— by Tsira Erkvania —
Introduction
Article 5 of the North Atlantic Treaty — the cornerstone of NATO’s collective defence — affirms that an armed attack against one member is an attack against all. However, in the digital age, where cyber operations transcend borders without firing a single bullet, the meaning of “armed attack” becomes increasingly ambiguous. The cyber domain challenges traditional interpretations of conflict and deterrence, raising questions about what constitutes an act of war in this evolving battlespace. Cyberattacks are often hard to trace, responses can be delayed or ineffective, and threats may not be seen as credible. NATO’s ability to defend both the physical and cyber domains will define the future of international security.
NATO has increasingly prioritised cyber defence as a core component of its collective security strategy. The Alliance formally recognises cyberspace as a domain of operations—on par with land, sea, air, and space—in which it must be prepared to defend itself effectively. The establishment of the Cyberspace Operations Centre in Belgium in 2018 marked a significant step toward enhancing NATO’s cyber operational capabilities. Additionally, the deployment of counter-hybrid support teams to assist member states in responding to hybrid threats, including cyberattacks and infrastructure sabotage, further reinforces NATO’s deterrence posture. At the 2021 Brussels Summit, Allies adopted a Comprehensive Cyber Defence Policy aimed at strengthening NATO’s resilience and integrating cyber defence into its overall deterrence and defence strategy. At the 2024 Washington Summit, NATO members agreed to establish the Integrated Cyber Defence Centre, designed to improve network protection, increase situational awareness, and operationalise cyberspace as a theatre of defence operations (NATO, 2024).
Key Cyber Threat Actors
The Russian Federation
The Russian government has openly declared itself in conflict with NATO and has mobilised both state structures and broader society in preparation for a protracted confrontation with the West. Within this context, Russia is expected to continue, and likely intensify, its cyber operations targeting multinational alliances, national governments, and a wide range of critical and non-critical infrastructure. These cyber activities are closely tied to NATO’s ongoing support for Ukraine, which Russia views as a direct threat to its geopolitical interests (Intel 471, 2024).
Since the beginning of the full-scale invasion of Ukraine, Russian APT hacking groups have been conducting intensive cyber operations against NATO countries. Among other things, they are targeting state administration networks and military ICT systems. The targets of cyberattacks include rail, maritime, and aviation infrastructure. Between 2022 and 2024, their victims included Czech, Latvian, Lithuanian, Polish, Romanian, and Estonian railway companies. Russian hackers are primarily attempting to undermine the logistical capabilities of the Alliance countries to supply Ukraine with armaments and military equipment (Bryjka, 2024).
The People’s Republic of China
China’s approach to cyber activities is quite different from that of other major players like Russia or Iran. Rather than focusing on attacks that cause immediate damage to important infrastructure—such as electricity grids, transportation networks, or communication systems—China mainly uses cyber tools to conduct espionage. This means Chinese hackers primarily aim to secretly gather valuable information, particularly targeting industries and military organizations worldwide to gain a competitive advantage. Over the years, China has become known for large-scale cyber spying campaigns that steal trade secrets, intellectual property, and sensitive government data. The IT company Check Point discovered that cyberattacks originating from Chinese IP addresses against NATO member countries surged by 116% in 2022 (Check Point Research Team, 2022; Kobzová, 2023).
The Islamic Republic of Iran
Iran is one of the more active states in the cyber realm, near the top of the second tier of global actors. Iran’s cyberattacks have demonstrated the potential to disrupt, sabotage and even destroy civil and commercial targets, critical national infrastructure and military capabilities, and its cyber espionage and information operations have been particularly extensive. In 2022, Iran lashed out at Albania, in what may have been the most destructive cyberattacks against a NATO ally since a Russian attack against Estonia 15 years earlier. The hackers had already penetrated Albanian government servers a year earlier but now launched a series of wiper attacks that crippled computer systems and deleted information belonging to Albania’s intelligence service, police, and border guards (Freilich, 2024).
The Democratic People’s Republic of Korea
Over the past 15 years, North Korea’s cyber campaigns have evolved with each operation, from Distributed Denial-of-Service (DDoS) attacks to the attack on Sony, WannaCry, and cryptocurrency thefts such as the one against Axie Infinity. This trajectory has shifted in both sophistication and objectives. North Korean hackers have become more innovative, integrating new technologies such as AI for greater effectiveness and exploring alternative ways to bypass security systems and generate additional funds. This includes collaborating with foreign citizens while masking their North Korean identities, and adopting tactics like cryptojacking and exploiting mixing services. As North Korea strengthens its conventional and covert military capabilities, the cyber domain will become vital, alongside areas like space, drones, and shipbuilding. The regime’s targets will expand accordingly, driven by its aspiration to fund the country’s nuclear and ballistic programmes and to steal secrets for building up its conventional military and new warfare domains (Sharma, 2024).
Between Deterrence and Defense
NATO has engaged actively since the beginning of Russia’s invasion of Ukraine, including by helping to boost the alliance’s cyber defenses. Exercises like “Cyber Coalition” now involve around 1,000 participants across member and partner states. Lithuania, Romania, and Albania have all implemented national reforms that align with NATO’s cyber doctrine. Romania’s 2023 Law 58 on Cybersecurity is perhaps the boldest: it recognizes a comprehensive cyber defense strategy as a priority, designates the powers and responsibilities of the government agencies, and allows for “proactive” defense measures, which could be interpreted as a green light for developing offensive capabilities (Makaryan, 2025).
Russian cyber agencies such as the GRU are expected to refine their tactics to identify and exploit weaknesses in NATO’s cyber defences. Future campaigns will likely include intensified cyber-psychological attacks aimed at destabilizing Western governments, institutions, and populations, potentially facilitating pro-Moscow political shifts. Technical cyberattacks will continue primarily as espionage to gather intelligence for future exploitation. Additionally, artificial intelligence (AI) will significantly enhance the scale and effectiveness of Russian information warfare, enabling highly targeted disinformation campaigns and AI-driven deepfakes, as well as potentially unprecedented cyber-technical assaults that may be difficult to detect or counter.
Conclusion
NATO’s foundational principle of collective defense faces significant challenges in the cyber domain, where the definition of an armed attack is less clear. Recognizing this, NATO has formally acknowledged cyberspace as a critical operational domain alongside land, sea, air, and space, and has strengthened its cyber defenses through dedicated centers, policies, and joint exercises. Russia remains the most aggressive cyber threat to NATO. In response, NATO members have enhanced their cyber defense capabilities, with some countries implementing bold legal reforms to allow for proactive and even offensive cyber measures. NATO’s ability to adapt and strengthen its cyber resilience will be essential to safeguarding the alliance’s future security.
References:
NATO. (2024). Cyber defence. Retrieved June 30, 2025, from https://www.nato.int/cps/en/natohq/topics_133127.htm
Intel 471. (2024). NATO summit commences in tandem with tense cyber-kinetic conflict. Retrieved June 30, 2025, from https://intel471.com/blog/nato-summit-commences-in-tandem-with-tense-cyber-kinetic-conflict
Bryjka, F. (2024). NATO members on guard against Russian sabotage. Polish Institute of International Affairs. Retrieved June 30, 2025, from https://pism.pl/publications/nato-members-on-guard-against-russian-sabotage
Kobzová, L. (2023, September 28). China’s cyber threat: Implications for NATO and potential remedies. Adapt Institute. Retrieved June 30, 2025, from https://www.adaptinstitute.org/chinas-cyber-threat-implications-for-nato-and-potential-remedies/28/09/2023/
Freilich, C. (2024, February). The Iranian cyber threat (Memorandum No. 230). Institute for National Security Studies. Retrieved June 30, 2025, from https://www.inss.org.il/publication/iranian-cyber/
Sharma, A. (2024, November 21). North Korea’s cyber strategy: An initial analysis. Observer Research Foundation. Retrieved June 30, 2025, from https://www.orfonline.org/research/north-korea-s-cyber-strategy-an-initial-analysis
Makaryan, M. (2025, June 9). Eastern Europe’s cyber reckoning: Russia’s digital threat is forcing a strategic shift. Inkstick Media. Retrieved June 30, 2025, from https://inkstickmedia.com/eastern-europes-cyber-reckoning-russias-digital-threat-is-forcing-a-strategic-shift/





