President Joe Biden has issued grave warnings that Russia might launch a cyberattack against the United States in retaliation for the punishing sanctions levied after Moscow’s invasion of Ukraine. He’s advised American companies to “accelerate efforts to lock their digital doors,” and many officials expect an attack against critical US infrastructure to be inevitable.
One way Biden and other Western leaders are attempting to deter potential Russian cyber retaliation during the Ukraine crisis is through NATO’s Article 5 collective defense pledge — that an attack on one is an attack against all. That’s because since the 2014 NATO summit in Wales (which, coincidentally, took place following another Russia-Ukraine crisis), the alliance has affirmed that Article 5 extends to cyberspace. In other words, a cyberattack against any NATO member could conceivably represent an attack against the entire alliance. The pledge is the embodiment of the allies’ security guarantee to each other and the beating heart of NATO.
After Russia invaded Ukraine, NATO Secretary General Jens Stoltenberg confirmed that NATO policy on collective defense and cyberspace holds strong, noting that NATO has “decided to make clear that a cyberattack can trigger Article 5.” And following an extraordinary meeting of heads of state and government on March 24, the alliance reinforced that it is “ready to impose costs on those who harm us in cyberspace.”
But despite this rhetoric, exactly how and when Article 5 applies to cyberspace remains unclear. This ambiguity is a problem — with potentially disastrous consequences. Staking the credibility of Article 5 to what are often murky activities in cyberspace threatens to generalize the principle of collective defense. We can’t risk fracturing the transatlantic alliance at a critical juncture in its history over a debate on what constitutes a major or minor cyberattack. For that reason, NATO should move quickly to clarify its policy on cyberattacks and explicitly state the threshold for what would trigger an Article 5 response. Furthermore, NATO members should commit to treating cyberattacks that do not rise to the level of a major attack as a national matter — not one for the alliance.
Such a shift might face some initial resistance, particularly in light of the Kremlin’s history of malicious cyber activities. One of the first state-initiated cyberattacks was perpetrated by Russia against Estonia, a NATO member, in 2007. In the intervening years, Moscow’s malicious cyber activities have included the SolarWinds breach uncovered in December 2020, in which Russia gained access to a treasure trove of US data. Russian President Vladimir Putin’s maneuvers against NATO members, along with the annexation of Crimea in 2014, spurred the alliance to adopt a Cyber Defense Pledge in 2016 that recognized cyberspace as a military domain. Two years later, NATO created a Cyberspace Operations Center in Mons, Belgium, to improve situational awareness and coordinate cyber operations. Since then, the alliance has consistently reaffirmed the application of Article 5 to cyberspace. At the 2021 summit in Brussels, NATO committed to a new Comprehensive Cyber Defense Policy, with allies agreeing to employ the “full range of capabilities” at all times to “deter, defend against, and counter the full spectrum of cyber threats.”
Notably, NATO refined its language with last summer’s summit communique to account for the fact that some cyber incidents may not be individually determined, but nevertheless significant when viewed in the aggregate. Specifically, the allies recognized “the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.” In practice, however, NATO leaders have avoided clarifying the conditions under which a cyberattack would trigger Article 5 and how NATO would respond. When pressed about Russian cyberattacks in the Ukraine context, Stoltenberg cautioned that, “we have never gone into the position where we give a potential adversary the privilege of defining exactly when we trigger Article 5.”
This equivocation is not surprising, for several reasons. The nature of cyberspace often confounds unequivocal deterrence declarations. States tend to operate in cyberspace with plausible deniability, which can make it difficult to rapidly ascertain responsibility for cyber incidents. Also, it can be challenging to understand the intent behind observed cyber behavior, and there is often a substantial time lag between when an initial penetration of a network occurs and when the target even realizes the breach. And the vast majority of cyber operations cause virtual, not physical, damage, complicating efforts to assess and evaluate the implications of the costs inflicted. Moreover, it can take time to develop and identify a way to infiltrate a network as well as the computer code that takes advantage of a vulnerability for malicious ends. This means states may lack a palatable cyber response option for retaliatory purposes at the desired time.
This creates a slew of practical problems if Article 5 were to be invoked for a cyberattack. From an implementation perspective, it would trigger deliberations within the North Atlantic Council, NATO’s primary decision-making body. Decisions made within the NAC require unanimity, which can be difficult to achieve for many issues but is especially burdensome for cyber ones, given all of the ambiguities outlined above. The most likely outcome of this process would be a long, drawn-out deliberation resulting in an alliance unable to agree on how or whether to respond. Quite simply, some allies are unlikely to want to risk World War III for a cyberattack that disrupts the financial infrastructure, for instance, of another country but doesn’t lead to loss of life or sustained damage.
These challenges have major strategic implications for NATO. After years of publicly and repeatedly linking Article 5 to cyberspace and reinforcing that policy in response to the Ukraine conflict, a failure to achieve consensus and respond to a Russian cyberattack against a NATO member could imperil Article 5 in other areas. The disunity that is likely to be revealed during NAC deliberations would then undermine the broader political cohesion that has, for the most part, been remarkably strong throughout the war in Ukraine. This would make it more difficult for the alliance to respond to other forms of Russian behavior. As Biden emphasized at a press conference last month, “the single-most important thing is for us to stay unified … We have to stay fully, totally, thoroughly unified.”
NATO has achieved some strategic ambiguity with its current cyber policy, which may help to deter high-stakes Russian assaults during the present crisis. However, rather than an all-out Russian cyberattack, a far more plausible scenario is a lower-level attack carried out by the Russian government or a proxy group against one or more allies. In this case, the alliance’s interests — not to mention transatlantic security — would be better served by adopting nationally tailored responses rather than pulling the Article 5 lever. Additionally, to prevent further escalation and reinforce the implicit firebreak that currently exists between cyber and conventional military operations, NATO allies should also agree to restrict any retaliatory response against Moscow to the cyber realm or non-military instruments of power.
With little chance of improved NATO-Russian relations any time soon, time is of the essence to get this right. The allies should begin the hard political legwork now to ensure members get on the same page before NATO’s June summit, if not sooner. Achieving consensus on significant cyber issues has previously taken time. NATO’s attribution of the Microsoft Exchange hack last summer to China was an important step for the alliance and sent a strong signal to our adversaries. But it took months to reach agreement on the statement; the hack was uncovered in March 2021 and the NATO statement was not made public until July. In the current crisis, the alliance will not have the luxury of waiting four (or more) months to agree on a response. To avoid incurring costs to NATO’s credibility and its deterrent powers, the allies should refine their cyber policy, now.