Facing an adversary that does not shy away from including cyber tools in its playbook, the time has come for NATO to substitute strategic ambiguity for clarity in formulating how the collective defense pledge plays out in times of cyber threats.
Russian aggression against Ukraine is taking place in cyberspace as well as on the ground. Ukrainian government sites have been attacked. In March, several NATO public sites were brought down by suspected Russian hackers as well. NATO’s Baltic members are nervous that they are the next on Moscow’s offensive line. . . .
Conceived long before the cyber domain made its way to statecraft, NATO’s Article 5 encompasses the concept of collective defense.
Central to NATO’s purpose, the provisions in Article 5 are based on the premise that an armed attack against one constitutes an attack against all the other Allies. The Article embodies a pledge to assist the attacked country in defending itself and restoring peace and security. The decision to invoke Article 5 is taken on case by case basis by Allied nations by political consensus.
NATO’s use of Article 5 following 9/11 attacks proved its functionally beyond its traditional interpretation. To activate Article 5, the attack does not have to be “armed” — in kinetic sense — with arms. In case of a serious cyberattack that results in casualties, NATO and the Allies can be called to invoke Article 5. Such attacks would include a cyberattack on the air traffic control system of a member state resulting in casualties and property damage from a plane crash or a cyberattack on critical infrastructure that results in mass casualties and destruction. . . .
NATO must move past its current cyber defense policy and provide operational capabilities to defend itself and its allies by collective preemptive and retaliatory actions. . . .
The United States and some of the other member states already have offensive cyber capabilities. The sharing of capabilities and best practices would help bridging the capability gap of Allies.
Klara Tothova Jordan is Assistant Director of the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center on International Security.