WARSAW, Poland — July's NATO Warsaw Summit will come with a major focus on cyber-related capabilities, and could conclude with a new definition of cyberspace as a warfighting domain – reinforcing the idea that a cyber-attack on a partner could trigger an Article 5 invocation.
Such an announcement represents the increasing focus of cyber for the alliance at a time when Russia is increasingly focused on asymmetrical warfare to try and weaken the European members, as Western officials have said. That NATO is considering a change in how cyber is handled on a policy level was revealed by a source involved in the planning for next month's summit.
Defense News is traveling in Poland this week as part of a journalist tour hosted by the Polish government, which paid for travel and accommodations.
The thinking behind the discussions is focused on the modern reality that major infrastructure damage could be caused by a cyber strike. That issue has become a focus in the United States, where local utility companies could be particularly vulnerable.
The question of how to respond to cyberattacks is a thorny one. Attribution for the attacks can often be murky, making it very hard to prove accurately the original source. Even if the location of an attack is identified, a nation can claim that the attacks came from a rogue individual and not a government.
In addition, defining the proportionality of a response can be tricky. How should a nation state respond to a small hack from a neighbor that steals information? How does that compare to an attack on critical infrastructure, such as shutting down a power grid, which could lead to injuries or accidents to civilians? Should cyberattacks always merit a response in the virtual domain, or could a kinetic or economic response be launched as a result?
While NATO Secretary General Jens Stoltenberg has previously said a cyberattack could trigger Article 5, the reciprocity issue is a particularly hard one for NATO officials to figure out, as nations understandably do not want to risk being dragged into conflict by an ally over a low-level hacking attempt.
The 2007 denial-of-service attacks on Estonia was noted by the source as an example where the government could have – hypothetically, under the new operating concept – invoked Article 5, the NATO rule that requires allies to come to the defense of whatever nation triggers it. (Article 5 has only been invoked once, by the United States following the September 11 terrorist attacks.)
However, that incident did not result in any serious property or economic damage, in comparison to the STUXNET virus that destroyed part of Iran's nuclear program.
Regardless of what decision comes out of the Warsaw Summit, the NATO partners are increasingly focused on building cyber resiliency among the allied nations. While NATO may look to suggest general standards and tactics among the allies, the specifics of handling cybersecurity matters would still fall to the individual members for the foreseeable future.
However, some common operating standards, particularly when it comes to protecting classified information among the militaries, may be advisable. As nations become increasingly interoperable, the flow of data back and forth can create vulnerabilities in the back-ends of systems.
For example, officials for the F-35 joint strike fighter program have expressed concern about the ability to link up digital flight training systems among the operators, as some nations may not have the same levels of security that US systems do, providing a potential back door for hackers attempting to access US data.