A picture taken on October 17, 2016 shows an employee walking behind a glass wall with machine coding symbols at the headquarters of Internet security giant Kaspersky in Moscow. KIRILL KUDRYAVTSEV/AFP via Getty Images

When Does a ‘Cyber Attack’ Demand Retaliation? NATO Broadens Its View

A set of “malicious cumulative cyber activities” may now amount to an armed attack.

In the 14 years since NATO first declared that a “cyber attack” could amount to an assault requiring collective action, alliance members have never made it quite clear what would constitute such an attack. But now they appear to be broadening the still-hazy definition.

Since the Wales Summit of 2014, analysts have largely worked under the assumption that a cyberattack would have to be as destructive as a kinetic attack to reach the legal threshold that would trigger defensive actions. This view was reinforced throughout the years by NATO’s use of the grammatical singular, i.e., “a cyberattack,” and the equivalency drawn between a kinetic attack and the effects and scale of a cyberattack. 

At the Cyber Defense Pledge Conference in 2018, for example, NATO Secretary General Stoltenberg said, “NATO leaders agreed that a cyber-attack could trigger Article 5 of our founding treaty. Where an attack on one Ally is treated as an attack on all Allies.” As recently as June 7, Stoltenberg told the Atlantic Council: “In a way it sends a message that a kinetic attack can of course cause a lot of damage, and so can of course a cyberattack. It does not matter whether it is a kinetic attack or a cyberattack. We will assess as allies when it meets the threshold for triggering Article 5.”

With the publication of the NATO Brussels Summit Communique on June 14, the alliance fundamentally re-conceptualized how and what kind of adversarial activities can lead to crossing the threshold of an armed attack. The most important change: the insertion of the word “cumulative.” 

According to paragraph 32 of the Communique, allies now recognize that “the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.” Asked to clarify the insertion of the term ‘cumulative,’ the NATO press office responded that (a) the term was indeed used deliberately, and (b) the reason for using it is that the alliance has recognized that the cyber threat landscape is evolving, and that several low-impact cyber incidents by the same threat actor can have the same impact as a single destructive cyberattack. The Estonian Ministry of Defense added via email that “it is paramount that we would also take into account long-term cyber operations and attacks that might cause cumulative damage equal to what a single cyber-attack could cause.”

The Communique itself still battles with the grammatical singular of “a cyberattack,” saying, “We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.” But gone is the sole equivalence to a kinetic attack. In addition, the alliance now also recognizes the impacts of “ransomware incidents and other malicious cyber activity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm.”

This means that NATO is finally inching away from cyberattacks as the metric of choice, and will hopefully move toward the more relevant unit of cumulative cyber activities – or in other words, adversarial cyber campaigns. It is also positive to see that the threat of ransomware is receiving recognition as a security threat within the alliance. And it is good that NATO is starting to consider systemic effects resulting from malicious cyber activities – some of which might occur outside the alliance’s geographic area of responsibility. The 2012 attack against Saudi Aramco, for example, could have posed a systemic threat to the majority of alliance members if oil and gas shipments were severely disrupted over a longer period of time.

But it remains unclear how NATO’s “cumulative” approach will work. What falls into this accumulation? Non-state ransomware campaigns? Non-destructive state-sponsored cyber espionage activity? And do these adversarial cyber activities have to occur in parallel, within a limited time, or are they continuously accumulated?

NATO’s press office has said the move toward “cumulative cyber activities” should not be seen as lowering the threshold for triggering Article 5, because (a) there is no clearly defined threshold to begin with due to NATO’s strategic ambiguity, and (b) triggering Article 5 will be discussed by the alliance members on a case-by-case basis – meaning ultimately it is a political decision. This argumentation is of course debatable and hinges upon how member states will calculate cumulative cyber activities and which member state will push for a precedent.

Notably, the French Ministry of Defense and the UK government support the “accumulation of events” theory in their respective statements on international law applicable to cyberspace. The UK government states that adversarial cyber activities that “cease almost instantaneously or within a short timeframe” may nevertheless be part of “a wider pattern of cyber activities [that] might collectively constitute an internationally wrongful act justifying a response.” The French Ministry of Defense interprets international law similarly by arguing that cyberattacks which in isolation do not reach the threshold for an armed attack could qualify as such if the accumulation of their effects reaches a threshold of sufficient severity, or if they are carried out concurrently with operations in the physical domain that constitute an armed attack by the same entity or different entities acting in concert. It remains unclear why the other 28 NATO members agreed to include the accumulation of events theory in the Brussels Communique, and what their individual interpretation of the word ‘cumulative’ actually is.

Time will tell how the alliance members will posture themselves in practice. Some members might be seizing the opportunity to drive the discussion deeper by bringing up preemptive or preventative self-defense in and through cyberspace. Others might entirely ignore the word “cumulative” due to their very different interpretations of international law applicable to cyberspace. And finally, it is inherently unclear whether adversaries understand this change in the alliance’s posture, whether they care enough, and whether they should take it seriously. NATO leaders should recognize the need for clearer statements on the matter.