ALGORITHMIC WARFARE CYBER
NATO Ponders Using Article Five for Cyber Attacks
The North Atlantic Treaty Organization in July announced its endorsement of a “new concept” for cyber defense to counter a rise in threats to member nations and the alliance as a whole.
Threat actors are increasingly seeking “to destabilize the alliance by employing malicious cyber activities and campaigns,” according to a NATO communiqué issued during the organization’s recent summit in Vilnius, Lithuania. “We are countering the substantial, continuous and increasing cyber threats, including to our democratic systems and our critical infrastructure, as well as where they are part of hybrid campaigns,” the release said.
In response to these threats, the new security measures will “enhance the contribution of cyber defence to our overall deterrence and defence posture,” the release said. The concept “will further integrate NATO’s three cyber defence levels — political, military and technical — ensuring civil-military cooperation at all times through peacetime, crisis and conflict, as well as engagement with the private sector, as appropriate.”
Marta Kepe, a senior defense analyst at the RAND Corp., said the concept represents the next step in NATO’s gradual buildup of its cybersecurity capabilities since the organization recognized cyberspace as a domain of operations in 2016.
NATO is seeking to give itself and “its member states more tools or instruments that they can use in case they are needed” to deter or defend and mitigate against cyber attacks, Kepe said in an interview.
While the concept itself is classified, it is clear “NATO is trying to find a way how it could shape the cyber environment better,” similar to how it tries to shape other operational environments like the land or air domains, she said.
“NATO is moving towards having a bigger role, doing more in terms of building resilience [through] peacetime activities, but also building response capabilities,” she said. “So, response, mitigation, helping member states that have been affected by cyber attacks to recover.”
Kepe said much of the activity for building resilience has fallen under NATO’s 2016 Cyber Defence Pledge. The communiqué from Vilnius said the organization is enhancing the pledge, along with committing “to ambitious new national goals to further strengthen our national cyber defences as a matter of priority, including critical infrastructures.”
To counter active threats, NATO has introduced its Virtual Cyber Incident Support Capability to boost “national mitigation efforts in response to significant malicious cyber activities,” the release said.
Announced during NATO’s summit in Madrid last June, the capability was “piloted” during the Vilnius summit with 11 countries participating, Kepe said. The United States and the United Kingdom were not among the participants in the pilot program, she added.
The capability is a “voluntary mechanism, where a member state — and only member states — can reach out and ask for assistance … in case they are having a cyber attack, and they can ask for assistance without invoking Article Five” of the Washington Treaty, which requires all NATO member states to provide assistance if one of the members is the victim of an armed attack, Kepe said.
She described the capability as an additional tool in NATO’s cybersecurity toolbox that “member states can use if there’s a cyber attack that nationally they’re maybe not able to deal with very effectively.”
An example of such an attack was when Iranian state cyber actors targeted Albania last year, she said. In July 2022, the state actors “launched a destructive cyber attack against the government of Albania which rendered websites and services unavailable,” followed by another wave of attacks that September, according to a joint cybersecurity advisory released by the FBI and the Cybersecurity and Infrastructure Security Agency.
Following the attacks, Prime Minister of Albania Edi Rama said in an interview with Politico that he considered invoking Article Five. Albania did not do so, but the incident is “just one example where … a country may be overwhelmed or may be seeking the assistance of other countries when it needs to mitigate cyber attacks,” Kepe said.
In the release from Vilnius, NATO said: “A single or cumulative set of malicious cyber activities could reach the level of armed attack and could lead the North Atlantic Council to invoke Article Five of the Washington Treaty, on a case-by-case basis.”
While Kepe said it’s difficult to pinpoint exactly what it would take for Article Five to be invoked based on a cyber attack, it is “telling” that NATO noted a cumulative set of activities could reach that level “when you think about potential scenarios.”
“I think probably the effects of these cyber attacks are specifically important” to the potential application of Article Five, she said. Other factors will include how easy it is to attribute the attacks to someone, and “what the affected countries and what the alliance also thinks would be the best mitigation response,” she added.
The organization announced it will be holding its “first comprehensive NATO Cyber Defence Conference in Berlin this November, bringing together decision-makers across the political, military and technical levels.” The conference could be a window into learning more about the new cyber defense concept and how “NATO as an organization looks at cooperating with the civilian sector,” from large cyber-based companies to medium and small businesses, Kepe said.
“Based on some of the statements from NATO officials, I would expect that there will be more structured and targeted cooperation specifically between NATO as such and key civilian actors in cyberspace,” she said.
“We’re talking about large companies like Microsoft, for example, or any other players, and I would expect that there will be perhaps more structured cooperation,” similar to how NATO has revamped its partnership with the defense industrial base, she said.