Cyberattacks Can Invoke NATO Defence Clause

The ability to communicate in real-time with friends, family, and random internet strangers thousands of miles away falls nothing short of spectacular. Every rose has its thorn, and every computer system can be a victim of a cyberattack. In a world ever-connected, “Everything is reliant in some form on digital capabilities,” said Michael Daniel, CEO of the Cyber Threat Alliance and a former cybersecurity official during the Obama administration. This means there are many “different avenues to create disruptions… for the West.”

Amidst the war in Ukraine, concerns over cyberattacks across the globe threaten the security of countries and alliances. A cyberattack on any NATO member state would trigger Article 5, the collective defense clause, which says that an act of war against any member will trigger a response from the full alliance. No lines have been marked as to where cyberaggression falls in the spectrum of “acts of war,” but a NATO official said last week that the allies might consider significant malicious cumulative cyber activities as an armed attack.

United States Senate Intelligence Committee Chairman Mark Warner posed a hypothetical case in which they and other NATO allies would have to retaliate against Russian cyber warfare. If a Russian cyberattack on Ukraine impacts Poland, a NATO member, and the attack triggers power outages that result in hospital patients dying or knocking out traffic lights that cause fatal road accidents involving U.S. troops, then NATO would have to intervene. 

Most officials agree that the chances of a Russian cyberattack, either directly or indirectly against the U.S., are very low due to the exponentially escalating nature of doing so. The U.S. and Western Europe have already taken severe unprecedented financial measures against Russia by cutting the country off from roughly $600 billion in reserves held by the Central Bank of Russia, according to a Reuters article. NATO members also banned Russian state banks from using a bank messaging system to conduct international transactions. Despite all of the sanctions and financial misery the U.S. and Europe have imposed on Russia, Vladimir Putin has demonstrated cyber restraint.

The question is not whether Russia can “Carry out cyberattacks against Europe or the United States,” said Melissa Griffith, a senior science and technology innovation program associate at The Wilson Center. Rather it is what Russia would gain and risk “By carrying out cyberattacks against the United States and Europe.”  

Warner thinks that is soon to change. “I think we will probably see that in the coming days and weeks as Putin tries to lash out against the crippling level of sanctions we’ve put on him,” Warner said. 

He is not alone in his fears. Last week, the Cybersecurity and Infrastructure Security Agency (CISA) updated the “Shields Up” guidance to urge businesses and organizations to prioritize their cybersecurity. 

“While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on the Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies,” the CISA guidance states. “Every organization — large and small — must be prepared to respond to disruptive cyber activity.”

Daniel, the CEO of the Cyber Threat Alliance, expects retaliation to come in the form of cyberspace. Daniel posited that many people “In the industry expect that some form of retaliation will come through cyberspace because it’s an area where the Russians have a lot of capability, and it’s one where the West has a lot of vulnerabilities.” What has been the greatest accomplishment of the 21st century is now the biggest weak spot in the West, as the U.S. and Western Europe are digitally dependent societies where life is unimaginable without the internet.

However, our social media accounts and school emails aren’t likely targets for Russian cyberattacks. Cyber experts expect the oil and gas industries are the most vulnerable because they are not mandated by law to invest in cybersecurity. Meanwhile, President Biden has urged critical infrastructure in the financial, energy, and health care sectors to strengthen their cyber defenses.

Western European countries are the likely targets of Russian cyberattacks. James Lewis, a senior vice president and program director at the Center for Strategic and International Studies, said the U.K, France, and the Baltic states must remain vigilant in their cyber defense. He predicts Russia will save its ammunition for France until the presidential election is held in mid-April in order to interfere with the process.

If France or any other NATO country falls victim to Russian cyberattacks, there is no guarantee yet on whether article five will really be invoked. “We will not speculate on how serious a cyberattack would have to be in order to trigger a collective response,” said the NATO official. “Any response could include diplomatic and economic sanctions, cyber measures, or even conventional forces, depending on the nature of the attack.” There are no clear guidelines on how NATO would respond if called to defend a member country from a cyberattack, said Warner.

No one knows if or when a cyberattack from Russia is on the timeline, but Lewis said that “Cyberattack is now part of everybody’s military planning.”