What kind of cyberattack would trigger a response from NATO?

That question, on so-called Article 5 intrusions, has intrigued cybersecurity experts since the organization declared cyberspace a domain of warfare in 2016. But a more immediate question may be how NATO and its member nations confront the daily cyber events that never rise to the threshold of armed attacks.

“I actually don’t think that the biggest problem is when Article 5 is triggered or not … It is all the activity that is taking place the threshold of armed attack yet is still strategically meaningful,” Max Smeets, senior researcher at ETH Zurich Center for Security Studies, said Dec. 3 at the NATO Engages think tank event in London. “That is something that NATO is grappling with today and how to respond to that.”

These attacks have been a concern within the United States as well, which has led to new approaches that involve daily engagement in cyberspace as a way to confront or delay these events.

But aggressor nations are using cyberspace to achieve their strategic goals, and they are doing so while disguising their identity or where the attacks are coming from. Such activity makes it more difficult for the NATO alliance to respond.

It is “very difficult for the alliance, NATO, because the means used are not the standard forms of military aggression,” Teija Tiilikainen, director of the European Centre of Excellence for Countering Hybrid Threats, said at the event. “We know that it is attacks against critical infrastructure, it is attacks against the information environment, it is forms of aggression that don’t fall into the fields of NATO’s competencies. This is a difficulty for NATO because when we compare the forms of aggression with any other types of traditional aggression, it is a question of essential threats, in this case, but it is much more difficult for the alliance to find the proper responses from the instruments at its disposal.”

Each state can determine how it views the application of international law in these emerging spaces, said Klara Jordan, executive director of the European Union and Africa at the Global Cyber Alliance.

“States have a huge responsibility to talk about their understanding of international law … That’s how you create the understanding of what it would be that would facilitate answering those questions,” she said.

As an example, Jordan mentioned the position taken by the UK attorney general, who acknowledged in May 2018 that a cyber operation, no matter how hostile, never violates sovereignty. On the other hand, the French outlined a stance in September 2019 that remote cyber operations that cause effects are, indeed, a violation of sovereignty.

The United States has yet to officially state an opinion on this subject.