World leaders at the NATO summit in Brussels on Monday agreed to a new cyber defense policy, the first in seven years, which affirms the alliance’s position that certain adversarial cyber activity may be considered “an armed attack” that would trigger the Article 5 collective defense clause.

“We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. Allies recognize that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack,” NATO leaders wrote in a joint statement. “If necessary, we will impose costs on those who harm us. Our response need not be restricted to the cyber domain.”

World leaders gather at the NATO Summit in Brussels on June 14, 2021. Photo: White House.

The new cyber policy arrives ahead of President Joe Biden’s meeting with Russian President Vladimir Putin, where he’s expected to press Putin on Moscow’s alleged malign cyber and ransomware activity, and following the G-7 summit in Cornwall, England, where the group committed to “address the escalating shared threat from criminal ransomware networks.”

Jake Sullivan, Biden’s national security adviser, told reporters en route to Brussels that the new cyber defense strategy will not be released to the public, adding that it will detail how to bolster the alliance’s cyber defense cooperation and the parameters for meeting Article 5 response requirements.

“[On] Article 5: This would be on a case-by-case basis. And the notion is that if someone gets hit by a massive cyber-attack, and they need technical or intelligence support from another Ally to be able to deal with it, they could invoke Article 5 to be able to get that,” Sullivan said. “The way that I’ve consistently characterized our response when it — when it came to SolarWinds and to other cyber-attacks of that scope and scale is that we are prepared to take responsive actions that are seen and unseen, and I’ll leave it at that.”

The joint statement from NATO leaders added the alliance will continue a dialogue on how to conduct potential collective responses to cyber attacks, and that the group is “determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats.”

“Cyber threats to the security of the Alliance are complex, destructive, coercive, and becoming ever more frequent. This has been recently illustrated by ransomware incidents and other malicious cyber activity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm. To face this evolving challenge, we have today endorsed NATO’s Comprehensive Cyber Defense Policy, which will support NATO’s three core tasks and overall deterrence and defense posture, and further enhance our resilience,” NATO leaders wrote. 

Jens Stoltenberg, the NATO secretary general, has previously floated the idea of Article 5 being used in a cyber response as threats have grown globally.

“For NATO, a serious cyber-attack could trigger Article 5 of our founding treaty. This is our collective defense commitment where an attack against one ally is treated as an attack against all. We have designated cyberspace a domain in which NATO will operate and defend itself as effectively as it does in the air, on land, and at sea. This means we will deter and defend against any aggression towards allies, whether it takes place in the physical world or the virtual one,” Stoltenberg said in a 2019 statement.