Raising the stakes: NATO says a cyber attack on one is an attack on all

A new policy includes cyber attacks under Article 5 of the NATO charter, which—if invoked—could require member states to respond collectively.

NATO’s new cyber defense policy will consider cyber attacks that threaten a member’s security to be on par with traditional attacks – and may now provoke collective defense from the alliance’s 28 members.

The new policy means that a significant cyber attack on any member of the alliance could be viewed as an attack on all, per Article 5 of the NATO charter. The change to NATO’s policy was endorsed by NATO ministers in June, and was ratified last week at a summit held in Wales, United Kingdom.

“Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack. We affirm therefore that cyber defence is part of NATO's core task of collective defence,” according to a declaration issued by participating heads of state. “A decision as to when a cyber-attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.”

Article 5, which calls for member nations to come to the aid of any member subject to armed attack, has traditionally focused on non-digital attacks. The clause has only been invoked once – following the September 11, 2001 attacks.

In the past, a NATO ally under cyber attack could convene a group to consult on the attack, but not call on allies to respond. With cyber attacks now falling under Article 5, NATO members could now have the option of doing so.

While highlighting the possibility of military action against cyber-attacks could have a potential deterrence effect on would-be state sponsored hackers, the unclear nature of the new policy raises many questions.

For instance, the threat level of a cyber attack that could trigger a collective military response is vague and could make it difficult to agree on a unified response. With cyber attacks ranging from cyber espionage on commercial companies to attacks on governments and militaries, government officials around the world are still hotly debating what sort of attack could elicit a military response. It’s also unclear what that response could entail, and could include conventional or digital counter attacks.

Attribution also remains a significant problem. Not all hackers are state-sponsored, and many are working for personal gain rather than as a part of a state-sponsored program. The ability to identify government hacking groups remains difficult – only in the past couple of years have private companies been able to pinpoint specific military groups, such as Comment Panda and Putter Panda in China. 

The Defense Department has been trying to work out many of the same problems since it declared in 2011 that cyber attacks could constitute an act of war. That report also did not address what kind of attacks could spark military action or whether the Pentagon could be certain of attributing attacks -- sparking heated debate at the Pentagon.