As the North Atlantic Treaty Organization completes its new Strategic Concept, it should be resist expanding its guarantee of automatic response to include cyber and other unconventional attacks. Otherwise, it may fracture the alliance while, perversely, decreasing security against said actions.
In a February speech to the Atlantic Council, Secretary of State Hillary Clinton strongly suggested that attacks on allied cyber and energy infrastructures should be reconsidered attacks under Article 5 of the NATO Charter, declaring that “in the 21st century, the spirit of collective defense must also include non-traditional threats.” Under questioning, she added, “we have to be willing to get behind the new challenges that are posed to member states and be ready and willing and able to create not just a new strategic concept but the operational abilities to provide that collective defense.”
Last month, the Group of Experts, led by Clinton’s predecessor, Madeleine Albright, issued report concluding that “cyber assaults of varying degrees of severity” are among the three “most probable threats to Allies in the coming decade,” while the threat of conventional military attack was “slight.” Therefore, they concluded, NATO must rethink “its conception of what constitutes an Article 5 attack.”
The Group was cautious:
The next significant attack on the Alliance may well come down a fibre optic cable. Already, cyber attacks against NATO systems occur frequently, but most often below the threshold of political concern. However, the risk of a large-scale attack on NATO’s command and control systems or energy grids could readily warrant consultations under Article 4 and could possibly lead to collective defence measures under Article 5.
This, and other qualifiers in the report, indicate that the group isn’t suggesting that any cyber attack would be grounds for collective retaliatory action, merely that it’s conceivable a particular attack might.
That seems reasonable enough and is certainly a matter that deserves discussion within NATO. Indeed, I have it on good authority, it’s in fact being discussed frequently. But, while it makes sense for the allies to draw up contingency plans and reinforce their cooperation and capabilities in this burgeoning arena, we should stop short of formally declaring what precise set of circumstances would allow Article 5 to be invoked.
First, doing so would put the members in a bind. A cyber attack might technically meet the theoretical definition put forth in advance without the actual circumstances generating consensus for any number of reasons. Perhaps the aggrieved party will be perceived to have provoked the attack by belligerence—belligerence that would actually be encouraged by an a priori declaration of support.
Or perhaps the risks of retaliation simply outweigh the damage done by the attack because of complicating circumstances. This is hardly unthinkable given that the most probable nation-state aggressors are Russia and China.
Regardless, the allies would then be forced to choose between the credibility of NATO and their own short-term interests. It’s an untenable position far more likely to harm the alliance and its members than to ward off the cyber threat.
Second, there’s tremendous value in strategic ambiguity. This was commonly understood during the Cold War, when the United States refused to declare that it would not engage in first use of nuclear weapons. While our leaders almost certainly had no intention of launching a first strike, they knew that declaring this formally would make a conventional attack—which could be expected to escalate to a nuclear war—more likely.
In the cyber case, drawing a bright line for potential adversaries virtually invites actions just short of casus belli. By instead simply declaring that there may be circumstances in which NATO will consider a cyber attack on one of its members an attack on all—but not spelling out what those circumstances may be—those contemplating such an attack will have an additional risk factor to deter them.
The North Atlantic Council should simply come to an understanding that the charter’s 1947 language requiring an “armed attack” to invoke collective defense is dated and that flexibility is needed for emerging threats. Plus, they should agree to increase cooperation in this arena and streamline the process by which consultation under Article 4 can take place.
James Joyner is managing editor of the Atlantic Council. This essay originally appeared in The National Interest as "NATO’s Cyber Threat."