The North Atlantic Treaty Organization (NATO), founded in 1949 as a military alliance between 12 North American and European countries, has today 29 members. According to the principle of collective defense enshrined in Article 5 of the Washington Treaty, an armed attack against one NATO Ally is considered as an attack against all NATO Allies. After the September 11 attacks against the United States, NATO invoked Article 5 for the first time in its history. In September 2014, the Alliance issued a clarification of Article 5, extending its scope to include cyberspace in addition to “physical space”.
The principle of collective defense obliges Alliance members to defend each other in case of an armed attack. According to the Strategic Concept of 1991, NATO leaders moved “acts of terrorism” to the top list of “other risks”. Therefore, NATO can invoke Article 5 if an aggressor commits a terrorist act (as seen in the aftermath of the 9/11 attacks). However, as stated in a Brookings article in 2002: “this is not to say that any act of terrorism or threat to energy supply can or should be treated as an Article 5 contingency that obliges all allies to contribute troops. It does mean, however, that all recognize that global developments can imperil their common interests and values, a point made dramatically clear by the attacks on Washington and New York.” Furthermore, the Alliance has officially accepted that cyber attacks are within the scope of Article 5. Thus, a member state may request assistance from other Allies when responding to a cyber attack. However, despite the fact that a digital attack on a member state is covered by Article 5, according to Article 72 of the Wales Summit Declaration, “a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.” It should be further emphasized that if a terrorist act is committed by a group based in the attacked country (i.e., within domestic jurisdiction), it does not constitute an attack under Article 5.
“The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defense recognized by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.
Any such armed attack and all measures taken as a result thereof shall immediately be reported to the Security Council. Such measures shall be terminated when the Security Council has taken the measures necessary to restore and maintain international peace and security.”
NATO’s secretary general Jens Stoltenberg has described the severity of a cyber attack that may trigger Article 5. According to him: “The level of a cyberattack that would provoke NATO into a response under Article 5 must remain purposefully vague, as will the nature of NATO’s response. A clearly defined threshold only invites attacks immediately beneath it. That is the logic of deterrence.”
The Alliance’s Strategic Concept sets out NATO’s security tasks and reaffirms a deterrence and defense approach. The Strategic Concept is based on prevention and resilience policies on crisis management, collective defense and security.
The Alliance’s Policy Guidelines on Counter-terrorism (2012) state that “modern technology increases the potential impact of terrorist attacks employing conventional and unconventional means, particularly as terrorists seek to acquire chemical, biological, radiological or nuclear (CBRN) capabilities and cyber abilities”. The document provides strategic and risk assessment guidelines to efficiently counter terrorism as part of NATO’s main priorities of “collective defense, crisis management, and cooperative security”. It also focuses on three main pillars: increase ‘shared awareness’ of terrorist threats/risks; develop strategies to counter these threats/risks, and engage in partnership with countries to enhance their strategies in countering terrorist threats.
NATO’s approach to cyber defense has evolved over the years. At the 2014 Wales Summit, NATO recognized that international law applies to cyberspace and that cyber attacks could be as harmful as conventional attacks. NATO’s cyber defense policy mainly focuses on the protection of its own networks (including operations and missions) and on the promotion of international cooperation in cyberspace. At the Warsaw Summit in 2016, NATO announced a Cyber Defense Pledge, officially adding cyberspace to its three operational domains (land, sea, air).
The Wales Summit Declaration stated that cyber defense “is part of NATO’s core task of collective defense”. NATO adopted the Pledge in order to strengthen the cyber defenses of national networks and infrastructures, as well as to enhance NATO – EU cyber defense co-operation. In February 2016, NATO and the European Union signed a Technical Arrangement on cyber-defense, which provides a framework for exchanging information and sharing best practices.
Additionally, the NATO Industry Cyber Partnership (NICP) aims to reinforce cyber defense strategies by strengthening the relationship between the private sector and Alliance members. According to NICP’s official website, the partnership brings together NATO entities, national Computer Emergency Response Teams (CERTs) and NATO member countries’ industry representatives.
In September 2017, the STRATCOM held a workshop on Social Media in Operations – a Counter-Terrorism Perspective, where NATO’s Centre of Excellence on Defense Against Terrorism (COE-DAT) explored how NATO can improve its approach to counter-terrorism. The report of the COE-DAT workshop stated that “in order to develop social media analysis further, a NATO wide legal framework or code of conduct must be established”.
Later in October 2017, NATO held a Parliamentary Assembly session on “The Social Media Revolution: Political and Security Implications”. The report of the session explained how terrorist organizations use cyberspace as a tool for recruitment and propaganda, and misuse social media platforms for their illicit activities.
Finally, the Tallinn Manual, a non-binding academic study on how existing international law applies to cyberspace, was established through the joint cooperation of a group of world renowned experts and the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE).