NATO has warned that cyberattacks such as WannaCry and NotPetya could, if attributed to a state, trigger Article 5 of the treaty and prompt a military response from member countries. The alliance indicated there are signs these incidents may have been state-sponsored, raising the prospect of treating them as violations of sovereignty.
Article 5 is NATO’s core collective defense clause: an attack on one member is considered an attack on all, and if invoked it obliges members to provide a collective response. In NATO’s history it has been invoked only once—by the United States after the 11 September 2001 terrorist attacks on the World Trade Center and the Pentagon.
“As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures,“ said Tomáš Minárik, researcher at the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) Law Branch. “A countermeasure is a state response that would otherwise be unlawful but for the fact that the state is responding to an internationally wrongful act attributable to another state.”
WannaCry disrupted the UK’s National Health Service, taking critical systems offline, increasing waiting times and forcing the cancellation of some urgent procedures. While there is no public evidence directly linking those disruptions to fatalities, the attack clearly harmed patients by delaying care and placing extra strain on medical staff.
Following recent attacks, UK Defence Secretary Sir Michael Fallon suggested Britain might respond to serious cyberattacks with military measures, including airstrikes. That implies the UK could seek NATO support under Article 5 and call on other member states to participate in a collective response.
After Article 5 was invoked in 2001, NATO allies joined the United States in military operations in Afghanistan and later Iraq; some NATO personnel remained deployed for many years. The treaty’s language is explicit regarding conventional armed attacks, but it was drafted before the emergence of large-scale cyber operations, leaving ambiguity about when cyber incidents rise to the level of an armed attack or a trigger for collective self-defense.
Experts draw a distinction between cyberwarfare and cyberespionage. Cyberespionage aims to obtain information and typically does not directly endanger lives, whereas cyberwarfare can cause physical disruption, economic damage, and even loss of life. Because of the potential threat to life and critical infrastructure, the attack that hit the NHS could, if proven to be intentional and state-directed, be treated as an act of cyberwarfare. WannaCry exploited a vulnerability disclosed in tools linked to the US National Security Agency and has been tied by some investigators to activity intended to raise funds for the North Korean regime, although attribution is complex and politically sensitive.
NATO officials have expressed particular concern about NotPetya. “In the case of NotPetya, significant improvements have been made to create a new breed of ultimate threat,” said Bernhards Blumbergs, researcher at the NATO CCD COE Technology Branch. “Among all new features, the malware has been more professionally developed in contrast with sloppy WannaCry, and instead of scanning the whole Internet it is more targeted and searches for new hosts to infect deeper on local computer networks once initial breach has occurred.”
WannaCry behaved like a broad, opportunistic ransomware strain that encrypted files indiscriminately and demanded payment to restore access. NotPetya, by contrast, was more surgically targeted at organisations and businesses worldwide. Ukraine was among the hardest hit, with thousands of systems disabled, including some systems at the Chernobyl nuclear site, demonstrating the potential for severe economic and societal disruption.
Security analysts at NATO have characterized NotPetya as largely symbolic of capability and intent. Lauri Lindström, researcher at the NATO CCD COE Strategy Branch, described the incident as a “declaration of power” and a demonstration of disruptive capability and readiness to use it, rather than a straightforward ransomware extortion campaign.
These developments underscore that cyberattacks can have real-world consequences and that states conducting or sponsoring such operations risk provoking non-cyber responses. As cyber capabilities grow in sophistication and destructive potential, NATO and its members face difficult political and legal questions about how to deter, attribute, and respond to hostile operations in cyberspace.
Do you think cyberattacks should justify invoking Article 5 of the NATO treaty? Share your view in the comments.