NATO Is in a Cyberwar with Russia and Must Expand Article 5 to Include Cyberwarfare or Risk Losing and Diminishment
By Brian E. Frydenborg
Article 5 of NATO’s foundational 1949 North Atlantic Treaty demands that if an “armed attack” is carried out against even just one member state, all other member states “shall” consider that attack (and any armed attack) on a member state “an attack against them all” and “will assist,” up to and “including the use of armed force.” This bedrock is the centerpiece for over seven decades of the Pax Americana: the U.S.-led global system of military power, alliances, collective defense, and ability to project combined strength anywhere on the planet. For it to continue in these roles, NATO must adapt to current and future threats by adding cyberwarfare—including information warfare—to Article 5.
Cyberwarfare a Defining Part of Modern Warfare
Most cyberattacks against NATO states are carried out by Russia. A key element of these involve what is called “information warfare” (“a new face of war,” quoting a RAND Corporation report), heavily involving disinformation and that includes “warfare” to indicate these are hardly benign/normal influence operations but those that have always been part of any serious conventional war in modern times.
The ever-evolving concept of warfare in our digital age, then, does not have to include shots being fired from guns, and it is naïve to not consider cyberwarfare as simply another form of war in the twenty-first century that uses force in the digital realm to achieve results in some of the same spirit as traditional armies: attack, defense, deception, sabotage, destruction, and to pressure actors to change behavior. Clausewitz most famously wrote that “war is merely the continuation of policy [or politics] by other means” and would have well understood cyberwarfare to be war and well within that “other means” category.
Russia and China are the two countries that have led in cyberwarfare. Bolder but weaker Russia is NATO’s—and America’s—foremost enemy (even if unofficially but obviously in a de facto sense), while China is stronger but more reserved as the West’s clearest top rival. China has carried out and been a leader in non-weaponized hacking and espionage (admittedly common among all major states), but has not, say, publicly released disinformation or stolen information in a manner timed to seriously interfere with NATO countries’ elections (as Russia has). And though China has its own complex influence operations, Russia undoubtedly has led by far in cyberattacks more hostile than espionage (uniquely so among major powers) since its game-changing 2007 Estonia cybercampaign.
Figure 1. Where the political warfare fits within the implements of power. “All activities are illustrative, rather than an exhaustive list of possible actors.” From RAND's The Growing Need to Focus on Modern Political Warfare
Russia officially considers NATO a “threat,” and since that 2007 Estonia cybercampaign, has been far more aggressive and threatening towards NATO states, often stoking internal divisions and flooding them in cyberattacks, including election interference and boosting secessionism, with notable cybercampaigns being carried out against over twenty NATO member states (apart from campaigns against non-NATO states).
Furthermore, de facto, undeclared wars are the most common type of war in modern history even if the term “war” is not used. America, for example, has a long history of undeclared war going all the way back to the nation’s earliest days involving conflict with Native Americans and also the 1798-1800 Quasi-War, then popularly termed “The Undeclared War with France.” As one scholar notes, “the legal state of war is possible without actual fighting.”
The Nature of Russian Cyberwarfare Confronting NATO
Thus, it is hardly extreme to consider NATO and Russia in an undeclared cyberwar and, therefore, a state of undeclared war. NATO Review, NATO’s flagship journal, even in 2017 published analysis noting that Russia was waging “non-kinetic political war on the West,” as I have.
Russia’s weapons in its undeclared war on NATO are not tanks, bombs, bullets, or jets; rather, they are illicit financing, trolls, bots, and fake news, with the Kremlin often fomenting, funding, and promoting the rise of far-right ethno-nationalist extremists, all while disparaging those in the center and mainstream left. Putin’s party, the banally nationalist United Russia, has even formed formal and informal alliances with significant like-minded political parties in major NATO countries.
These campaigns, relying on hacking, disinformation, propaganda, and other cyber-methods, are coordinated through major components of the Russian government and close Putin allies in and out of the Kremlin, often using thousands of fake accounts to artificially boost their impact, which, in turn, are bolstered within the target states by agents and local allies along with unwitting true believers long dubbed “useful idiots.” In many NATO countries—including the U.S.—Putin is even liked by far-rightists. Domestic media, then, can become loud voices augmenting Russia’s propaganda, especially right-wing media outlets, but also some on the far-left. Repeated enough, top traditional outlets latch onto this disinformation, sometimes mainstreaming it, other times critiquing yet still propagating, as I have previously explained.
Reigning as the supreme disruptor on social media, Russia spews a “firehose of falsehoods” that has been massively effective, distorting and gaslighting public discussion to wildly amplify Russia’s preferred narratives beyond any natural organic reach, influencing many millions, thus helping to create an atmosphere where disinformation is sometimes consumed even more than actual news and doubt about even basic truths becomes widespread.
And once Putin’s favored are in office partly because of Russian disinformation, they in turn further spread Russian disinformation from the highest levels of their governments, even mimicking Kremlin tactics and adopting policies favorable to Russia, even covering up Russia’s trail (both America’s 2019 Mueller report and the British Parliament’s Intelligence & Security Committee’s exceptional Russia report released last year note damning examples of obstruction in their respective governments).
Most notably for NATO, the American presidential candidate Putin twice ordered Russian election interference on behalf of had expressed hostility to NATO repeatedly during the campaign, even contemplated leaving the Alliance as president, and may still have done so if reelected.
Cyberwarfare a Larger Threat Now to NATO than Terrorism
By far, the most damaging, destabilizing, and effective attacks NATO countries since 9/11 have been Russian cyberattacks, campaigns that have been able to affect political outcomes and internal dynamics in numerous NATO countries to suit Putin’s agenda.
Russian cyberwarfare efforts against the U.S. have included election interference—beginning with what I called back in December 2016 the First Russo-American Cyberwar—that has already caused damage to America, its democracy, and its reputation that is hard to exaggerate, with effects not only still being felt by the U.S. but guaranteed to still be felt for some time. Russia is also clearly and repeatedly promoting unrest and division, recently pushing both disinformation about the coronavirus and bogus conspiracy theories of fraud 2020 U.S. presidential election. In the run-up to that election, the Russians targeted the main political rival of their preferred incumbent, just as in 2016.
These efforts produced results: multiple respectable surveys and any casual look at social media show that vast numbers of Americans—even key leaders—are supporting this disinformation, even spreading nonsense about both the 2020 presidential election, damaging faith in the very foundations of democracy coronavirus (including millions doubting coronavirus vaccines literally helping kill Americans). There are also global effects on opinion of America and the rest of the West along with international views on coronavirus and vaccines.
Most recently coming to light are the devastatingly far-reaching SolarWinds operation; a cyberattack against USAID that ensnared some 150 government agencies, non-profits, think tanks, and human rights groups globally that have criticized Russia; a recent attack on top U.S. cybersecurity firm FireEye; and the Colonial Pipeline and JBS meat plant ransomware, with Russia playing a role with these ransomware groups similar to how the Taliban gave al-Qaeda safe harbor, resulting in the 9/11 attacks—incidentally, the only time NATO ever invoked Article 5.
In contrast, physical terrorist attacks in NATO countries since 9/11, while tragic, have still had comparatively limited effects. Even Russia’s own 2018 Novichok chemical weapon attack on British soil in Salisbury against Russian military intelligence officer turned spy for the UK Sergei Skripal had more symbolic an effect than anything else, dwarfed by the damage from Russian efforts to move the 2016 Brexit vote in the direction of Leave or the effect of Russia’s campaign to amplify Scottish secessionism (now increasingly likely and sooner rather than later, an outcome that would obviously dismember and damage a UK already acutely damaged by Brexit). To journalist George Packer, “antisocial media has us all in its grip.”
NATO currently has a Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia. Yet even presently, one-sixth of NATO— Albania, Canada, Iceland, Luxembourg, and North Macedonia—are not members of this Centre, though, encouragingly, Canada and Luxembourg are going to join, new states were recently added, and non-NATO states Austria, Finland, Sweden, and Switzerland are “Contributing Participants,” a status available to those outside of NATO; Australia, Ireland, Japan, South Korea, and—most recently—Ukraine will join that second group. There is also set to be a new military cyberdefense command center fully operational in 2023 at NATO’s military base in Belgium.
NATO considers “cyber defence…part of NATO’s core task of collective defence” and has since 2014, when the Alliance first specifically articulated the possibility of invoking Article 5 in reaction to cyberattacks (but only “on a case-by-case basis”). NATO has since “pledge[d] to ensure the Alliance keeps pace with the fast evolving cyber threat landscape and that our nations will be capable of defending themselves in cyberspace as in the air, on land and at sea,” repeatedly reiterating that Article 5 being invoked in response to a cyberattack is a possibility, including just this September 2020 and in June 2021.
The vague idea seems to be that if a cyberattack was “serious” enough, Article 5 could be activated, but this seems myopic: death by a thousand cuts is still death and has the same effect as decapitation, so tolerating many smaller attacks, thereby transmitting a clear indication that there will not be a collective Article 5 response to them, is just bad policy. It is also most decidedly not the case for armed attacks, in which any by a nation-state or sponsored by one would trigger Article 5. Years of unrelenting cyberwarfare has done more damage to NATO than any Soviet Army did during the Cold War, in part, because of Article 5: the USSR and then Russia did not dare use armed force to strike any NATO country for fear of Article 5’s unequivocal guarantee of a collective response, even in 2015 when NATO-member Turkey shot down a Russian military jet over Syria.
Yet when it comes to cyberwarfare, NATO is practically inviting Russia to attack and get away with it, with the Alliance quite consistently demonstrating an unwillingness, even inability under its existing framework to collectively respond to Russia’s cyberaggression. As the aforementioned UK Russia report noted, “Russia is not overly concerned about individual reprisal” against its aggressive acts, including its cyberattacks, with even the U.S. demonstrably inspiring little hesitation.
Clearly, pretending cyberwarfare is not war and allowing cyberwarfare in real-world practice to be kept out of NATO’s Article 5—leaving individual members states flailing independently and ineffectively against an organized, determined, and capable de facto enemy content to stand down its conventional military against NATO while unleashing its cyberunits upon it with impunity—has failed.
At the end of New York Times cybersecurity reporter Nicole Perlroth’s recent book This Is How They Tell Me the World Ends—the indispensable, terrifying, definitive account of the development of cyberwarfare and the mess in which we currently find ourselves—the author warns that “many will say” that “these…critical assignments of our time” to deter and defend ourselves from cyberwarfare “are impossible, but we have summoned the best of our scientific community, government, industry, and everyday people to overcome existential challenges before. Why can’t we do it again?…We don’t have to wait until the Big One to get going.”
As a main advantage of the West over Russia is that people like the West a lot more than Russia—materializing in close economic, diplomatic, and military ties Russia can only dream of—the easiest way for the West to face and fight this dire and metastasizing cyberthreat from Russia is by leveraging its alliances, and, most of all, this means involving NATO and doing so in a big way.
As there is no statute of limitations on cyberattacks and the just-proposed framework not precluded by the current NATO treaty, NATO would even be in its full rights (and is overdue) to now invoke Article 5 against Russia for its cyberwarfare so that this cyberwarfare will result in far more pain for Russia than any damage it inflicts.
How to Revise Article 5 and the NATO Treaty Overall
With Russia’s rampant cyberwarfare only intensifying and its obvious pattern as a hostile bad-faith actor, it is absolutely necessary for a paradigm shift in the international system for deterring cyberattacks. Because NATO is the premier Western defensive alliance, crystalizing cyberwarfare’s relationship to Article 5 is a must, the only way for NATO to maintain credible collective defense in the twenty-first century.
To this end, “or cyberattack” must be added after every occurrence of the words “armed attack” in Article 5 (e.g., “The Parties agree that an armed attack or cyberattack against one or more of them…”).
In a longform, earlier version of this proposal, I have proposed a new detailed Article 15 that defines cyberwarfare in the Article 5 context and who/what would be covered. Any attacks that cause damage and harm would be included, as would digital information warfare/disinformation campaigns. Yet fairly standard espionage operations will not be included (say, China’s hacking) unless either the scale is so exceptional (as was the case with Russia’s unprecedented SolarWinds hack) or if what is hacked is weaponized or threats to weaponize that information are made.
By “weaponized,” I mean any action that tries to coerce, influence, or target publicly. Targets that would trigger Article 5 include all NATO citizens, residents, or entities—public sector or private—or anyone operating on NATO member state territory, as NATO cannot tolerate its territory being used for any such attack. Any attacks targeting family, friends, or connections of these folks for the same purposes would also be covered. This would apply to all state or state-sponsored cyberattacks, while terrorist or non-state actors would also be covered under certain actions but other activities would default to being handled by normal counterterrorism and/or law enforcement agencies.
Expanding Article 5 is necessary and overdue. The early twenty-first century’s second decade has been something of a Wild West, with Russia using the lawlessness of the cyber domain to its devastating effect. The time for lawlessness is over, and revising NATO’s Article 5 as suggested herein will not only clarify the rules for NATO enemies and rivals, but also for the members of a NATO Alliance itself that is in desperate need of clarity and strength on this issue. It will also make NATO once again an alliance that instills fear in the minds of Russian leaders (as it did with Stalin and subsequent Soviet leadership) who would engage in reckless acts of aggression against NATO or its states, even if “just” through cyberwarfare.