A picture taken on October 17, 2016 shows an employee walking behind a glass wall with machine coding symbols at the headquarters of Internet security giant Kaspersky in Moscow.

A picture taken on October 17, 2016 shows an employee walking behind a glass wall with machine coding symbols at the headquarters of Internet security giant Kaspersky in Moscow. KIRILL KUDRYAVTSEV/AFP via Getty Images

When Does a ‘Cyber Attack’ Demand Retaliation? NATO Broadens Its View

A set of “malicious cumulative cyber activities” may now amount to an armed attack.

In the 14 years since NATO first declared that a “cyber attack” could amount to an assault requiring collective action, alliance members have never made it quite clear what would constitute such an attack. But now they appear to be broadening the still-hazy definition.

Since the Wales Summit of 2014, analysts have largely worked under the assumption that a cyberattack would have to be as destructive as a kinetic attack to reach the legal threshold that would trigger defensive actions. This view was reinforced throughout the years by NATO’s use of the grammatical singular, i.e., “a cyberattack,” and the equivalency drawn between a kinetic attack and the effects and scale of a cyberattack. 

At the Cyber Defense Pledge Conference in 2018, for example, NATO Secretary General Stoltenberg said, “NATO leaders agreed that a cyber-attack could trigger Article 5 of our founding treaty. Where an attack on one Ally is treated as an attack on all Allies.” As recently as June 7, Stoltenberg told the Atlantic Council: “In a way it sends a message that a kinetic attack can of course cause a lot of damage, and so can of course a cyberattack. It does not matter whether it is a kinetic attack or a cyberattack. We will assess as allies when it meets the threshold for triggering Article 5.”

With the publication of the NATO Brussels Summit Communique on June 14, the alliance fundamentally re-conceptualized how and what kind of adversarial activities can lead to crossing the threshold of an armed attack. The most important change: the insertion of the word “cumulative.” 

According to paragraph 32 of the Communique, allies now recognize that “the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.” Asked to clarify the insertion of the term ‘cumulative,’ the NATO press office responded that (a) the term was indeed used deliberately, and (b) the reason for using it is because the alliance has recognized that the cyber threat landscape is evolving, and that several low impact cyber incidents by the same threat actor can have the same impact as a single destructive cyberattack. The Estonian Ministry of Defense added via email that “it is paramount that we would also take into account long-term cyber operations and attacks that might cause cumulative damage equal to what a single cyber-attack could cause.” 

The Communique itself still battles with the grammatical singular of “a cyberattack,” saying, “We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.” But gone is the sole equivalence to a kinetic attack. In addition, the alliance now also recognizes the impacts of “ransomware incidents and other malicious cyber activity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm.”

This means that NATO is finally inching away from cyberattacks as the metric of choice, and will hopefully move toward the more relevant unit of cumulative cyber activities – or in other words adversarial cyber campaigns. It is also positive to see that the threat of ransomware is receiving recognition as a security threat within the alliance. And it is good that NATO starts considering systemic effects resulting from malicious cyber activities – of which some might occur outside the alliance’s geographic area of responsibility. The 2012 attack against Saudi Aramco for example, could have posed a systemic threat to the majority of alliance members if oil and gas shipments were severely disrupted over a longer period of time. 

But it remains unclear how NATO’s “cumulative” approach will work. What falls into this accumulation? Non-state ransomware campaigns? Non-destructive state-sponsored cyber espionage activity? And do these adversarial cyber activities have to occur in parallel, within a limited time, or are they continuously accumulated?

NATO’s press office has said the move toward “cumulative cyber activities” should not be seen as lowering the threshold for triggering Article 5, because (a) there is no clearly defined threshold to begin with due to NATO’s strategic ambiguity, and (b) triggering Article 5 will be discussed by the alliance members on a case-by-case basis – meaning ultimately it is a political decision. This argumentation is of course debatable and hinges upon how member states will calculate cumulative cyber activities and which member state will push for a precedent.

Notably, the French Ministry of Defense and the UK government support the “accumulation of events” theory in their respective statements on international law applicable to cyberspace. The UK government states that adversarial cyber activities that “cease almost instantaneously or within a short timeframe” may nevertheless be part of “a wider pattern of cyber activities [that] might collectively constitute an internationally wrongful act justifying a response.” The French Ministry of Defense interprets international law similarly by arguing that cyberattacks which in isolation do not reach the threshold for an armed attack could qualify as such if the accumulation of their effects reaches a threshold of sufficient severity, or if they are carried out concurrently to operations in the physical domain that constitute an armed attack by the same entity or different entities acting in concert. It remains unclear why the other 28 NATO members agreed to include the accumulation of events theory into the Brussels Communique, and what their individual interpretation of the word ‘cumulative’ actually is.

Time will tell how the alliance members will posture themselves in practice. Some members might be seizing the opportunity to drive the discussion deeper by bringing up preemptive or preventative self-defense in and through cyberspace. Others might entirely ignore the word “cumulative” due to their very different interpretations of international law applicable to cyberspace. And finally, it is inherently unclear whether adversaries understand this change in the alliance’s posture, whether they care enough, and whether they should take it seriously. NATO leaders should recognize the need for clearer statements on the matter.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.