The Secretary-General of NATO, Jens Stoltenberg, stated all 29 member countries would respond to a serious cyberattack against any of the nations in the coalition. The pressing question is will NATO work together with combined forces when one of the members is attacked in an asymmetrical manner with digital technology?
When it comes to cyberattacks, there are many grey-zones that could be manipulated in ever-increasing escalations of warfare. NATO’s Article 5 in the founding charter is known as the “collective defence” commitment which states that an attack on one shall be considered an attack on all. Historically, it has a high threshold. The first time the criteria was met was the 9/11 terrorist attacks of 2001 against the United States.
There is a lot of ambiguity in the shadows of bits and bytes. Does shutting down the banking system or mercantile logistics count as an Article 5 attack? Would significant and prolonged communications and internet disruption count? What if the power was shut off by another nation-state and it caused harm to people? How about disrupting the transportation networks or other critical infrastructure? Such attacks can be localized or nationwide, can cause annoyances or lives to be lost, and could undermine the trust and control of a representative government. There are currently no thresholds of what should be considered to reach the level of an ‘attack’ by another nation.
Identifying the aggressor is another significant problem. The requirements to determine attribution or accountability for the source of any digital attack is highly subjective. It is easy to attribute the origin of tanks, planes, ships, and advancing soldiers to another country. Tracking malicious packets, origins of destructive code, and owners of crypto accounts is not simple. In the electronic world, it is easy to mislead, masquerade, conceal, or implicate others. The question becomes if an attack was merely criminals or if it was sponsored/coordinated by the government of another nation-state, which is extremely difficult.
All the variables and hidden truths must be uncovered before discussion about equitable response options can be explored. The first fundamental order-of-business will be to determine if collective reactions are limited to the digital domain or if physical attacks can also be part of the joint reaction.
The first fundamental order-of-business in which NATO needs to determine is if the collective reactions are only limited to the digital domain or if physical attacks are permitted. This decision must be clearly understood as it may have even greater ramifications if it leads to an escalation of conventional or nuclear warfare.
Presently there are too many unanswered questions, unknown factors, and doubt. This results in an ineffective policy position.
It is time for NATO to codify the criteria, validation requirements, and allowable responses. Only then can cross-nation training and coordination begin in earnest. There is so much to be done. Until then, Article 5 for cyber attacks is just an idle threat of solidarity. It will take tremendous teamwork to make this a clear and effective deterrent for the NATO coalition.