The Wales Summit Declaration released on September 5, 2014, by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales contains these provisions directly related to cyber security:
- [72.] As the Alliance looks to the future, cyber threats and attacks will continue to become more common, sophisticated, and potentially damaging. To face this evolving challenge, we have endorsed an Enhanced Cyber Defence Policy, contributing to the fulfillment of the Alliance’s core tasks. The policy reaffirms the principles of the indivisibility of Allied security and of prevention, detection, resilience, recovery, and defence. It recalls that the fundamental cyber defence responsibility of NATO is to defend its own networks, and that assistance to Allies should be addressed in accordance with the spirit of solidarity, emphasizing the responsibility of Allies to develop the relevant capabilities for the protection of national networks. Our policy also recognises that international law, including international humanitarian law and the UN Charter, applies in cyberspace. Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack. We affirm therefore that cyber defence is part of NATO’s core task of collective defence. A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. (emphasis added)
- [73] We are committed to developing further our national cyber defence capabilities, and we will enhance the cyber security of national networks upon which NATO depends for its core tasks, in order to help make the Alliance resilient and fully protected. Close bilateral and multinational cooperation plays a key role in enhancing the cyber defence capabilities of the Alliance. We will continue to integrate cyber defence into NATO operations and operational and contingency planning, and enhance information sharing and situational awareness among Allies. Strong partnerships play a key role in addressing cyber threats and risks. We will therefore continue to engage actively on cyber issues with relevant partner nations on a case-by-case basis and with other international organisations, including the EU, as agreed, and will intensify our cooperation with industry through a NATO Industry Cyber Partnership. Technological innovations and expertise from the private sector are crucial to enable NATO and Allies to achieve the Enhanced Cyber Defence Policy’s objectives. We will improve the level of NATO’s cyber defence education, training, and exercise activities. We will develop the NATO cyber range capability, building, as a first step, on the Estonian cyber range capability, while taking into consideration the capabilities and requirements of the NATO CIS School and other NATO training and education bodies.
The statement that “[a] decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis,” implies that a cyber attack could be a “use of force” or an “armed attack” as those key legal terms are used in the United Nations Charter. While the terms “armed attack”, “use of force” and “cyber attack” remain undefined — and, crucially, when a cyber attack constitutes an armed attack or a use of force remains unclear — the language suggests that cyber attacks which “threaten national and Euro-Atlantic prosperity, security, and stability” and cyber attacks whose “impact is as harmful to societies as conventional attack” would qualify as armed attacks or uses of force under international law. Note that those definitions would leave open the possibility of cyber attacks which do not result in death or serious bodily injury nevertheless qualifying as uses of force or armed attacks, a point this author has argued for years. I believe that actions in cyberspace might threaten national security to an extent that a military response is justified or even necessary, even if neither the cyber attack nor it reasonably immediate consequential damages result in death or serious bodily injury.
2 Pingbacks