US cyber ambassador: NATO must extend ‘deterrence into the digital world’
SAN FRANCISCO — The U.S. State Department’s top cybersecurity official said Thursday that countries are taking advantage of the differing views among NATO members on whether cyberattacks could trigger a collective military response.
Since the onset of Russia’s invasion of Ukraine last year, debate has raged about whether a damaging cyberattack could trigger Article 5 – the foundational principle of NATO that an attack on any member would necessitate a military response from all.
Article 5 has only been triggered once – after the 9/11 terrorist attacks – but has been a topic of interest for several European countries facing a barrage of crippling cyberattacks since the start of Russia’s invasion of Ukraine in February 2022.
At the RSA Conference this week, U.S. Ambassador at Large for Cyberspace & Digital Policy Nathaniel Fick said that NATO’s adversaries “seek to do things to us using digital means that they would never do to us using kinetic means because of the clarity of the response policies.”
Nathalie Jaarsma, the Netherlands’ ambassador-at-large for security policy and cyber, said during the same panel that, in general, cyberattacks do fall below the threshold for triggering Article 5. But she mentioned that some countries have pushed for “an accumulation” of cyberattacks to be factored into Article 5 considerations.
“It’s really a case-by-case situation and about the impact. [We need] to have internal discussions about what we do see as the thresholds for our potential range,” she said.
Fick said it would be to NATO’s “collective advantage to clarify and enforce how” they respond to cyber incidents.
He echoed Jaarsma’s comments in acknowledging that most cyberattacks fall far below the threshold for military response. But he wondered whether there is a “middle” between the nuisance attacks and serious incidents involving critical infrastructure or loss of life.
Fick referenced the ransomware attack allegedly launched by Iran against Albania as a situation that might live in that “middle.” Albania’s status as a NATO member prompted the U.S. to offer significant financial and technical help, but Fick questioned whether tougher deterrence efforts were needed.
“I think the implicit assumption is that we need to extend the full power of deterrence into the digital world, using not only cyber means but every ounce of economic, informational and diplomatic means necessary,” he said.
Mandiant CEO Kevin Mandia noted that despite the fears referenced by NATO members, it appeared that Russia understands the level of cyberattack that would trigger Article 5.
While Ukraine has faced several damaging cyberattacks, many experts believe Russia has largely held back from causing the kind of digital destruction that was expected.
“I think there is some evidence out of Russia in 2022 that maybe they were also trying to figure out what is the skirmish level below the threshold of Article 5 in cyber because we didn’t see the new and novel innovation that they probably do have in Ukraine,” he said.
“It stretches credulity to think they're not sitting on at least one to five zero days right now. They’re not using it so maybe they are saying ‘we’re not sure about the collateral damage if we do these things.’”
Fick noted that after Russia’s devastating attack on satellite provider Viasat, several European countries “on the eastern flank” wanted a “more assertive response.”
But he said the U.S. was “not in a hurry to invoke Article 5” and in the end, the “bedrock” of NATO is “that the alliance speaks with one voice.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.