Editor's note: The following is a guest article from Mark Laity, senior director at the StratCom Academy and former head of NATO's military SHAPE Communications Division.
When a NATO official told Reuters that a cyberattack could be considered an armed attack and trigger "Article 5," it was a significant moment. How significant is harder to judge.
"Article 5" is NATO's holy grail, the core of what NATO is about. It is part of the Washington Treaty, signed in 1949, that set up the North Atlantic Treaty Organization, which started with 12 members and now has 30.
Article 5 states, "The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all."
So, an attack on Latvia is effectively the same as an attack on the United States – a powerful deterrent to a potential aggressor, but of course life is never that simple.
For decades it seemed simpler, as an armed attack would be obvious and NATO nations would respond with tanks, artillery, and warplanes. Now, in our new world, nations can be undermined through information warfare and infrastructure crippled by cyberattacks, often difficult to trace.
How NATO should respond to such attacks created much debate, first on the principles of whether a cyberattack could be considered an "armed attack," and secondly if it is, what to do about it.
The first question has been answered: it can, but the circumstances in which it would are less clear, and I would say at present unknown even within the Alliance. We can assume it will have to clear a very high bar.
The second question is even harder, and it is worth returning to Article 5 here. Yes, an armed attack on one is considered an attack on all, but each member is only required to take "…such action as it deems necessary, including the use of armed force..."
So, if for instance Latvia was attacked with tanks, individual nations are not obliged to respond with military force. Article 5 is powerful but how nations individually respond, with a lot or a little, is still up to them.
Nevertheless, a conventional military attack on a NATO nation would, I believe, get a massive response. Deterrence has worked. But when we move into the gray zone of "hybrid warfare" that response is harder to predict.
This is one of the aims of Russian strategy towards NATO, to achieve its goals while operating below the threshold that will trigger Article 5. On cyber, those waters will be even muddier given how deniable activity is within cyberspace.
In 2014, NATO's leaders made cyber defense a core part of collective defense but policy and activities to implement that decision are still evolving.
To that end, for instance, it has a technical agreement with the European Union and a NATO Industry Cyber Partnership. At SHAPE, NATO's military headquarters, there is also a Cyberspace Operations Centre.
Currently, NATO is far more focused on defensive cyber, to secure its systems from attack, and the nature of that is a point of debate.
Many say passive cyber defense, where you simply build up your virtual walls, leaves the initiative with your adversary, enabling him to probe without consequence until he finds your weak point. Effective defense means also going after the attacker and forcing him onto the back foot – so-called cyber offense. That is also what would be needed if NATO's responding to an Article 5 breach.
It is also important to recognize NATO as an institution does not possess significant cyber capabilities. When it comes to activities, NATO is a command and control organization using hardware and personnel loaned by members.
Few nations have sophisticated cyber capabilities and for operational security reasons, they are closely guarded, rarely shared, and carefully used.
It means if a cyberattack did trigger NATO Article 5, then the actual use of cyber weapons would be outsourced to nations for use on behalf of the Alliance in a coordinated manner.
I am assuming, surely likely, that any first response to a cyberattack would include cyber. However, as the NATO source told Reuters, a response does not have to be symmetrical, and could theoretically escalate to include a military one.
However, as noted, I think the bar for that will be high. Getting 30 nations to agree on this will be hard, and a further possibility is if NATO cannot agree there could be a so-called "coalition of the willing" operating separately.
So, we are in uncharted waters. NATO has long since agreed cyberattacks could trigger Article 5, and that itself was a major decision and something of a deterrent to hostile actors. But the reality of having to act on it is now closer than ever before.