Cyberattacks as “Armed Attacks” on the Objects of Critical Infrastructure in Light Article 5 of Nato Treaty
Abstract
In recent years, cyber security has become one of the most actively discussed topics of
international law, not only because domestic and inter-State cyber security incidents have
grown in number and severity, but also because of the realisation that the technical
peculiarities of cyberspace create new and unique legal problems that previously have not
been encountered.1
In the Wales Summit Declaration on 5 September 2014, NATO recognized that
international law, including international humanitarian law and the United Nations Charter
(UN Charter), applies in cyberspace. A decision as to when a cyberattack would lead to the
invocation of Article 5 would be taken by the North Atlantic Council (NAC) on a case-by-case
basis.2
Collective self-defense expressed in Article 5 of NATO Treaty is a well-known
fundamental principle of NATO: “…an armed attack against one or more of them in Europe or
North America shall be considered an attack against them all (…)”.3
Although Article 5 of the NATO Treaty has no concept of the objects of armed attacks,
cyberattacks as “Armed Attacks” can be carried out on Critical Infrastrucutre (CI), and on
Critical Information Infrastructure (CII). Such objects can function for both military and
civilian purposes. CI for civil purposes can be both in state and private ownership. The types
of activities of such objects are important for the exercise of state functions.
Purpose - The present article aims at analyzing concept, types, functions of critical
infrastructure and cases of cyberattacks on such objects and to determine the relationship
with definition of Armed Attack in light Article 5 of the NATO Treaty.
Design/methodology/approach – the author of the article is comparing legal definitions of
CI in-laws of member states of NATO that connects to cyberattacks and come across with
differences and common points. The case of Estonia (cyberattack on government networks),
Ukraine (cyberattack on CEI) and Stuxnet (cyberattacks against CI) are shortly reviewed.
Finding - when it comes to cyberattacks, in most cases, it is conducted on a CII, which is
directly connected and is the source of automatic control of critical infrastructure. To date, the
most successful such definition is in the strategy for cybersecurity of Lithuania as a NATO
member, and a partner of NATO, Finland. Case in Ukraine showed that CI works in
disconnected access to the Internet network. However, working personnel periodically violated the rules of automated control and connected the Supervisory Control and Data Acquisition
(SCADA)1 to the Internet.
Research limitations/implications – the author uses NATO Treaty, legislation of the
member countries of NATO to compare it and three cases of cyberattacks on CI.
Practical implications – the article could be considered by NATO’ headquarters (NATO
HQ), North Atlantic Council (NAC), Allied Command Transformation (ACT), NATO
Communications and Information Agency (NCI Agency), NATO accredited Centres of
Excellence, in particularly NATO Cooperative Cyber Defence Centre of Excellence (NATO
CCD COE), military legal advisers to the command of NATO allies and partner countries.
Originality/Value – the problem of application of Article 5 of NATO Treaty to
cyberattacks is quite new for NATO and partner countries as well. That also causes a novelty
of that article – finding that cyberattacks on CI could be invoked right on the collective selfdefense
for NATO.
Collections
- Straipsniai / Articles [5370]