NATO recently announced that it will regard cyber as a domain of conflict, joining land, sea, and air as other domains in which conflict may occur. At a press conference on June 14, 2016, NATO Secretary General Jens Stoltenberg said that NATO “will recognize cyberspace as an operational domain, just like air, sea and land. Cyber defence is part of collective defence. Most crises and conflicts today have a cyber dimension, so treating cyber as an operational domain would enable us to better protect our missions and operations.”
A number of recent news articles (Wall Street Journal; Stars and Stripes; and Breaking Defense) have called attention to the fact that such a designation will enable NATO members to invoke Article 5, which states that an armed attack on one NATO member will be regarded as an armed attack on all member nations, against which such nations could invoke their inherent rights to self-defense.
Indeed, the designation of cyber as a domain of conflict is significant, and the ability to invoke Article 5 in response to a cyberattack (not all cyberattacks, just some of them. On this particular point, Stolenberg said that “a cyber attack can trigger Article 5, meaning that a cyber attack can trigger collective defence, because we regard cyber attacks as something that can cause a lot of damage and can be very dangerous. . . . but the same time I think it's also important to understand that cyber is not something that always triggers Article 5.”
But one additional important aspect of designating cyber as a domain of conflict—for the most part, not mentioned in the news articles above—is that it opens the door for NATO to consider the role that offensive cyber operations might play in collective defense. In response to a direct question on this point from a Der Spiegel report who asked “does NATO need to develop also offensive cyber capabilities to possibly attack other, well, any attackers who try to do any harm to NATO countries?”, the official transcript shows that Stolenberg was silent on this matter.
Soltenberg’s silence on this matter is not entirely surprising. NATO is a defensive alliance, and NATO spokespersons are understandably reluctant to talk about anything with offensive connotations. But defensive alliances have offensive weapons, if nothing else to help restore the status quo in the aftermath of an enemy attack. It’s no secret that NATO member nations operate warplanes that have deep interdiction capabilities for destroying targets far removed from their home bases, ships carrying long-range missiles, and tanks that could be used for establishing control over tracts of land. Despite Soltenberg’s silence, why would we expect the cyber domain of conflict to be any different?
To date, the United States and the Netherlands are the most forthcoming about the role that offensive cyber operations could play in military operations and strategy (strange to be writing these words about U.S. openness, but compare to other NATO nations, it’s very true). Whether the NATO announcement about cyber as another domain of conflict prompts greater openness regarding offensive cyber operations from other nations remains to be seen, but there is no question that the NATO announcement provides a degree of legitimacy for such operations as a part of alliance strategy that has been absent in the past.