© Photo by NATO North Atlantic Treaty Organization via Flickr
“NATO WILL DEFEND ITSELF” is the bold title of Jens Stoltenberg’s 2019 article in Prospect Magazine on emerging cyber-threats against the North Atlantic Treaty Organisation (NATO) and its Allies. An unambiguous tagline follows: “[t]he alliance will guard its cyber domain – and invoke collective defence if required.”
This is not the first time NATO has offered such a claim. Buried in Art. 72 of the 2014 Wales Summit Declaration, Allies recognized that a cyber-attack could trigger Article 5 – the call for collective defence. In 2016, as a massive advancement in international security, NATO declared cyber-space as an operational domain (alongside land, air, and sea) in the Warsaw Summit Communique. This not only reaffirmed NATO’s stance on cyber-attacks but established a foundation for Article 5 to be triggered in such an event. In the Brussels Summit Communique of 2021, the narrative began to change. While Allies reaffirmed earlier promises, NATO developed the Comprehensive Cyber Defence Policy (a document still not fully released to the general public) and emphasised the ways in which NATO could combat increasing cyber-threats without triggering Article 5. These alternative methods included building up Allies’ cyber-infrastructure, cyber-security, and cyber-defence capacities, developing NATO’s Cyber Rapid Reaction Teams – who are available to respond virtually to cyber-attacks both for Allies and like-minded States, and a Cyberspace Operations Centre.
Despite efforts promoting alternative methods, NATO cannot take back what was said. The Alliance has constantly demanded to know what a triggering cyber-attack would consist of but since the conflict in Ukraine, this demand has only grown further. In Microsoft’s recent intelligence report, “Defending Ukraine: Early Lessons from the Cyber War”, the company noted that cyber-attacks against NATO Allies have increased. While the attacks have been calculated in their severity so-far, the threat-level is slowly increasing. Clear from the Madrid Summit Declaration a few weeks ago, NATO’s efforts are spread thin between keeping severe cyber-attacks away from NATO domain and preparing Allies for the worst.
As NATO Allies respond to Kyiv’s request for NATO support on the cyber-front, they are confronted by the underlying question: when will it be them?
NATO says a ‘significant’ cyber-attack will trigger Article 5, but the reality is more complicated. Triggering Article 5 will require the exact combination of What, Who, and Why.
1. What are the characteristics of a ‘significant’ attack?
In contrast to his clear-cut headline in Prospect, Stoltenberg offered a very different perspective in his 2014 article for the Atlantic Council. When asked about the type of cyber-attack the Wales Summit Declaration declared would trigger Article 5, the then new, NATO Secretary General argued that the nature of such an attack must remain, “…purposefully vague.”
The Alliance has maintained this vagueness over the past nine years. Communiques and Declarations since have mandated that cyber-incidents are addressed on a case-by-case basis (rather than a shared protocol), little acknowledgement is given to the cyber-attacks launched against Allies – or even on NATO itself – and any institutional work on cyber-defence or offence is kept confidential. The consistent NATO position on the subject, however, is that “…. cyber-attacks similar to the ones Estonia experienced in 2007,” could qualify today as triggering attacks.
So, in the few things NATO has said and in the many things it hasn’t, a possible picture of what ‘significance’ consists of, can be drawn.
A. Targets government infrastructure and/or emergency services
The first aspect of defining this ‘significance’ includes the specific and conscience targeting of government infrastructure and emergency services. This is not to say that attacks against civilian or private sector cyber-infrastructure won’t occur in tandem, but a distinction must be made between broad attacks and targeted attacks. Broad attacks are indiscriminate against users of the same operating system, networks, or programmes. Although broad attacks may affect government infrastructure and emergency services, they are not the specific and sole targets. Targeted attacks are launched against government infrastructure and/or emergency services because they are government infrastructure and/or emergency services.
Compare the 2007 Estonia Attacks against the 2017 WannaCry Virus; the 2007 Estonia Attacks and the 2017 WannaCry Virus infiltrated government, civilian, and private cyber-infrastructure in similar access/use prevention attacks that severely disrupted normal life of those effected. In Estonia, the attacks came during a period of major civil unrest and included anti-government messages coded into the malware. The WannaCry Virus, which forced the UK National Health Service (NHS) to a “standstill”, was a virus that targeted vulnerable Microsoft Windows software; which the NHS happened to use. Though the WannaCry Virus could be considered more life-threatening – operations had to be cancelled and emergency patients had to be relocated – the virus is rarely considered more significant (as an affront to national security) than the Estonia Attacks.
Though a broad attack may affect a larger population or more networks, it lacks the political messaging that make governments concerned about (inter)national security. While broad attacks may happen in tandem, targeted attacks are necessary to force governments to take action externally as opposed to internally.
B. Encompasses a variety of cyber-attacks launched against various targets
Variety would likely be a necessary element of a triggering cyber-attack, as a larger variety in attacks and targets, the more strained national resources become.
Consider the 2021 Colonial Pipeline Attack against the United States. Colonial Pipeline is considered one of the most severe cyber-attacks against the U.S., even leading President Biden to declare it a national emergency. Yet, despite being the first time in U.S. history a national emergency was declared because of a cyber-incident that hit a critical energy supply which is widely considered protected infrastructure, the cyber-attack was never referenced as a type of triggering attack.
Another comparison can be made against the NotPetya Power-Grid Attacks in Ukraine. Starting in 2015, these were severe attacks against Ukrainian power-grids, resulting in blackouts for several hours in the effected regions. While the first few NotPetya attacks proved successful in disrupting critical Ukrainian infrastructure, Ukraine’s Computer Emergency Response Teams have been able to block Sandworm in recent years.
Both of these attacks share a common target – the power supply – but it is in the aftermath of these attacks that their weaknesses are revealed. Though the attacks disrupted critical infrastructure, the attacks were so focused against one target that all available emergency response teams could respond in tandem, preventing major escalation. In the cases of NotPetya and the Colonial Pipeline, no massive collective security response was needed because the resources at hand were available. It is possible to conclude, then, that resource exhaustion would be necessary for an attack to trigger Article 5. As such, a wide variety of attack type and attack targets are more likely to exhaust national resources and weaken critical infrastructure.
C. Is a continuous, long-lasting attack
The key words in dealing with this aspect are continuous and long-lasting, the former meaning persistence and the latter meaning timespan.
Continuity is important for effect. With attacks such as NotPetya or the #OpIsrael Attacks (the annual Anonymous cyber-siege against the Israeli government) their consequences diminish over time because the National Cyber Emergency Response Teams (CERTs) are able to build up defences in-between attacks. After a certain amount of time, such cyber-attacks are ineffective because CERTs become faster at stopping or building precise defences. In a continuous attack, CERTs are less able to build up defence strategies at the same time as they are responding to current attacks. Continuity also signals a higher threat level, as attackers need enormous resources and skill to maintain a continuous attack.
Timespan is additionally important, mainly in terms of resource exhaustion and domestic unrest. In Estonia, the cyber-siege lasted 22 straight days. A longer timespan fatigues national CERTs and other resources, making Allies with less capacity more likely to seek NATO support through the collective defence mechanism. Timespan, moreover, is highly effective in creating national panic and unrest, which could force governments into taking a higher-level action.
This prevention of defence and order is a hard task to achieve but is highly effective in forcing Allies to look externally for aid. More, the severity of continuous and long-lasting attacks put pressure on NATO to intervene, in a way an attack that can be quickly resolved won’t.
D. Politically motivated rather than financially motivated
This is not to say that Ransomware is not a significant cyber-attack. In fact, some of the most severe cyber-incidents in history are due to Ransomware attacks. But in looking at the common procedure in responding to Ransomware, it is unlikely that a financially motivated cyber-attack alone would ever evoke collective defence.
In the case of the Colonial Pipeline, and many other serious Ransomware attacks, the companies targeted prefer to pay the ransom and restore operations, and later use CERTs to recover the ransom and build up cyber-security defences. Colonial Pipeline was successful in their methods, retrieving most of the ransom back a month after the initial attack. In other cases, companies refused to pay the ransom and instead worked through other methods to recover or recreate blocked functions.
If Ransomware were used with stronger political motivations, the response could be different. The World Economic Forum predicts that ransomware attacks against the energy-sector, specifically the oil industry, will rise. With attacks such as the recent cyber-attacks against oil facilities in Germany, Belgium, and the Netherlands, a political message becomes clear. Though little information has been given on these attacks, they cannot be separated from the ongoing tensions with Russia over oil-supply and fears about the fragile European energy-sector.
Similar to the importance of a targeted, politically motivated attack to drive government into action, it is known that financially-motivated attacks are handled through a different and more discreet process.
E. Causes civilian harm and/or death
The most notable aspect of Estonia, which sets them apart from other significant cyber-incidents, is that a civilian was killed and 156 people were injured. The cyber-attacks alone were not the direct cause of the injuries and death, but it was the chaos, confusion, and lack of order that led to such fateful consequences.
NATO has not defined “significance” by the number of civilian injuries or casualties; nonetheless, this criterion is not too far of a leap. Article 5 has only been triggered once in NATO history – following the 9/11 terrorist attack which killed nearly 3 000 people and injured hundreds more. To trigger Article 5 again, an attack (whether physical or cyber) of enormous proportions would be required. With this in mind, a “significant” cyber-attack could comprise of malware such as Stuxnet or Triton (considered one of the “Sons of Stuxnet”) that causes user-prevention on targets that need consistent human supervision to prevent major threat to civilian life, such as nuclear or chemical facilities, power-plants, or major defence infrastructure. In a worst-case scenario, it should be noted that three NATO allies are nuclear States. A severe cyber-attack against an Ally’s nuclear arsenal could end in mass civilian death.
This is not to dismiss the panic and disorder of other notable cyber-attacks, nor presume a deadly cyber-attack is necessary to develop proper security measures. However, both government and public measure of ‘significance’ in cyber-attacks relate to real-world implications. The ability for a cyber-attack to lead to death, and specifically civilian death which would transgress the laws of conflict, is undeniably significant.
2. Who has committed the attack
Cyber-space is known for its asymmetrical and anonymous nature. Cyber-attacks are easily disguised, and attackers even more. Furthermore, cyber-attacks require little to no physical presence at the target of the attack and can be conducted across countries and continents. Hacker collectives, such as the perfectly named Anonymous, are often decentralised and spread throughout the world. It is this anonymity that makes the State response so difficult.
In addition, tracing sophisticated cyber-attacks, such as those against governments or critical infrastructure, takes considerable skill, time, and money. Even when culprits are caught, it can be difficult to determine who is who. However, understanding the “who” will be crucial to triggering Article 5.
As previously mentioned, to meet the possible criterion of a ‘significant’ cyber-attack as NATO refuses to define, attackers will be part of a well-organised, skilled, and financed hacker collective. These types of collectives themselves are rare in cyberspace, with three major exceptions: those that are part of a State organ, a private military company (PMC), or a supported patriotic hacker collective. However, as not all States are equal, neither are all adversaries. If assumed the adversary will be one of these three actors listed, NATO must determine through a cost analysis if the adversary is worth invoking Article 5 instead of relying on other methods of defence or international procedure.
A. State Organ
NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) identified in 2021 that 61 United Nations Member States had developed cyber-forces by 2018. While the strength and skill of these cyber-forces vary, there is renewed focus on capacity building. State cyber-forces are also provided with the necessary training and financing to launch a significant cyber-attack.
A cyber-attack launched by one State against another carries heavier political weight. If a State were to launch a significant cyber-attack against a NATO Ally, they risk the retaliation of all NATO members – including diplomatic and economic penalties. NATO Allies would also suffer the cost of retaliation so the cyber-attack would need to meet the threshold of ‘significant’ beyond a doubt. This works both ways, of course, which may cause some NATO Allies to be more cautious before agreeing to Article 5.
Additionally, if a significant cyber-attack did come from a State organ, NATO faces more pressure to trigger Article 5. Non-State Cyber-Actors (NSCAs) could be countered through more discreet measures, such as extradition or the cooperative efforts of a few States, rather than the full Alliance (for example, the multi-national CERTs established by NATO and the EU). However, a State organ gives a physical ‘face’ for the general public to rally against, possibly leading to domestic demand for international solidarity and public action.
In the case of a State organ carrying out an attack as the aggressor, NATO potentially faces a higher cost by not acting than by triggering Article 5.
B. Private Military Company
Cyber-mercenaries emerged as a concern in the 2010’s when international experts began researching the nexus between international law and cyber-operations for the CCDCOE-sponsored Tallinn Manual. The Tallinn Manual 1.0 was published in 2013 (version 2.0 in 2017) and is largely considered as the best collection of informal rules governing practices in cyber-space. The Manual identifies the reality of cyber-mercenaries under the assumption of State-supported proxies yet advocates a high-threshold of attribution. By 2020, the United Nations defined cyber-mercenaries as a mercenary class.
The number of private military companies (PMCs) that retain cyber-mercenaries is estimated in the hundreds, including well-known organisations such as Acedemi (formerly Blackwater) and the Wagner group. It is widely believed that many government-sponsored cyber-operations are outsourced to cyber-mercenaries, whether this is due to a heightened skill set or a method of offsetting accountability. It is a realistic scenario that a significant cyber-attack worthy of triggering Article 5 would be launched from a PMC.
If this is the case, NATO Allies could be hesitant to trigger Article 5 when weighing up costs and benefits. With PMCs such as Blackwater or the Wagner Group – both of which suffered international scandals after their mercenaries committed war crimes – when ‘wrongdoers’ are exposed, the companies can simply shift all blame on the individuals, disband those responsible, and
It could be argued that if the responsible cyber-mercenaries were under the ‘effective control’ of a State, then the chances of NATO triggering Article 5 would be higher. However, if effective control was proven, the controlling State would be responsible under international law, and there still exists the political and economic consequences of NATO using collective defence against a State and later resources to prove ‘effective control’ in justification of their actions. This outcome is unfavourable both to NATO Allies and the responsible State, especially when responsibility can be shifted onto a PMC. Further, NATO has not accepted the Tallinn Manual as a regulatory legal framework and, as such, is not bound by the Manual’s rules on cyber-mercenaries under effective control.
In the case of a PMC as the aggressor, NATO would face more cost in triggering Article 5 than in using other defence mechanisms and legal procedure.
C. Supported Patriotic Hacker Collective
The line has often blurred State action and action in the name of the State. While the Law of State Responsibility (which the Tallinn Manual uses as a foundation for rules governing the attribution of cyber-attacks) says that acts outside State control are not attributable to the State unless claimed as their own. This highlights the controversy over Russian cyber-attacks; many of the recorded ‘Russian cyber-attacks’ are launched by patriotic hacker collectives and attributed to the government by the media. As seen by the 2007 Estonia Attacks, patriotic hacker collectives can be extremely powerful. They are also more likely to meet the criteria of a potential adversary: motivated by a common political agenda, the collectives are more organised. Patriotic hacker collectives often have some form of State support as well.
It is unclear what State support can be strictly defined as, but could include some form of financial aid, sophisticated malware, physical infrastructure, or even ‘the suggestion of a’ target. The application of the Law of State Responsibility to cyber-space is still in development. There is some debate as to whether a State may be responsible (in the form of positive or negative action) for these types of support. The Tallinn Manual seems to suggest that cyber-infrastructure within State territory is subject to that State’s jurisdiction. In this argument, a State has the responsibility to prevent hacker collectives within their own jurisdiction. Interestingly, the Tallinn Manual also suggests that the use of State funds for malware alone does not meet the threshold of State responsibility because a State does not control how the resources are used, but a State may bear some responsibility again in the obligation in prevention. Some scholars go so far as to argue that providing a target for a Patriotic Hacker Collective may make a State responsible, which was the argument against the Russian Federation for the 2007 Estonia Attacks and even current cyber-attacks in Ukraine.
This lack of clarity on State responsibility and the actions of Patriotic Hacker Collectives requires a degree of caution from allies if triggering Article 5. NATO Allies are wary about setting international standards and practice, especially in a domain that is demanding precedent.
Moreover, the home State of a Patriotic Hacker Collective may decide to cooperate with Allies in finding the hackers responsible and with eventual prosecution efforts, but this depends on existing legal factors, such as a dependable diplomatic relationship or an extradition treaty. In contrast, the home State (if not found legally responsible) may not cooperate even if a diplomatic or legal relationship exists. This was the case with Russia after Estonia requested investigative assistance though the States’ Mutual Legal Assistance Treaty. If uncooperative, NATO faces strong resistance to invoking collective defence against a non-State actor.
In the case of Supported Patriotic Hacker Collectives, the costs are essentially equal for either choice. The determining factor will be if NATO Allies are ready to bear the burden of precedent-setting.
3. Why would Allies have consensus on the significance of an attack?
NATO makes decisions based on a consensus-based system which is considered, “…a fundamental principle which has been accepted as the sole basis for decision-making in NATO since the creation of the Alliance in 1949.” This means that all NATO Allies must agree that a cyber-attack is significant enough to trigger Article 5. Achieving this consensus may appear a daunting task, as any scholar of international affairs will know, getting multiple governments to agree (especially when it costs money and involves a political controversy) is a challenge indeed. While the NATO consensus system creates a proper ‘united force’, an article for the Atlantic Council suggests another reason, to encourage Allies to be flexible in forming their own coalitions. Therefore, the challenge is not consensus over the significance of a cyber-attack (assuming the previous two aspects have been met), rather in proving NATO action is better than ‘flexible’ coalitions between specifically like-minded Allies. A triggering cyber-attack will need to be met with a unified front of all NATO members in the way 9/11 did while also managing to face the high-level of scrutiny.
It is accepted that 9/11 is considered one of the most important events in the 21st century. It is also the first and only time Article 5 has been triggered in NATO history.  9/11 immediately became the worst terrorist attack in world history, and stemming from its urgency, Allies invoked collective defence within 24 hours of the attack. Apart from its severity, 9/11 had a large impact on the international system. It brought attention to the rising power of Non-State Actors, the growing asymmetry of conflict, and the ways domestic or regional instability can result in major terrorist cells with international impact. The emergence of cyber-conflict already represents a great shift in security and power politics and States have already begun to adapt. A significant cyber-attack must have unexpected elements then, just as 9/11, to create a forced divergence from the predicted path of global security.
The Libyan intervention regardless of its controversial outcome, generated Alliance consensus on the ‘responsibility to protect.’ The responsibility to protect is a concept that emerged in the 21st century, which argues that sovereignty can be undermined because there is an international responsibility to protect the vulnerable from the hands of a deadly government. Though not a collective defence in the sense of Article 5, Operation Unified Protector was intended to be a collective defending of the vulnerable population in Libya. This humanitarian aspect is crucial to oblige NATO interference. A significant cyber-attack should then target a vulnerable population or have the purposeful result of making a population vulnerable.
The 1999 Operation, like Libya, was a ‘humanitarian operation’ in response to ethnic cleansing taking place in the former Yugoslavia. The Yugoslav Wars occurred before the development of the ‘responsibility to protect’ but it was a similar mentality. Interestingly, the United States was hesitant to have NATO involved in the conflict, coming from a fear of reliving World War Two and yet, it was the failure of an international organisation (the League of Nations in WW2 and the United Nations in Yugoslavia) that spurred NATO to act. The criteria of ‘significance’ as aforementioned expresses the importance of exposing national security weaknesses but it also has the potential to expose failures in the emergency response mechanisms of regional institutions, that rely upon national cooperation as opposed to regional coordination.
This is not to argue that a triggering cyber-attack would require the same death toll of 9/11 or the ethnic cleansing of the Yugoslav wars. Rather, it is to say that a triggering cyber-attack requires the same shift in international politics, power, and security that other major NATO operations responded to. The analysis of the “whys” for NATO action in these three events suggests that a significant cyber-attack, as previously defined, would push Allies to trigger Article 5 by embodying the changing nature of armed conflict, shifting determinants of power and security, developing capabilities of actors beyond the Westphalian model, and the vulnerability of States and society that grows in tandem with dependency on cyber-space.
If the final question is why Allies would have consensus to trigger Article 5, the answer is simple: such an attack represents a new era of global security threats NATO must prove it can defend against. As such, the conclusion to come to must be yes, but. Yes, a significant cyber-attack would trigger Article 5, but the demands of significance are likely so intense that such an attack is doubtful today.
Through a comparative analysis against the most mentionable cyber-attacks, it is determined that a cyber-attack meeting NATO’s vague threshold of significance must:
- Target government infrastructure and/or emergency services;
- Encompass a variety of cyber-attacks with various targets;
- Be continuous and long-lasting;
- Stem from political motivation, rather than financial gain;
- and result in civilian harm and/or death.
Further, it must be considered how the type of actor launching a ‘significant’ cyber-attack influences whether Allies will trigger Article 5. If the aggressor is a State organ, Allies may be more inclined to invoke collective defence due to heightened political pressure and threat level. Otherwise, if an aggressor is a Private Military Company or Supported Patriotic Hacker Collective, Allies may pursue other defence methods after a cost analysis.
Lastly, a triggering cyber-attack must, in its essence, prove to be as revolutionary to the international system as past conflicts, such as 9/11, Libya, or Yugoslavia were, to force NATO into a position of reaching a consensus on intervention.
The cyber-attacks Allies fear are inching closer and NATO appears woefully underprepared, leaves two choices: first, NATO can define its cyber-policy in respect to collective defence or second, wait until its hand is forced. Stoltenberg is correct, NATO will defend itself, but when and how is still left to the sceptics.
Nicolás Sol Centeno is an undergraduate student at the Geneva School of Diplomacy and International Relations and a blog writer at Platform for Peace and Humanity. He enjoys researching and writing on the convergence of international humanitarian law and emerging technology in conflict. Nicolás has previously interned at the International Institute for Sustainable Development and Global Migration Policy Associates and contributes to UN Today magazine.
 Jens Stoltenberg, ‘NATO WILL DEFEND ITSELF’ (Prospects Magazine, October 2019), pg.4, <https://www.prospectmagazine.co.uk/content/uploads/2019/08/Cyber_Resilience_October2019.pdf> accessed 29 July.
 North Atlantic Treaty Organisation, Brussel’s Summit Communique (July 2021) Press Release (2021) 086, <https://www.nato.int/cps/en/natohq/news_185000.htm?selectedLocale=en> accessed 29 July.
 Brad Smith, ‘Defending Ukraine: Early Lessons from the Cyber War,” (Microsoft On the Issues, June 2022) <https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/> accessed 29 July.
 Ibid. See footnote 3.
 Jens Stoltenberg, “Stoltenberg Provides Details of NATO’s Cyber Policy,” (Atlantic Council, May 2018) <https://www.atlanticcouncil.org/blogs/natosource/stoltenberg-provides-details-of-nato-s-cyber-policy/> accessed 31 July
 Michaela Pruckova, “Cyber Attacks and Article 5 – A Note on a Blurry but Consistent Position of NATO”, (CCDCOE) <https://ccdcoe.org/library/publications/cyber-attacks-and-article-5-a-note-on-a-blurry-but-consistent-position-of-nato/> Accessed 31 July
 Rain Ottis, “Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective,” (CCDCOE, Estonia, 2018) pp 2-3 <https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf> accessed 29 July.
 “The NHS Cyber Attack,” (Acronis, February 2020) <https://www.acronis.com/en-eu/blog/posts/nhs-cyber-attack/> accessed 1 August
 Kim Zetter, “Inside the Cunning Unprecedented Hack of Ukraine’s Power Grid,” (Wired Magazine, March 2016) <https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/> accessed 1 August.
 “Ukraine Has Prevented a Sandworm Attack on its Power Grid,” (April 2022) <https://incyber.org/en/ukraine-has-prevented-a-sandworm-attack-on-its-power-grid/> accessed 1 August.
 “#OpIsrael” (DDOSPEDIA) <https://www.radware.com/security/ddos-knowledge-center/ddospedia/opisrael/> accessed 1 August.
 Ibid. See footnote 7.
 Sean Michael Kerner, “Colonial Pipeline Hack Explained: Everything You Need to Know”, (TechTarget, April 2022) <https://www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-explained-Everything-you-need-to-know> accessed 29 July.
 Staff, “Steamship Authority Still Impacted by Cyber Attack,” NBC Boston (June 2021) <https://www.nbcboston.com/news/local/mass-steamship-authority-still-impacted-by-cyber-attack/2399217/> accessed 1 August.
 Alexander Klimburg, “Why the Energy Sector’s Latest CyberAttacks in Europe Matters,” (World Economic Forum, February 2022) <https://www.weforum.org/agenda/2022/02/cyberattack-amsterdam-rotterdam-antwerp-energy-sector/> accessed 1 August.
 “Collective Defence and Article 5,” (North Atlantic Treaty Organisation, August 2022) <https://www.nato.int/cps/en/natohq/topics_110496.htm> accessed 1 August.
 Jason Blessing, “The Global Spread of Cyber Forces, 2000-2018” (CCDCOE, International Conference on Cyber Conflict, Tallinn, 2022) <https://ccdcoe.org/uploads/2021/05/CyCon_2021_Blessing.pdf> accessed 29 July.
 Eric Talbot Jensen, “The Tallinn Manual 2.0: Highlights and Insights,” (Georgetown Journal of International Law, Vol. 48, pp 735-778) <https://www.law.georgetown.edu/international-law-journal/wp-content/uploads/sites/21/2018/05/48-3-The-Tallinn-Manual-2.0.pdf> accessed 30 July.
 Ataa Dabour, “The Rise of Cyber-Mercenaries”, (Human Security Centre, May 2021) <http://www.hscentre.org/technology/the-rise-of-cyber-mercenaries/ > accessed 1 August.
 Emma Schroeder, et al., “Hackers, Hoodies, and Helmets: Technology and the Changing Face of Russian Private Military Contractors,” (Atlantic Council, July 2022, Issue Brief,) <https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/technology-change-and-the-changing-face-of-russian-private-military-contractors/> accessed 29 July.
 Laura Reddy, “Blackwater Renames Itself, And Wants to Go Back to Iraq,” (ABC News, December 2011) <https://abcnews.go.com/Blotter/blackwater-renames/story?id=15140210#:~:text=CEO%20Ted%20Wright%20said%20that,find%20nice%20and%20%22boring.%22> accessed 1 August.
 Eleanor Beardsley, “An Ex-Member of One of the World’s Most Dangerous Mercenary Groups Has Gone Public,” (NPR, June 2022) <https://www.npr.org/2022/06/06/1102603897/wagner-group-mercenary-russia-ukraine-war?t=1661794688781> accessed 1 August.
 United States Coast Guard, Office of Emerging Policy, Future B – Cybergeddon, pp 35-38, <https://www.uscg.mil/Portals/0/Strategy/Cybergeddon.pdf> accessed 30 July.
 Ibid. See footnote 20.
 Ibid. See footnote 20.
 Ibid. See footnote 7.
 Ibid. See footnote 7.
 “Consensus Decision-Making at NATO,” (North Atlantic Treaty Organisation, last updated June 2022), <https://www.nato.int/cps/en/natohq/topics_49178.htm> accessed 31 July.
 Christopher Skaluba and Conor Rodihan, “No Consensus? No Problem. Why NATO is Still Effective,” (Atlantic Council, January 2018) <https://www.atlanticcouncil.org/blogs/new-atlanticist/no-consensus-no-problem-why-nato-is-still-effective/> accessed 31 July.
 Leo Michel, “NATO Decisionmaking: Au Revoir to the Consensus Rule?” (Institute for National Strategic Studies National Defence University, August 2003, Strategic Forum No.202) <https://apps.dtic.mil/sti/pdfs/ADA421879.pdf> accessed 31 July.
 Matthew Green, “To What Extent Was the NATO Internvention in Libya a Humanitarian Intervention,” (E-International Relations, February 2019) <https://www.e-ir.info/2019/02/06/to-what-extent-was-the-nato-intervention-in-libya-a-humanitarian-intervention/> accessed 1 August.
 Marco Siragusa, “The Yugoslav Wars and the Role of NATO,” (People Dispatch, April 2022) <https://peoplesdispatch.org/2022/04/27/the-yugoslav-wars-and-the-role-of-nato/> accessed 1 August.
 Ibid. See footnote 34.