7 September 2016

NATO Article 5 and Cyber Warfare: NATO’s Ambiguous and Outdated Procedure for Determining When Cyber Aggression Qualifies as an Armed Attack

Stephen Jackson, J.D.,
August 16, 2016 

Center for Infrastructure Protection and Homeland Security, George Mason University 
Introduction At the outset of the North Atlantic Treaty Organization’s (NATO) founding, the original 12 Western nations included Article 5 within the Washington Treaty, which codified the concept of collective self-defense, first featured in the Charter of the United Nations of 1945.[1] NATO Article 5 provides that “an armed attack against one or more of [the NATO allies] in Europe or North America shall be considered an attack against them all….”[2] In the event of an armed attack against a NATO Party, “each of them, in exercise of the right of individual or collective self-defence recognized by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith . . . such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.”[3] Although only formally invoked once,[4] Article 5 is the main pillar of NATO, and serves as a deterrent against hostilities by non-NATO nations and non-state actors.

Since NATO’s creation in 1949, the manner in which nations engage in warfare has changed dramatically. This evolution includes incorporation of cyberspace into conducting warfare and securing national defense. For instance, Deputy Assistant Secretary of Defense Aaron Hughes recently testified before the Congress that “[the Department of Defense] relies heavily on cyberspace for virtually everything we do.”[5] Possibly the most blatant use of cyberspace in modern warfare occurred on December 23, 2015, when the Ukrainian power grid experienced major disruption from a sophisticated external cyber attack, largely rumored to be linked to the Russian Federation’s hostile occupation and annexation of Crimea.[6]

In an expression of NATO’s current abilities to counter advanced armed attacks, the Heads of State and Government of the North Atlantic Council issued the Wales Summit Declaration (Wales Declaration) on September 5, 2014. In the Wales Declaration, the Heads of State and Government outlined the threat of cyber threats and attacks, reaffirming NATO’s policy of “prevention, detection, resilience, recovery, and defence.”[7] The Wales Declaration further stated that the norms of international law, which include humanitarian law (jus in bello) and the UN Charter, directly apply to the realm of cyberspace.[8] At the core of these international norms is the concept of collective self-defense incorporated in NATO Article 5 and UN Charter Article 51. The Wales Declaration concluded by providing that NATO Article 5 in fact applies to cyber attacks, as determined by the North Atlantic Council on a “case-by-case basis.” Less than a year later, NATO Secretary General Jens Stoltenberg reiterated that a cyber attack could amount to an armed attack and trigger Article 5’s collective defense provisions.[9]

Although NATO has declared Article 5’s application to certain cyber attacks, the manner in which the North Atlantic Council will assess each cyber attack remains ambiguous. The lack of predetermined standards for assessing cyber attacks poses issues for NATO countries, which all hold various and differing internal criteria for countering cyber attacks. To remove this ambiguity, NATO should strive toward adopting a uniform standard for assessing individual cyber attacks to determine whether each attack rises to the level of an armed attack. Without adopting these measures, the North Atlantic Council will likely face internal strife among member nations while simultaneously facing external pressures during a major cyber event.

NATO Article 5: An Outdated Tool in the Age of Cyber Aggression As with any international treaty, the Washington Treaty is a product of its historical and technological context. Directly after World War II and at the dawn of the Soviet Union, the NATO allies sought to counter Soviet aggression in the Euro-American region. After the Soviet Union disbanded, NATO began preventing non-state actors from infiltrating NATO territories while also expanding its operations to regions like the Middle East.[10] Although NATO continues to use the express language of Article 5 to govern all forms of armed attacks, cyber attacks pose a new and unique obstacle. Cyber attacks are different than traditional methods of warfare because while they often have devastating consequences for the targeted nation or private entity, they rarely result in physical events like the cyber event in Ukraine.

Secretary General Stoltenberg’s announcement regarding the application of international law to cyberspace signifies that the doctrine of jus in bello, which regulates the proper conduct for waging war, also governs how nation states use cyber attacks. Traditional principles of jus in bello include the rules of proportionality and distinction, which dictate how a nation targets oppositional force while avoiding unnecessary civilian casualties.[11] If NATO seeks to enforce the application of international law to cyberspace, the North Atlantic Council will face much difficulty in using Article 5 to define when a cyber attack reaches the threshold of an armed attack based on these doctrines.

Article 5 is useful for assessing state and non-state actions used in traditional warfare. However, the NATO allies drafted Article 5 in light of the technology and tactics of the World War II era. While NATO continued to successfully adapt Article 5 to the evolving challenges post-Soviet Union, it cannot properly invoke the principle of collective self-defense against cyber attacks without at least new definitions for the various forms of cyber events. In particular, without unambiguous guidelines for identifying from where a cyber attack originated, NATO will face difficulty in both locating the origin of a cyber attack and determining whether the cyber attack was sanctioned by the host nation. Also, without proper definitions for the various forms of cyber attacks, NATO will likely encounter unnecessary debate between NATO allies over any cyber attack against a NATO country. Furthermore, without removing ambiguity in identifying cyber events that equate to a traditional armed attack, the North Atlantic Council will face difficulty in deciding upon a proper and proportionate armed response in accord with the principles of jus in bello.

Currently, almost every NATO ally has an individual national security and defense strategy related to cybersecurity.[12] These strategies vary in detail and scope, and lack uniformity in defining the elements of which cyber attacks warrant an aggressive response. Some scholars argue that the International Court of Justice accurately determined that collective self-defense is triggered when an act “inflicts substantial destruction upon important elements of the target state,” even if the attackers used non-traditional weaponry like airplanes or cyber attacks.[13] For instance, this “scale and effects” test does not adequately address the technical differences between using cyberspace to create either a kinetic disruption to a power plant or the potential to dismantle an entire financial infrastructure with zero physical effects. The potential for a single cyber attack to result in major disturbance, with or without any physical element, is sufficient to warrant specific guidelines. However, as long as the North Atlantic Council assesses individual cyber attacks on a case-by-case basis without predetermined specialized rules, the various interests of all 28 NATO nations will pose obstacles for a swift and efficient NATO response.

The Adoption of Cyber Attack Guidelines to Supplement Article 5 To properly dissuade and combat future cyber attacks, NATO should adopt cyber attack guidelines to reduce ambiguity and address the uniqueness of cyber aggression. In doing so, NATO will afford all member nations a unified procedure in which the North Atlantic Council may examine cyber attacks. This does not necessarily mean that bright line rules should be adopted. According to Department of State Coordinator for Cyber Issues M.E. Painter, “[a]s a general matter, states have not sought to define precisely (or state conclusively) what situations would constitute armed attacks in other domains, and there is no reason cyberspace should be different.”[14] Instead, Coordinator Painter argues that nations like the United States should define specific “norms of responsible behavior” for cyberspace that embrace traditional international law while adapting them to the intricacies of cyberspace.[15]

While Coordinator Painter speaks on behalf of the United States Government, his ideas of broad norms created specifically for regulating cyberspace is an important concept that NATO must at least consider for a framework dictating proper identification of cyber attacks, understanding whether a cyber attack rises to an armed attack under Article 5, and what are the proportional responses to such attacks. The United Nations has already embraced this line of thinking by issuing its annual Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE Report). The most recent UN GGE Report included several U.S. recommendations for how nations should and should not utilize information and communications technologies.[16]

Following the United Nations’ example, NATO should also form cyber attack guidelines that illustrate a set of norms related to cyberspace, but focus solely on cyber attacks, Article 5, and jus in bello. NATO can form the first coherent set of international guidelines for cyber attacks,[17] which is vital for maintaining dominance in the international sphere. NATO should begin its formation of the guidelines by analyzing the Tallinn Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual). Issued in 2013 for the benefit of NATO, experts in international law comprised “black letter” rules incorporating traditional jus in bello principles to cyber warfare.[18] Although the Tallinn Manual is not binding legal authority, it offers international organizations the best attempt at combining international law with the new realm of cyberspace. In consulting the Tallinn Manual, NATO should begin to draft binding authority for the North Atlantic Council in the form of an amendment to the Washington Treaty, or at least a persuasive document codified within NATO’s Military Committee or Allied Command Operations. By codifying principles similar to those included in the Tallinn Manual, NATO would drastically reduce the ambiguity surrounding the current case-by-case analysis identified in the Wales Declaration.

The formation of binding cyber attack guidelines for all NATO members and the North Atlantic Council will not be an easy task. As stated earlier, each NATO nation has independently formed its own set of standards for combating cyber aggression. Individualization among members will assuredly create friction in drafting these guidelines. However, NATO would be wise to begin the process before these individualized standards become too offensive for a uniform NATO procedure.

Conclusion The evolution of modern warfare shows that as weaponry becomes more advanced, nations attempt to curtail their devastating effects. To this point, international treaties and protocols, like the Geneva Protocol prohibiting asphyxiating and poisonous gases in battle,[19] tend to follow atrocities on the battlefield. Though only in the early stages of use for military purposes, cyberspace offers a unique opportunity to break the trend of following devastating events. By adopting a set standard before a major cyber attack is used against a NATO member, NATO may curtail these potential attacks by offering non-NATO members a clear set of rules. These rules may serve as a deterrent for these cyber attacks while simultaneously limiting the time in which NATO may effectively and proportionately respond.

Stephen Jackson received his juris doctor degree from George Mason University School of Law and is currently a Research Associate at the Center for Infrastructure and Protection at the George Mason University School of Business. The views and arguments expressed in this article are solely the author’s, and do not represent the views of the Center for Infrastructure and Protection or George Mason University. 

References [1] See U.N. Charter arts. 2(4), 51.
[2] North Atlantic Treaty art. 5., Apr. 4, 1949, 63 Stat. 2241, 34 U.N.T.S. 243.
[3] Ibid.
[4] The United States invoked Article 5 after the September 11, 2001 terrorist attacks, which led to NATO’s first operations outside of the Euro-American region. See “Collective Defence – Article 5,” North Atlantic Treaty Organization, last updated Mar. 22, 2016, http://www.nato.int/cps/en/natohq/topics_110496.htm.
[5] Digital Acts of War: Evolving the Cybersecurity Conversation, Before the H. Comm. on Oversight and Government Reform Subcomms. on Information Security and National Security, 114th Cong. 1 (2016) (statement of Aaron Hughes, Deputy Assistant Secretary of Defense).
[6] See Kim Zetter, “Everything We Know about the Ukrainian Power Hack,” Wired.com, Jan. 20, 2016, https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/ (overview of the cyber attack and its effects).
[7] Wales Summit Declaration, Sept. 5, 2014, http://www.nato.int/cps/en/natohq/official_texts_112964.htm.
[8]Ibid.
[9] “Keynote Speech by NATO Secretary General Jens Stoltenberg at the Opening of the NATO Transformation Seminar,” North Atlantic Treaty Organization, last updated May 19, 2015, http://www.nato.int/cps/en/natohq/opinions_118435.htm.
[10] See “Collective Defence – Article 5,” supra note 4.
[11] See Jason Andress & Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, 2nd ed. (Elsevier Inc., 2014), 251.
[12] See “Cyber Security Strategy Documents,” NATO Cooperation Cyber Defence Centre of Excellence, last updated Aug. 1, 2016, https://ccdcoe.org/cyber-security-strategy-documents.html (including related documents for all NATO nations except Greece, as well as for various non-NATO nations).
[13] Michael Gervais, “Cyber Attacks and the Laws of War,” 30 Berkeley J. of Int’l L. 525, no. 2 (2012): 543. doi: 10.15779/Z38R66C, http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1422&context=bjil (referencing the International Court of Justice’s Legality of the Threat or Use of Nuclear Weapons Advisory Opinion of 1996, and United State’s invocation of UN Charter Article 51 after September 11, 2001).
[14] Digital Acts of War: Evolving the Cybersecurity Conversation, Before the H. Comm. on Oversight and Government Reform Subcomms. on Information Security and National Security, 114th Cong. 5 (2016) (testimony of Department of State Coordinator for Cyber Issues M.E. Painter).
[15] See Ibid. at 2-3.
[16] See Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. Doc. A/70/174 (2015), http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174.
[17] The 2015 UN GGE Report fails to directly address issues related to jus in bello and collective self-defense. Ibid.
[18] Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt, ed. 2013), http://www.peacepalacelibrary.nl/ebooks/files/356296245.pdf.
[19] Protocol for the Prohibition of the Use in War of Asphyxiating, Poisonous or Other Gases, and of Bacteriological Methods of Warfare, Apr. 29, 1975, http://www.state.gov/t/isn/4784.htm.

No comments: