- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Coauthored with David Gevarter, intern for European studies at the Council on Foreign Relations.
While the North Atlantic Treaty Organization (NATO) was founded on the idea of collective defense, the nature of security threats has changed since its inception. The Cold War-era alliance is struggling to adapt to evolving technology and the altered nature of warfare. Nowhere is this more true than in the cyber realm. NATO policymakers have acknowledged cyberwarfare as a distinct sphere of conflict, but they have not yet tailored nuclear-era concepts of deterrence and response to this new domain. As cyberattacks increase in destructive potential and remain difficult to attribute, the alliance face the dilemma of whether and how to adapt their policy of strategic ambiguity to a new era of cyberwarfare.
At their annual summit last month, the twenty-nine allies reaffirmed the integral role cybersecurity plays in NATO, creating a Cyberspace Operations Center to supplement existing cyber defense facilities and reaffirming the need for an offensive capability “to deter, defend against, and to counter the full spectrum of cyber threats.” Missing from the communique, however, were any rules of engagement for the cyber sphere. This raises the question: How would NATO respond if a member state were to invoke Article V of the North Atlantic Treaty following a cyberattack?
The NATO alliance has long maintained a policy of strategic ambiguity when it comes to nuclear policy, leaving open the possibility that a conventional attack might be met with a nuclear response. (By contrast, China and India have adopted “no–first use” policy for nuclear weapons.) NATO’s nascent cyber policy exhibits a similar ambiguity, intentionally leaving unclear how the alliance would react to a cyberattack. Rather than responding in kind, NATO might instead conduct conventional attacks, such as missile strikes, allowing for rapid escalation.
Early cyberattacks were largely seen as low-stakes events: an inconvenience for the financial sector and dangerous for personal data, but not a threat to national security or justification for a military response. This is no longer necessarily the case. A coordinated Russian cyberattack against a nuclear power plant in Europe and the United States could have devastating consequences, were it to result in major radiation leaks. An attack on a country’s electric grid, a softer target, could in theory cause hundreds of billions of dollars in damage and put lives at risk as traffic lights stop working, hospitals lose power, and unrest erupts.
Given these stakes, NATO has an obvious incentive to strengthen its capacity to deter and punish cyberattacks, including through conventional retaliation. A U.S. Department of Defense memorandum published in early 2017 stated that at least for the next decade, offensive cyber capabilities are likely to outpace cyber defense, making deterrence the most viable option. Both the United States and NATO also recognize that a devastating cyberattack could quickly escalate to violent conflict by triggering a conventional response. Unfortunately, the alliance’s policy of strategic ambiguity falls short. By failing to define the rules of engagement for retaliation, the alliance leaves open the potential for chaos in determining an appropriate response to cyberattacks. In doing so, it invites adversaries to test the waters.
Cyber deterrence is inherently more challenging than nuclear or conventional deterrence because such attacks are difficult to definitively attribute to a particular actor. For example, it is easier to mask the source of a cyberattack on a power grid than it would have been for the Warsaw Pact to conceal a massive incursion into West Germany. This attribution problem could complicate NATO’s capacity to conclusively determine the source of a cyberattack and justify and conduct a timely conventional response, particularly if member states diverge in their perceptions. This dilemma could strain the foundations of collective defense and undermine any unified front against cyberattacks.
For NATO to commit to military action, all of its members would need certainty, beyond a reasonable doubt, about the identity of the perpetrator. This is particularly true in the case of Russia—a known sponsor of cyberattacks. Without conclusive proof, it might be a challenge to convince a distant country like Portugal or a dangerously close one like Estonia to join in a counterattack. Complicating matters, such post-attack decisions would need to be made quickly, given Russia’s precedent of using cyberwarfare as a precursor to kinetic invasion. The need for speed leaves little room for philosophical debates over what constitutes an act of war.
To be sure, NATO’s strategic ambiguity is not without its benefits. Uncertainty about the threshold for a military response could persuade an adversary not to push the envelope with an audacious attack. But that same ambiguity could lead an adversary to miscalculate. Moreover, the doctrine also leaves open the possibility of discord in the ranks of NATO member states regarding how to deal with any such attack.
NATO’s policy of strategic ambiguity served it well during the long Cold War nuclear confrontation. But it may be less appropriate to the era of cyberwarfare, particularly given the problem of attribution and the potential for inter-allied disagreement on the appropriate response to any particular incident. NATO policymakers need to resolve this dilemma by formulating a more explicit cyberwarfare doctrine to which all of its member states can adhere. This should include updating their mutual understanding of what constitutes an act of aggression under NATO’s collective defense provisions, making explicit to potential adversaries just what its red lines are, and establishing clear procedures and channels for robust allied response to cyberattacks. Unless NATO clarifies current ambiguities, Russian aggression in the cyber realm could go unchecked.