Article 5 of the NATO Charter says, “an attack on one, is an attack on all” and was designed to prompt a swift and unified response to any aggression on any member. However, does that include a cyberattack?
It’s a serious question, and one that could invoke serious consequences as such an attack by Russia is a very real possibility given the crisis in Ukraine.
Of course, when NATO was formed in 1949 and the Article 5 defense clause drafted, cyberattacks were not even a thing. However, the military alliance has for years now made it clear that a serious cyberattack could trigger the clause. But such a scenario has so far been largely hypothetical.
“Allies also recognize that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as an armed attack,” a NATO official who wished to remain anonymous told Reuters.
“We will not speculate on how serious a cyberattack would have to be in order to trigger a collective response. Any response could include diplomatic and economic sanctions, cyber measures, or even conventional forces, depending on the nature of the attack,” the official said.
Whether or not a cyberattack met the threshold of an attack large enough to trigger Article 5 was a “political decision for NATO Allies to make,” the official added.
Britain and the United States have warned of potential cyberattacks on Ukraine, which could have international consequences should, for example, malicious software designed to target networks in Ukraine start to spread elsewhere.
There has also been concern among cybersecurity experts that Russia could team up with some of the gangs and people who release malicious software, such as malware used to hold Colonial Pipeline to ransom in the United States last year.
US Senate Intelligence Committee Chairman Mark Warner said there were no clear guidelines on how NATO should respond, should such an attack take place.
“These are things that have been in hypothetical discussion for a decade, but because we’ve not come to any universal conclusion on what those standards should be, what level of attribution is needed, we’re kind of in a very grey area,” he told Reuters.
He posed the hypothetical case of a Russian cyberattack on Ukraine that impacts NATO member Poland, triggering power outages that result in hospital patients dying or knocking out traffic lights, causing fatal road accidents involving US troops deployed there.
“The West may have wanted strategic ambiguity in this area, and that may still be the right choice,” he added.
“But have we sufficiently made clear to the Russians the red lines on cyber or frankly to the NATO public, the American public, on red lines on cyber? I don’t think we’ve done that.”
Warner said he was “pleasantly surprised” a massive Russian cyberattack has not yet occurred. But he added that such an attack “becomes even more dangerous with Putin elevating the readiness of his nuclear weapons.”