NATO Article 5: A Cyber Attack on One is an Attack on All

NATO leaders gathered in Wales in early September to address a variety of security challenges, culminating on September 5th with the Wales Summit Declaration. It is no wonder that the summit of an alliance formed 65 years ago did not garner much media attention. With all of the current crises monopolizing the news cycle – the expanding powerbase of ISIS in Iraq and Syria, the Ebola outbreak in West Africa, and the tenuous ceasefire between Ukraine and Russia – little attention has been devoted to a potentially major policy shift within NATO that could have long-term global implications. For the first time, NATO has determined that cyber attacks can trigger collective defense. This shift is particularly important now since offensive cyber behavior is on the rise in Eastern Europe, and Georgia and Ukraine are still being considered for NATO expansion.

NATO’s influence and even existence have been questioned since the dissolution of the Soviet Union in 1991. With over a decade in Afghanistan, NATO largely shifted its focus to counterinsurgency capabilities, virtually rendering the collective defense aspect of NATO obsolete. NATO members have not prioritized the alliance, which currently boasts an old and decrepit infrastructure, as resources were devoted to Afghanistan and not Europe. Article 5 provides the bedrock of the alliance, explicating the notion of collective defense – an attack on one is an attack on all. As the below map demonstrates, over the last 50 years NATO collective defense has slowly crept toward the Russian borders, and now includes former Soviet states Estonia, Latvia, and Lithuania. This creeping expansion is often cited as inciting Russia to engage in a series of conflicts in Estonia, Georgia, and now Ukraine. Others also believe that Russian President Vladimir Putin and his megalomaniac infatuation with rebuilding the Russian empire fuel his expansionist appetite, including his wide use of the cyber domain to achieve political objectives. With the rising tensions and realpolitik emerging between Russia and several former Soviet states and satellites, NATO leaders have come to the realization that the modern international system now includes an entirely new domain that can’t be ignored – cyberspace.

Russia’s current adventures into Ukraine likely influence this timing, but the increased use of offensive cyber statecraft in Eastern Europe over the past several years has clearly crossed the tipping point such that policy is slowly catching up to the realities of international relations. The inclusion of cyber as a catalyst for collective defense brings to the forefront a series of technical and policy issues that must be parsed out in order to truly give this newest addition to Article 5 some teeth. On the policy front, the Wales Summit Declaration notes, “A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.” This extraordinarily vague criteria must be made more specific not only to assuage concerns of NATO’s Eastern European members, but also to signal externally what kind of cyber behavior may actually incur a kinetic response.

Signaling is just as important today as it was during the Cold War, and for policies to be taken seriously, there must be some sign of credible commitment on behalf of member states. The cyber domain is fraught with attribution issues, making the practical aspects of this even more challenging. The Russian group CyberVor has been linked to the theft of passwords and usernames, while a group dubbed DragonFly is possibly responsible for producing the malware Energetic Bear. Energetic Bear was created as a cyber-weapon, crafted to monitor energy usage and disrupt or destroy wind turbines, gas pipelines and powerplants. Energetic Bear, similar to other offensive cyber behavior in the region, exhibits characteristics that lead many to infer it is state sponsored, but proving that is extraordinarily difficult in cyberspace. It is important to note that Energetic Bear, unlike many more publicized examples of Russian state-sponsored cyber attacks, mainly targeted Western European countries. The notion of NATO collective defense against cyber is not solely an Eastern European problem.

All of this begs the question: Is it technically possible for NATO to create a cyber umbrella of collective defense around its members, just as the nuclear umbrella protected them during the Cold War? We’ll tackle this question in two additional blogs that address the technical difficulties associated with the cyber aspect of the Wales Summit Declaration. NATO’s inclusion of cyber attacks has long-term implications for the international system, signaling a return to major power politics and realpolitik. Instead of billiard balls crashing in an anarchic world system, we may now be moving to a world where power politics means binaries crashing in cyberspace.