The potential consequences of cyberattacks under NATO’s Article 5: applying self-defence in cyberspace
The increasing frequency and sophistication of cyberattacks have transformed international conflicts and challenged the international legal framework regarding self-defence. Today, NATO members face security threats capable of causing widespread disruption without the use of physical force. These threats test the aptness of NATO's Article 5, which would be the legal basis for the invocation of the mutual defence clause in cyberspace. The Wales Summit Declaration and Brussels Summit Declaration recognised that cyberattacks may reach the threshold of an armed attack, potentially triggering Article 5. However, invoking Article 5 for a cyberattack raises further legal questions, particularly in relation to the attribution of responsibility and the applicability of the right to self-defence. The involvement of non-state actors and the inability to clearly prove state involvement in a cyberattack challenges the conventional way of executing retaliatory actions. International law, in its current form, fails to instruct states on how to apply self-defence in cyberspace. Hence, as NATO governments appear increasingly reliant on cyberspace for both military capabilities and public services, they should actively consider the uncertainty that would derive from a unilateral invocation of Article 5 in the case of a cyberattack.