By Elizabeth Dominic
To keep pace with the rapidly developing landscape of military technologies, the North Atlantic Treaty Organization (NATO) is reportedly changing its approach to cyber warfare. NATO, a primarily defensive alliance so far, is considering the adoption of offensive cyber warfare strategies to confront hacking attacks from its opponents. Member states including United States, Germany, Spain, Britain, Netherlands, and Norway are already actively developing offensive cyber warfare strategies and are hoping to solidify their agreement by 2019. The agreement would enable the alliance to combat cyber attacks that undermine governments and steal their intelligence information and military technologies. This post will briefly examine the prospect of NATO adopting the proposed offensive cyber warfare strategy within the current framework of international law.
NATO’s Current Cyber Strategy
At present, NATO has a strong cyber defense policy in place. It aims to protect its own networks, and provides assistance to its members to develop their own cyber defense capabilities. Following the denial of service (DoS) attacks against Estonia, NATO adopted a new cyber defense policy at the 2008 Bucharest Summit, which then led to the establishment of the Cyber Defense Management Authority. It was subsequently replaced with Cyber Defence Management Board, which is the nodal agency responsible for “technical, political, and information sharing between allies” and for directing and coordinating between existing cyber defence entities.
In the following years, NATO made substantive progress towards integrating cyber defense into its exercises. At the 2014 Wales summit, cyber defense was established as an integral component of NATO’s core mission of collective defense, triggering the application of collective defense under Article 5 of the NATO Treaty. Under Article 5, all member states are required to come together to aid a member state if it is subjected to an armed attack. With the adoption of the cyber defence policy, an armed attack was defined to also include a cyber attack. However the threshold that is to be satisfied by the cyber attack to trigger collective defense was not disclosed so that it would remain as a deterrent for potential attackers. This was followed by an official recognition of cyber as a domain of warfare in 2016.
Should NATO Adopt An Offensive Cyber Warfare Strategy?
The cyber threat landscape is rapidly undergoing dramatic changes; it is becoming increasingly sophisticated and diverse. A war in cyber space is not a distant possibility. In response to these current developments, it might be appropriate for NATO to adopt a more proactive approach to counter the threats posed by the proliferation of cyber weapons by its adversaries and to ensure global security. An offensive cyber warfare strategy, as considered by NATO could be a solution. Embedding offensive cyber operations into NATO’s military operations may serve as a deterrent for potential attackers.
However the use of offensive cyber strategies should be governed by the principles of international law. Even though the UN Charter prohibits the use of force, Article 51 of the Charter recognizes the inherent right of states to act in self-defence. Therefore an offensive cyber strategy should be employed only if it amounts to an act of self-defence. In the cyber context, as per the unanimous opinion of the Group of Experts that prepared the Tallinn Manual, only cyber attacks with kinetic consequences are tantamount to an armed attack, legitimizing the use of force in self-defence. There are limited circumstances in which an act of offensive warfare can be considered an act of self-defence, which is legitimate in international law.
International Law and Offence as Defence
Currently, there are two possible types of self-defence- anticipatory and pre-emptive- that could be claimed by a state if it exercises use of force against another prior to getting attacked. However there is an ongoing debate on their legitimacy under international law. Over the course of time, anticipatory self-defence has gained international consensus with the support of significant state practice and is considered legitimate if an imminent threat of attack clearly exists and the response is proportional to the threat. However pre-emptive self-defence involves preventive action by a state against a non-imminent threat, and is more controversial.
Even though the ICJ has in the past ruled a claim of pre-emptive self-defence invalid in Democratic Republic of the Congo v. Uganda stating that it is not in consonance with the language of the UN Charter, the claim is being increasingly reaffirmed by many countries including Australia, UK, China and the US. But if imminence is not a pre-requisite, where do we draw the line between legitimate and illegitimate pre-emptive self-defence attacks? The international community is yet to establish a criteria for determination of the same.
In light of the profound political consequences attached to an offensive attack, it is ideal for NATO to resort to offensive strategies only if either a member state is subjected to cyber attack or if there is an imminent threat. It is also imperative that the response remains proportional. However in case of cyber attacks, key questions remain in relation to the determination of proportionality and imminence. This confusion is exacerbated by the uncertain nature of law in this field, with a lack of consensus on even basic questions such as what amounts to a cyber attack.
As cyber attacks are increasingly integrated into the conventional military technologies of states and non-state actors, NATO is facing an array of complex threats. An offensive strategy has both its advantages and disadvantages. However, considering the complexities surrounding the determination of what amounts to cyber attacks and what is legitimate self-defence, now might not be the ideal time for NATO to adopt an offensive cyber warfare strategy.
 Robin Emmott, Reuters, NATO mulls ‘offensive defense’ with cyber warfare (Nov.30, 2017), available at http://mobile.reuters.com/article/amp/idUSKBN1DU1G4.
 Neil Robinson, NATO: changing gear on cyber defense, NATO Review, available at https://www.nato.int/docu/review/2016/Also-in-2016/cyber-defense-nato-security-role/EN/index.htm.
 Vincent Joubart, Five years after Estonia’s cyber attacks: Lessons learned for NATO?, NATO (2012); Szentgali Gergely, The NATO Policy on Cyber Defense, AARMS 1, 4 (2012)
 Warwick Ashford, ComputerWeekly.com, NATO to adopt new cyber defense policy (Sept.03, 2014), available at http://www.computerweekly.com/news/2240228071/Nato-to-adopt-new-cyber-defence-policy.
 James A. Lewis, The Role of Offensive Cyber Operations in NATO’S Collective Defense, Tallinn Paper No.8 (2015).
 Anthony Clark Arend, International Law and the Preemptive Use of Military Force, The Washington Quarterly (2003).
 Commonly referred to as the Caroline Test, formulation of Customary International Law upheld by the Nuremberg Tribunal; Patrick Kelly, Preemptive Self-Defence, Customary International Law and the Congolese Wars (Sept.3, 2016).
 Patrick Kelly, Preemptive Self-Defence, Customary International Law and the Congolese Wars (Sept.3, 2016).
Elizabeth Dominic is a Programme Officer at the Centre for Communication Governance at National Law University Delhi