NATO is now taking cyber threats as seriously as the Russian tanks and nuclear weapons it was created to deter. But the alliance has a long way to go just to shore up its own network defenses, and it explicitly eschews any role on the offense. NATO has not even written a formal policy on how it would deter a cyber attack. The net result is a certain degree of strategic ambiguity — but then NATO has survived and even thrived on ambiguity for decades.
The crucial development: September’s NATO summit declaration that the alliance’s hallowed Article 5 — which says an attack on one member is an attack against all — applies equally to virtual attacks as to physical ones.
“[In] linking cyber defense to collective defense and Article 5, the declaration says that cyber attacks…could be as harmful to modern society as conventional attack,” said Amb. Sorin Ducaru, NATO’s assistant secretary general for “emerging security challenges.”
That said, the Romanian diplomat emphasized at an Atlantic Council panel this week, “there’s no predetermined threshold,” no defined “red line” beyond which a cyber attack counts as an act of war. But then NATO never defined an automatic trigger for conventional or nuclear conflict either, even during the height of the Cold War. Article 5 only commits a NATO member to “assist” allies under attack by “such actions as it deems necessary, including the use of armed force” — which leaves vast amounts of wiggle room.
There was always doubt whether the United States would really risk nuclear escalation against its homeland to defend West Germany, and, for that matter, whether West Germany would stick with the alliance once wartime commanders started using tactical nuclear weapons on its soil to slow the Soviet horde. Yet despite these uncertainties, the Soviets were ultimately still deterred.
So when it came to cyber, Ducaru said, “there was a conscious decision by the allies in this policy that there is benefit in keeping flexibility and ambiguity.”
“Article 5 was by design something that should be invoked politically by [member] nations in a specific context, on a case by case basis,” Ducaru said. “Article 5 was never designed to be triggered by a certain threshold. [In fact,] the only time it was invoked was after 9/11, which was a scenario that had never been contemplated by the founding partners.
Despite that one area of (arguably inevitable) strategic ambiguity, the NATO summit made the situation in cyberspace much clearer, argued Christopher Painter, the State Department’s cyber coordinator. Beyond Article 5, “the NATO leaders’ declaration [stated] that international law including the UN Charter, the Law of Armed Conflict, international humanitarian law, etc. applies in cyberspace just like it does in the physical world,” Painter said at the Atlantic Council event. “This is a clear statement that this is not a lawless space — [and] there was some doubt before. There was some thought you had different rules entirely for the cyber world than the physical world, which made no sense and in fact would be very destabilizing.”