NATO needs to get serious about the potential for cyber conflict. That means formulating a clearly defined policy and deciding upon an appropriate response.
Fortunately, the North Atlantic Treaty Organization has taken the first step by announcing its intention to include cyber attacks in its Washington Treaty, the accord reached in August 1949 to form the alliance. Jamie Shea, the official in charge of emerging security threats, says NATO will “explicitly state that the cyber realm is covered by Article 5.”
This section of the treaty is the cornerstone of the alliance. It declares that an armed attack against one member nation is an armed attack against all, thereby justifying collective defense. The clause has only been invoked once: On Sept. 12, 2001, in defense of the United States after the 9/11 attacks.
Cyberspace has rapidly emerged as an attractive alternative for nations to pursue military objectives. The domain’s inherent anonymity offers opportunities that the physical world renders militarily and politically infeasible. NATO countries face significant cyber threats from many nations, notably Russia.
But recognizing cyberspace sabotage as an act of war is only halfway to a coherent policy. Shea continues, “We don’t say exactly which circumstances or what the threshold of the attack has to be to trigger a collective NATO response and we don’t say what the collective NATO response should be.” This attitude of “we’ll know it when we see it,” however, is not a strategy.
NATO’s objective should be to deter all aggression in cyberspace. A carefully worded clause in the treaty should be able to do that. It should define exactly what constitutes cyber aggression, and how NATO members, individually or collectively, will respond.
But as Thomas Rid of King’s College London rightly argues, cyber deterrence “needs to be practiced, not just announced.” In the absence of clearly articulated thresholds, it’s difficult to conduct war games against cyber attacks. Until the international community collectively signals the point at which an assault by ones and zeroes is considered an armed attack, nations will continue their rogue behavior in cyberspace.
It comes as no surprise that NATO is reluctant to draw red lines. Once a line is crossed, the alliance would be compelled to respond. But NATO should welcome the opportunity to set forth a policy. We’ve already witnessed significant cyber aggression dating to 2007, when Russia virtually bombarded Estonian government and private-sector websites over the relocation of a Soviet-era memorial in the capital city of Tallinn. Other NATO nations are bound to face serious cyber attacks, and a strong policy now will send a clear message to would-be aggressors.
A logical starting point for an Article 5 response would be cyber attacks that threaten loss of life or cause physical damage to infrastructure. These effects should be considered cumulatively over time and not just case by case.
Additionally, it is vital that NATO policy makers consider whether to invoke Article 5 after cyber attacks that are physically harmless but cause severe economic damage.For example, an adversary nation could wreak far more havoc by surreptitiously altering algorithms that control securities trading than if its cyber attack destroyed a few stock exchange computers.
As cyberspace threats evolve and international norms take shape, NATO will need to revisit its policy and refine its threat definitions. But setting the bar high initially would send an unambiguous message that NATO is ready to act against cyber attacks. That is more likely to deter an adversary than would a vague statement of policy.
Deciding on responses to an Article 5 attack is harder than defining thresholds. A response need not be confined to the cyber world, however, as long as it is proportionate to the attack. NATO should adopt the idea, championed by the United States, that attacks via cyberspace can be countered with physical retaliation from land, sea, and air forces.
The NATO summit in Wales next month is the right place to adopt a coherent policy on cyber attacks. The aftermath of a serious cyber strike is not the moment to begin the debate.James G. Stavridis is the dean of the Fletcher School of Law and Diplomacy at Tufts and the former supreme allied commander at NATO. Dave Weinstein is former strategic planner at US Cyber Command.