In recent years, cyberattacks have become more targeted and very sophisticated. Hackers are no longer a threat to just individuals and businesses, but to the very fabric of societies.
Recent cyber-attacks have demonstrated their ability to threaten democracies. The Russian meddling in the 2016 U.S., the French and the German elections has caused a number of states to rethink the way they approach cybersecurity. The very instruments that were created to stimulate economies and globalizations are now vulnerable to manipulation and tampering. In light of the increasing number of cyber-attacks in severity and in quantity, the North Atlantic Treaty Organization (NATO) has declared cyberspace as another domain of operation in addition to air, space, and land.
NATO announced that a cyber-attack against any of its members could trigger Article 5. According to NATO, the principle of collective defense is the central piece of NATO’s treaty. NATO members are committed to defend and protect each other against attacks on any of the members. This principle of collective defense is incorporated in Article 5 of the Washington Treaty. After the terrorist attack on 9/11 against the U.S., NATO invoked Article 5 for the first time since it was formed in 1949.
NATO has been working with its members to enhance its defense capabilities. NATO has warned that it might invoke Article 5 if a cyber-attack would be directed at any of its members due to the increased cyber threats from Russia, China, Iran, North Korea, and other terrorist organizations. In a German newspaper interview, The NATO Secretary General, Jens Stoltenberg stated that “a severe cyberattack could trigger Article 5.” He also added that “that will depend on the severity of the attack.” Cyberspace is a unique domain due to a number of issues it presents. The attribution problem where the perpetrator is able to completely stay anonymous is probably one of the biggest challenges cyberspace introduces.
In the cyber realm, identifying the offender might be the biggest challenge states face as it is extremely hard to identify the attacker and in a timely fashion. A cyber attacker can easily conceal his or her identity and location by masking his or her IP and MAC addresses with the use of anonymizing tools. Furthermore, there are many different groups that are capable of launching a cyber-attack, from individuals to state-sponsored actors to non-state sponsored actors. Each of these groups has different goals and intentions.
Some are politically motivated, while others might be motivated by monetary gain or other motivating factors. Under the law of armed conflict (LOAC) rules, a cyber-attack can be qualified as an act of war only if: a) it was done in conjunction with a military attack; b) it can be linked to a specific country and government; and c) if such cyber-attack caused harm and injury to human life. Furthermore, according to the Tallinn manual, which is the most comprehensive analysis of how existing international law applies to cyber operations, stated that “the International Group of Experts agreed, therefore, that any cyber operation which rises to the level of an ‘armed attack’ in terms of scale and effects pursuant to Rule 13, and which is conducted by or otherwise attributable to a State, qualifies as a ‘use of force’. However, cyberattacks vary in the level of severity but most do not rise to the level ‘use of force’.
This makes invoking Article 5 hard to achieve because states or alliances are only justified in taking defensive action against a threat if “the use of force” rises to the level of “armed attack”. Due to the uniqueness of cyber-attacks, NATO might not be able to invoke Article 5. NATO should, therefore, take reasonable measures to stop or minimize the damage that could be caused by an aggressor such as implementing defense mechanism to isolate the danger and stop it from making any further damage. Increasing its cyber capabilities and working with all member states to establish a deterrence strategy might be an option NATO should adopt.