Brian E. Frydenborg
Introduction
Article 5 of NATO’s foundational 1949 North Atlantic Treaty demands that if an “armed attack” is carried out against even just one member state, all other member states “shall” consider that attack (and any armed attack) on a member state “an attack against them all” and “will assist,” up to and “including the use of armed force.” This bedrock is the centerpiece for over seven decades of the Pax Americana: the U.S.-led global system of military power, alliances, collective defense, and ability to project combined strength anywhere on the planet. For it to continue in these roles, NATO must adapt to current and future threats by adding cyberwarfare—including information warfare—to Article 5.
Cyberwarfare a Defining Part of Modern Warfare
Most cyberattacks against NATO states are carried out by Russia. A key element of these involve what is called “information warfare” (“a new face of war,” quoting a RAND Corporation report), heavily involving disinformation and that includes “warfare” to indicate these are hardly benign/normal influence operations but those that have always been part of any serious conventional war in modern times.
The Nature of Russian Cyberwarfare Confronting NATO
Russia’s weapons in its undeclared war on NATO are not tanks, bombs, bullets, or jets; rather, they are illicit financing, trolls, bots, and fake news, with the Kremlin often fomenting, funding, and promoting the rise of far-right ethno-nationalist extremists, all while disparaging those in the center and mainstream left. Putin’s party, the banally nationalist United Russia, has even formed formal and informal alliances with significant like-minded political parties in major NATO countries.
These campaigns, relying on hacking, disinformation, propaganda, and other cyber-methods, are coordinated through major components of the Russian government and close Putin allies in and out of the Kremlin, often using thousands of fake accounts to artificially boost their impact, which, in turn, are bolstered within the target states by agents and local allies along with unwitting true believers long dubbed “useful idiots.” In many NATO countries—including the U.S.—Putin is even liked by far-rightists. Domestic media, then, can become loud voices augmenting Russia’s propaganda, especially right-wing media outlets, but also some on the far-left. Repeated enough, top traditional outlets latch onto this disinformation, sometimes mainstreaming it, other times critiquing yet still propagating, as I have previously explained.
Cyberwarfare a Larger Threat Now to NATO than Terrorism
By far, the most damaging, destabilizing, and effective attacks NATO countries since 9/11 have been Russian cyberattacks, campaigns that have been able to affect political outcomes and internal dynamics in numerous NATO countries to suit Putin’s agenda.
Falling Short
NATO currently has a Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia. Yet even presently, one-sixth of NATO— Albania, Canada, Iceland, Luxembourg, and North Macedonia—are not members of this Centre, though, encouragingly, Canada and Luxembourg are going to join, new states were recently added, and non-NATO states Austria, Finland, Sweden, and Switzerland are “Contributing Participants,” a status available to those outside of NATO; Australia, Ireland, Japan, South Korea, and—most recently—Ukraine will join that second group. There is also set to be a new military cyberdefense command center fully operational in 2023 at NATO’s military base in Belgium.
Yet official working papers, conferences, interviews, statements, and raising possibilities are no substitute for a concrete, clear policy, and NATO simply does not have this.
The vague idea seems to be that if a cyberattack was “serious” enough, Article 5 could be activated, but this seems myopic: death by a thousand cuts is still death and has the same effect as decapitation, so tolerating many smaller attacks, thereby transmitting a clear indication that there will not be a collective Article 5 response to them, is just bad policy. It is also most decidedly not the case for armed attacks, in which any by a nation-state or sponsored by one would trigger Article 5. Years of unrelenting cyberwarfare has done more damage to NATO than any Soviet Army did during the Cold War, in part, because of Article 5: the USSR and then Russia did not dare use armed force to strike any NATO country for fear of Article 5’s unequivocal guarantee of a collective response, even in 2015 when NATO-member Turkey shot down a Russian military jet over Syria.
Yet when it comes to cyberwarfare, NATO is practically inviting Russia to attack and get away with it, with the Alliance quite consistently demonstrating an unwillingness, even inability under its existing framework to collectively respond to Russia’s cyberaggression. As the aforementioned UK Russia report noted, “Russia is not overly concerned about individual reprisal” against its aggressive acts, including its cyberattacks, with even the U.S. demonstrably inspiring little hesitation.
Clearly, pretending cyberwarfare is not war and allowing cyberwarfare in real-world practice to be kept out of NATO’s Article 5—leaving individual members states flailing independently and ineffectively against an organized, determined, and capable de facto enemy content to stand down its conventional military against NATO while unleashing its cyberunits upon it with impunity—has failed.
At the end of New York Times cybersecurity reporter Nicole Perlroth’s recent book This Is How They Tell Me the World Ends—the indispensable, terrifying, definitive account of the development of cyberwarfare and the mess in which we currently find ourselves—the author warns that “many will say” that “these…critical assignments of our time” to deter and defend ourselves from cyberwarfare “are impossible, but we have summoned the best of our scientific community, government, industry, and everyday people to overcome existential challenges before. Why can’t we do it again?…We don’t have to wait until the Big One to get going.”
As a main advantage of the West over Russia is that people like the West a lot more than Russia—materializing in close economic, diplomatic, and military ties Russia can only dream of—the easiest way for the West to face and fight this dire and metastasizing cyberthreat from Russia is by leveraging its alliances, and, most of all, this means involving NATO and doing so in a big way.
As there is no statute of limitations on cyberattacks and the just-proposed framework not precluded by the current NATO treaty, NATO would even be in its full rights (and is overdue) to now invoke Article 5 against Russia for its cyberwarfare so that this cyberwarfare will result in far more pain for Russia than any damage it inflicts.
How to Revise Article 5 and the NATO Treaty Overall
With Russia’s rampant cyberwarfare only intensifying and its obvious pattern as a hostile bad-faith actor, it is absolutely necessary for a paradigm shift in the international system for deterring cyberattacks. Because NATO is the premier Western defensive alliance, crystalizing cyberwarfare’s relationship to Article 5 is a must, the only way for NATO to maintain credible collective defense in the twenty-first century.
To this end, “or cyberattack” must be added after every occurrence of the words “armed attack” in Article 5 (e.g., “The Parties agree that an armed attack or cyberattack against one or more of them…”).
In a longform, earlier version of this proposal, I have proposed a new detailed Article 15 that defines cyberwarfare in the Article 5 context and who/what would be covered. Any attacks that cause damage and harm would be included, as would digital information warfare/disinformation campaigns. Yet fairly standard espionage operations will not be included (say, China’s hacking) unless either the scale is so exceptional (as was the case with Russia’s unprecedented SolarWinds hack) or if what is hacked is weaponized or threats to weaponize that information are made.
By “weaponized,” I mean any action that tries to coerce, influence, or target publicly. Targets that would trigger Article 5 include all NATO citizens, residents, or entities—public sector or private—or anyone operating on NATO member state territory, as NATO cannot tolerate its territory being used for any such attack. Any attacks targeting family, friends, or connections of these folks for the same purposes would also be covered. This would apply to all state or state-sponsored cyberattacks, while terrorist or non-state actors would also be covered under certain actions but other activities would default to being handled by normal counterterrorism and/or law enforcement agencies.
Conclusion
Expanding Article 5 is necessary and overdue. The early twenty-first century’s second decade has been something of a Wild West, with Russia using the lawlessness of the cyber domain to its devastating effect. The time for lawlessness is over, and revising NATO’s Article 5 as suggested herein will not only clarify the rules for NATO enemies and rivals, but also for the members of a NATO Alliance itself that is in desperate need of clarity and strength on this issue. It will also make NATO once again an alliance that instills fear in the minds of Russian leaders (as it did with Stalin and subsequent Soviet leadership) who would engage in reckless acts of aggression against NATO or its states, even if “just” through cyberwarfare.
No comments:
Post a Comment