By James Pearson and Jonathan Landay
LONDON/WASHINGTON (Reuters) -A cyberattack on a NATO member state could trigger Article 5, its collective defence clause, a NATO official said on Monday, amid concerns that chaos in cyberspace around Russia’s invasion of Ukraine could spill over into other territories.
The military alliance has for years made clear that a serious cyberattack could trigger the clause, but such a scenario has so far been largely hypothetical.
“Allies also recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as an armed attack,” the official told Reuters.
“We will not speculate on how serious a cyberattack would have to be in order to trigger a collective response. Any response could include diplomatic and economic sanctions, cyber measures, or even conventional forces, depending on the nature of the attack,” the official said.
Whether or not a cyberattack met the threshold of an attack large enough to trigger Article 5 was a “political decision for NATO Allies to make,” they added.
Britain and the United States have warned of potential cyberattacks on Ukraine which could have international consequences should, for example, malicious software designed to target networks in Ukraine start to spread elsewhere.
There has also been concern among cybersecurity experts that Russia could team up with some of the gangs and people who release malicious software, such as malware used to hold Colonial Pipeline to ransom in the United States last year.
U.S. Senate Intelligence Committee Chairman Mark Warner said there were no clear guidelines on how NATO (North Atlantic Treaty Organization) should respond, should such an attack take place.
“These are things that have been in hypothetical discussion for a decade, but because we’ve not come to any universal conclusion on what those standards should be, what level of attribution is needed, we’re kind of in a very grey area,” he told Reuters.
He posed the hypothetical case of a Russian cyberattack on Ukraine that impacts NATO member Poland, triggering power outages that result in hospital patients dying or knocking out traffic lights, causing fatal road accidents involving U.S. troops deployed there.
“The West may have wanted strategic ambiguity in this area, and that may still be the right choice,” he added.
“But have we sufficiently made clear to the Russians the red lines on cyber or frankly to the NATO public, the American public, on red lines on cyber? I don’t think we’ve done that.”
Warner said he was “pleasantly surprised” a massive Russian cyberattack had not occurred. But he added that such an attack “becomes even more dangerous with Putin elevating the readiness of his nuclear weapons.”
(Reporting by James Pearson in London and Jonathan Landay in Washington; editing by Grant McCool)