The Cyber Dimension of NATO's Article 5

By THO Team Member, Alyssa Kuraishi

During the most recent NATO summit, in July 2021, Allies discussed the rising challenge posed by China, as well as the continued threat from Russia. Within this context, NATO made a decision at the summit to redefine the definition of Article 5 of the Washington Treaty to make it more easily triggered by cyberattacks. In the context of increasing cyberattacks by Russia, China and other adversaries, this indicates NATO’s view of cyberattacks as a growing danger and its willingness to respond. 

Article 5 represents the principle of collective defense, defining “an attack against one Ally… as an attack against all Allies.” Originally, an attack was defined as one against an Ally’s territory or forces, and assistance was deemed as whatever the assisting Allies deemed necessary. Article 5 was intended to counter the risk of the Soviet Union expanding towards Western Europe but was first invoked after the 9/11 attacks, and collective defense measures have been put in place after Russia’s annexation of Crimea and in response to ISIL attacks, among others. 

Recent cyberattacks have increased in both severity and frequency, including attacks on the Colonial Pipeline, Kaseya, the Republican National Committee, and the Scottish National Health Service. They have given impetus to the West’s need to prepare a response, especially since many of the severe attacks seem to come from adversaries like Russia and China or from groups within those countries that are unhindered by authorities.

The NATO 2021 Summit in Brussels offered NATO allies the perfect opportunity to formulate a collective response in the context of its new NATO 2030 initiative, meant to strengthen the alliance. Former President Trump previously refused to support Article 5 explicitly given many Allies’ failure to meet their spending targets for NATO. In contrast, Biden called Article 5 a ‘sacred obligation.’ Additionally, the final communique of the summit raised attention for referring to China as a ‘challenge’ when it had been barely mentioned in previous communiques. It also listed Russia as a threat, describing various forms of Rusisan aggression. The existence of common threats and Biden’s explicit support for NATO created the conditions for the Alliance to unify their defense policy. 

Given that multiple recent cyberattacks seem to have originated from Russia and China, it was unsurprising that NATO would respond in some way. However, it was surprising that NATO went to the extent of expanding the definition of an ‘armed attack’ as would trigger Article 5. Cyberattacks have been included in Article 5 previously, but was only in the case that a singular cyberattack was as destructive as a kinetic attack. In the new communique, the definition has expanded so that multiple cyberattacks can constitute an armed attack. 

In the short-term, this hopefully indicates that NATO will pay more attention to potential cyberattacks and the impact they could have. Russia and China will likely be the primary states at the focus of NATO’s attention, given Russia’s alleged enabling of cybercriminals in its territory and China’s alleged state-sponsored attacks.2 NATO will also accelerate its cyber-defense capabilities within its ‘deterrence and defense’ posture. Its Cyber Defense Policy outlines NATO’s plan to support deterrence and defense as well as enhance resilience by increasing preparedness for hybrid threats, improving cyber defenses and focusing on ‘Emerging and Disruptive Technologies.’

NATO’s renewed attention on cybersecurity, exemplified by its expanded definition of Article 5, leaves questions that are yet to be answered. In terms of the criteria for an ‘armed attack,’ would the attacks have to be from the same actor, and how many attacks on what kind of targets would trigger an attack? For example, would a series of uncoordinated attacks by different actors on a variety of targets trigger a response? Would coordinated attacks on multiple Allies by a non-state actor trigger a response? Additionally, it is unclear what kind of response would be triggered given that the response is technically up to each ally to respond. The communique declares that the response need not be limited to cyber, suggesting that a cyber, hybrid, or solely armed response could be possible. This question is similar to the debate playing out in the United States about how to respond to the recent cyberattacks mentioned earlier. 

Most importantly, NATO’s new focus on cybersecurity, coupled with its explicit mentions of the threat from Russia and China, will undoubtedly have an impact on Alliance relations with those two countries. Biden, among other state leaders, have placed the blame for the Colonial Pipeline hack, among others, on Russia for enabling cybercriminal groups, and the blame on China for another recent hack of Microsoft servers. Whether Russia and China will pull back from cyberattacks or double down and continue remains to be seen.