Hybrid warfare against NATO nations should trigger the doctrine of collective defense. But how would it work in practice?
Since 2016, NATO has made it clear that hybrid attacks on member states could lead to the invocation of Article 5 of the North Atlantic Treaty, which says an attack on one is an attack on all.
And at the alliance’s 2023 Summit in Vilnius, NATO leaders agreed malicious cyber activities could trigger the article on a case-by-case basis, leading to a collective response.
But under what circumstances, and in response to which hybrid threats, would the alliance go beyond Article 4’s provision to hold consultations and activate Article 5 for only the second time in its history? And how would it be implemented?
The response from democratic governments to Russia’s hybrid attacks so far — including sabotage of infrastructure, interference in democratic processes, and cyber-attacks — has been inadequate, and often amounted to little more than mild disapproval. A comprehensive arsenal of hybrid warfare tools is urgently needed to deter future Russian misconduct.
But if such measures prove insufficient, NATO must be ready to activate collective self-defense in situations that closely resemble armed conflict.
The alliance has long prioritized preparation, deterrence, and defense against coercive political, economic, energy, and informational tactics by state and non-state groups, including Russia and China, that fall below the threshold of open war.
But, with strategic competition and the use of hybrid tactics in grey-zone conflicts already intensifying, and likely to worsen, those preparations need to be stepped up.
The recent decision to increase patrols in the Baltic Sea region, following sabotage against undersea cables, was seen by many as a significant shift in NATO’s long-term approach to below-the-threshold threats and a strong addition to existing efforts to counter Russia’s shadow fleet.
This firm stance is indeed commendable, but despite its strengthened presence, another cable, connecting Latvia to the Swedish island of Gotland, was damaged in January. Since October 2023, a total of 11 cables in the region have been sabotaged.
While NATO’s Baltic Sentry operation is crucial, it remains primarily reactive, dealing with incidents after they have occurred. Considering the growing complexity of hybrid threats, NATO should have a more proactive and assertive policy.
One element should be greater clarity on what would trigger a collective response. If an adversary deliberately cut off all energy cables to a NATO member, for example, would that be recognized as an act of aggression that met the threshold?
Without a clear stance, adversaries may exploit uncertainty, believing they can act without consequence. NATO must head off this possibility by updating its strategic guidelines, strengthening member states’ readiness to counter hybrid warfare, and clarifying its position on Article 5 in high-risk scenarios.
There also need to be protocols for coordinated responses to cyberattacks, disinformation, and covert sabotage, which integrate military, economic, and cyber tools to bolster collective defense.
In July 2022, NATO leaders endorsed further preventive and response options, expanding air and missile defense systems, prioritizing energy security, and enhancing intelligence and surveillance. The alliance also supports updates of legal frameworks and collaborates with partners like the European Union on coordinated sanctions and countermeasures.
To reinforce deterrence, NATO pre-positions troops, conducts snap exercises simulating hybrid attacks, and continues to explore emerging technologies like AI and big data.
While specific measures would vary based on the circumstances, the following are examples of potential Article 5 responses for each case.
Severe cyberattacks. Attacks that cripple essential infrastructure, such as power grids, financial systems, or military networks. Cyber defense forces of individual allies may engage in counter operations, including disabling or destroying servers used by state or non-state groups behind the attack. This could involve coordinated efforts across allies to contain and neutralize the threat.
Sabotage of critical infrastructure. Destruction or disruption of assets like undersea cables, pipelines, or transportation networks — especially if it has a major impact on national security. For example, in early February Estonia, Latvia and Lithuania disconnected from the Soviet-era electricity grid linking them to Russia and Belarus, increasing their dependence on external power cables. NATO might impose security measures, including stopping and inspecting foreign ships, verifying the validity of insurance documents, and detaining suspicious vessels. In extreme cases, NATO could implement a naval blockade to prevent further sabotage.
Coordinated hybrid operations. Multiple forms of attack (e.g., disinformation, economic coercion, cyberattacks) executed simultaneously to destabilize a NATO country. The alliance might deploy both conventional and unconventional forces to restore stability, protect critical infrastructure, and provide deterrence against further attacks.
Hybrid actions with clear attribution. Hybrid threats attributable to a nation or a non-state group with state backing (though contested attribution can complicate collective defense decisions.) NATO could deploy emergency response forces, including intelligence and security units, to contain the threat. The alliance might also deploy troops in the affected country to deter further aggression and demonstrate a unified response.
Threats to NATO military operations. Attacks on NATO’s operational infrastructure, such as bases or communication systems, even through non-conventional means. NATO may formally declare that such unconventional means are now subject to Article 5, ensuring an attack on its operations, regardless of the method, would prompt a collective military and political response. This could involve cyber defense measures, an increased troop presence, and retaliatory strikes.
Direct threat to sovereignty. Hybrid tactics aimed at undermining the sovereignty of a NATO country by destabilizing its government or manipulating elections. The alliance might deploy conventional forces and intelligence units, and assist in securing electoral and governmental institutions. Measures could include reinforcing cybersecurity and media infrastructure to counter disinformation and manipulation.
These scenarios highlight the urgent need for NATO to establish clear protocols. Effective responses must be tailored to evolving situations, enabling the alliance to defend its member states’ stability and sovereignty against attacks that blur the line between peace and conflict.
Activating Article 5 in such contexts would grant NATO the authority to deploy all necessary measures, including military force, to counter and deter further aggression. It would remain a last resort, undertaken only when all other options have been exhausted, and its implementation would require the full agreement of all NATO members.
By Eitvydas Bajarūnas. Eitvydas Bajarūnas is an ambassador in the Ministry of Foreign Affairs of the Republic of Lithuania, and currently a Center for Europe Policy Analysis (CEPA) Visiting Fellow. Article and pictures first time published on CEPA web page. Prepared for publication by volunteers from the Res Publica - The Center for Civil Resistance.
