Ever since its formation in early 1949, the North Atlantic Treaty Organization (NATO) has been an important cornerstone of the national security strategy of the United States. This military alliance, once founded to counter the Soviet threat during the Cold War, constitutes a system of collective self-defense. All twenty-eight member states agree to mutual defense in response to an attack by any external party. This fundamental principle of collective security is formalized in Article 5 of the North Atlantic Treaty. However, threats to our security are increasingly becoming more diverse. The potential of cyber warfare is challenging the principles in Article 5.
According to NATO Secretary-General Jens Stoltenberg, “cyber is now a central part of virtually all crisis and conflicts”. In the 2014 Wales Summit Declaration the alliance especially focused on invoking Article 5 in case of a cyber-attack: “A decision as to when a cyber-attack would lead to the invocation of Article 5 would be taken by the North Atlantic council on a case-by-case basis” (ibid.). Apart from this rather indefinite statement, a comprehensive cyber doctrine concerning Article 5 is lacking.
Cyber-attacks by politically and criminally motivated actors top the list of security threats facing the United States. National intelligence director James Clapper testified before Congress that “Cyber threats to the US national and economic security are increasing in frequency, scale, sophistication and severity of impact”. The United States should take the lead right now. It is time to rethink Article 5.
First, the Alliance should consider reformulating Article 5 of the Treaty. Currently the article only speaks of ‘an armed attack’ against one or more of the members. Cyber-attacks do not necessarily ‘fit the picture’ of conventional, armed attacks. Therefore the definition should be changed. Collective self-defense mainly functions as a deterrent against potential adversaries. To maximize the impact of the deterrent, its underlying doctrine should leave no room for guessing. It should specifically include cyber-attacks.
Second, the Alliance should come up with a clear doctrine on what constitutes an attack that would qualify the invocation of Article 5, and what would be an accepted retaliatory action. Although this is important concerning conventional attacks as well, it becomes even more pressing for cyber-attacks. Everyone understands it is unacceptable to bomb a country as a reaction to petty cybercrime, but what if an actor succeeds in shutting down important parts of the economy of a country – for example the New York Stock Exchange? An option could be to openly formulate clear redlines to maximize the deterrent. Some however say that a dose of strategic ambiguity is more important, arguing that formulating clear redlines would invite potential adversaries to push up to the red line. In this case developing the doctrine is still important, but would then be for internal use only.
Third, the Alliance should further focus on information sharing and mutual assistance concerning the cyber domain. Putting cyber on top of the agenda will give a clear signal to all NATO members, especially those who are lagging behind. It is time to not only invest in our conventional capabilities; we have to start improving our cyber capabilities as well.
Whereas Article 5 mainly relies on deterring potential adversaries, it is important to understand the notion of deterrence in the cyber field. In the conventional field, deterrence is pretty straightforward: you just count the numbers of soldiers, rockets, tanks, fighter jets etc. In the cyber field this is more difficult; how do you actively show what you are capable of, without giving away strengths and weaknesses? That is why the three aforementioned steps are important: it makes clear NATO takes cyber threats seriously and will not hesitate to act.
Only when the Alliance collectively pursues an active cyber policy, they will be able to successfully prepare themselves for cyber threats to their national security. The idea of collective self-defense will only survive as long as it proves to be successful in defending its members against all possible threats. Cyber-attacks will be among the biggest challenges of the next decades. Let us make sure we are prepared.