When the North Atlantic Treaty Organization (NATO) was founded in 1949, the idea of cyberwarfare did not exist.
Thus when the NATO signatories agreed that “an armed attack against one or more of them in Europe or North America shall be considered an attack against them all” in the Treaty’s Article 5, they were thinking about tanks rolling and bombs dropping.
Warfare has become more sophisticated in subsequent decades. While the realm of cyberwarfare is largely shrouded in national security secrecy, there can be no doubt that most of the world’s largest and wealthiest countries have some kind of capability to attack an opponent’s Internet or other infrastructure.
One of the most famous incidents of a cyberattack was the Stuxnet worm, believed to have been developed by the United States and Israel’s and deployed to cripple Iran’s nuclear centrifuges. Similarly, in December 2015, Ukraine’s power grid experienced massive disruption from an external cyberattack, typically attributed to Russia’s annexation of Crimea the year before.
In recent years, many diplomats, officials and cybersecurity experts have argued that NATO’s Article 5 is outdated, and should be extended to include attacks that occur in cyberspace. In 2014, the heads of state and government of the North Atlantic Council declared that “international law, including international humanitarian law and the UN Charter, applies in cyberspace. Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability….We affirm therefore that cyber defence is part of NATO’s core task of collective defence. A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.”
This policy, however, has never been invoked and, as Russia’s invasion of Ukraine this week illustrates, could lead to very thorny situations for NATO members. If, for example, Russia were to carry out cyberattacks on Ukraine, that could easily spill over to neighboring Poland, which is a NATO member. In theory, that scenario would pit all of NATO against Russia.
William Banks, a law professor at Syracuse University, points out that there are at least two barriers to such a scenario occurring. One is that NATO lacks a universal definition of what, precisely, constitutes a cyberattack. “A sound approach is to look at effects,” Banks said in an interview. “If the effects of a cyberattack approach the effects of a kinetic attack, that crosses the threshold. Stuxnet is the easy case.”
A related barrier, Banks argued, is that the United States and its European allies do not agree on what kind of cyber warfare would constitute an “armed attack.” The United States, Banks said, is “an iconoclast by equating use of force with armed attack, whereas our NATO partners have a higher threshold.”
Nonetheless, some scholars maintain that having a clear set of guidelines for how NATO would handle cyberattacks could act as a deterrent. In a 2016 paper, Stephen Jackson of George Mason University argued that “by adopting a set standard before a major cyber attack is used against a NATO member, NATO may curtail these potential attacks by offering non-NATO members a clear set of rules.”
Sign up for FIN, weekly news and analysis from award-winning financial journalist and former EIC of Inc. Magazine, James Ledbetter.