NATO chief Jens Stoltenberg states that a cyber attack could trigger Article 5 of the NATO pact, which confirms that an attack on a NATO country will be considered an attack on the entire alliance. NUPI researcher Niels Nagelhus Schia explains what it takes for a cyber attack to approach this threshold.
Stoltenberg’s statement came on one press conference after he was asked about a Russian cyber attack on Ukraine that has consequences for surrounding NATO countries such as Poland or Romania could trigger Article 5.
“We have determined that cyber attacks can also trigger Article 5, but we have never put ourselves in a position where we have given a potential counterparty the privilege of defining exactly when we trigger Article 5,” he said.
The NATO chief stressed that the alliance is concerned with curbing conflicts in order to prevent accidents and mishaps from spinning out of control and creating “a very dangerous situation”.
–
Article 5
Senior researcher Niels Nagelhus Schia tells Dagbladet that it is not new that NATO says that a cyber attack can also trigger Article 5, but that this is a political decision that must be made in each individual case. Schia also says that it is difficult to imagine what it takes for a cyber attack to have that type of consequence.
– There will be attacks on critical infrastructure, preferably government, that may approach the threshold, says Schia, who also heads NUPI’s research center for digital technology and cyber security.
– For example, against the health service or if, for example, the attack on the Ukrainian power grid in 2015, where more than 200,000 electricity customers lost power for more than three hours on Christmas Eve, had been carried out against a NATO country, it could have been interesting. Especially if other infrastructure was affected at the same time.
Schia adds that if a cyber attack were to trigger Article 5, it is natural to imagine that NATO will retaliate against the attack with the same coin. In this way, Schia does not envisage that NATO will strike back with full force against a minor cyber attack.
–
Cyberattacks
So far in the Ukraine war, we have seen DDOS attacks on government websites, Schia explains.
– Such attacks are very easy to control for the attacker, who can ensure that they do not spread. If you use malware, on the other hand, there is a greater risk that it can spread uncontrolled, says Schia and continues:
– The Struxnet attack is the first known case and one of the few times that a cyber attack has caused physical damage. The attack took place in Iran, where a virus was planted to destroy the country’s nuclear weapons production. The virus caused the centrifuges to spin much faster than they were built for, which caused them to explode.
–
Estonia cyberattack
Schia also says that the only time a cyber attack has come close to triggering Article 5 of the NATO pact was in Estonia in 2007.
At that time, the Estonian authorities, banks and important institutions were put out by a DDOS attack, and Russia was pointed out to be behind it. It took several weeks before they managed to get the website up again, says Schia and continues:
– Estonia tried to invoke Article 5, but this happened before there had been a discussion about whether a cyber attack could trigger Article 5 in NATO. However, Estonia acquired the NATO Cyber Security Center as a result.