaging cumulative cyber activities can be.
In the past, malicious cyber campaigns targeting or affecting NATO members have not triggered major public discussions on Article 5, with one exception. In July and September 2022, NATO member Albania was the target of an unprecedented malicious cyber campaign on its state and private networks. Investigators traced the destructive activities to four different advanced persistent threat (APT) actors linked to the Iranian government. The APTs aimed at the exfiltration, encryption, and destruction of data to maximize the disruptive effect. In parallel, the attackers carried out an information campaign that aimed at discrediting the Albanian government and the Iranian opposition group based in Albania. The offensive cyber operation took Albania by surprise and impacted daily life as it rendered government websites and public services unavailable. Albanian Prime Minister Edi Rama compared the assaults with the bombing of a country. In the wake of the attacks, the Albanian government considered invoking Article 5. While the Albania’s Prime Minister refrained from doing so, the incident spurred the discussion on Article 5 in cyberspace amid rising geopolitical tensions. Will a cyberattack ever be significant enough to trigger a full-scale NATO collective defense response? And if so, what measures would NATO take in response?
In practice, cyberspace involves an additional layer of complexity that exacerbates NATO's strategic ambiguity with respect to Article 5. Determining the threshold for an armed attack in cyberspace and a proportionate response measure is less straightforward compared to a kinetic attack, especially since cumulative malicious cyber activities are included in the Alliance’s assessment. Further, the ambiguity remains whether the attribution of cyberattacks to a state would reach the level of certainty to justify a political or even military response. Above all, the Alliance must find the necessary consensus within the North Atlantic Council to invoke Article 5.
Cyberspace continues to be a realm in which the threshold of Article 5 can be exploited, as attacks in cyberspace offer the possibility of deniability and often remain below the threshold of an armed attack. With Russia's invasion of Ukraine on 24 February 2022, NATO members are more exposed than ever to cyber threats. Therefore, it remains an open question whether, and under what circumstances, NATO would be willing to set a precedent and trigger Article 5 in response to malicious cyber operations.