Albania weighed invoking NATO’s Article 5 over Iranian cyberattack

Albanian Prime Minister Edi Rama talks about the recent massive cyberattacks on his nation and when an attack warrants a NATO response.

Albania weighed invoking NATO’s Article 5 over Iranian cyberattack

Albania was hit by cyberattacks earlier this year so debilitating that the government considered invoking a NATO declaration that could have pulled all member states into confrontation with Iran, Prime Minister Edi Rama said.

It would have been the first time a NATO member state used a cyberattack to invoke Article Five — which treats an attack against one member as an “attack against them all,” requiring collective defense.

Ultimately Albania decided against taking that action rather than risk escalation — and antagonizing powerful allies, Rama said in an interview from his office in the Albanian capital. Rama did not say how seriously the option to trigger Article Five was considered or for how long.

“I have too much respect for our friends and our allies to tell them what they should do,” Rama said. “We are always very careful to be very humble in our assessments.”

The discussion inside the Albanian government over triggering Article Five underscores the ongoing debate as to whether a cyberattack will ever be serious enough to truly trigger a full-blown NATO collective defense response — which could involve cyber retaliation against the attacking country by all NATO members or crippling sanctions. The provision has only been triggered once, just days after the Sept. 11 attacks on the United States, and the consequences have not been fully spelled out for a cyberattack. NATO member countries must come to the aid of the nation that invokes Article Five, but each member country can determine the extent of their response.

For Rama, the July attack — which forced the country to shut down websites across government used for everything from paying utilities to obtaining driver’s licenses — walked right up to the line.

“It's like bombing a country,” Rama said of the cyber strike, which was widely attributed to Iranian hackers. Ninety-five percent of Albania’s government services are provided online, meaning daily operations halted at government offices across the country, he said. The hackers also attempted to wipe sensitive government data, he said, but were not successful.

Albania severed diplomatic relations with Iran in response — believed to be the first time a nation has taken this step due to a cyberattack. But Rama decided against taking the incident to NATO.

“It was too much for us to think about and to get to the decision that we should ask NATO to trigger Article Five,” Rama said.

In likely retaliation for the severing of relations, Iranian hackers again attacked Albania in early September, disabling certain systems used in border and customs processing. Rama warned that his nation expects more attacks from Iran, and is working to strengthen cyber defenses.

The line around when a cyberattack could trigger Article Five is unclear. The NATO Cooperative Cyber Defence Centre of Excellence described the application of it to a cyberattack as “a blurry but consistent position of NATO,” while NATO Secretary General Jens Stoltenberg said in 2018 that the level of cyberattack to trigger collective defense “must remain purposefully vague.”

“I am often asked, ‘under what circumstances would NATO trigger Article Five in the case of a cyberattack?’ My answer is: we will see,” Stoltenberg said at the time.

Jim Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies, said NATO is likely still working through the “menu of options” it would use to respond to a cyberattack. “It’s going to be messy for a while until we sort out what you can do short of violence that can have [an] effect.”

The Iranian cyberattacks may have caused widespread disruption, but did not lead to any deaths or permanent destruction of systems. These facts, paired with the smaller size of Albania in terms of geography and population, made triggering Article Five even more remote.

“If the attack had been more damaging, they might have gotten some support,” Lewis said. “No one was hurt, so it’s hard to make the case that it’s Article Five.”

The Russian invasion of Ukraine has intensified these discussions, given recent warnings that Russia is preparing to intensify cyberattacks against Ukraine as the winter months approach, and that a cyberattack against Ukraine could spill over into neighboring countries that belong to NATO.

Many NATO members, including Albania, have provided cybersecurity support to Ukraine.

“We have done our part,” Rama said of Albania’s assistance, “but what's happened with Iran imposes a different speed.”

NATO and its member states did take actions to support Albania after the July strike. NATO released a statement condemning the attack and pledging to provide support to strengthen Albania’s cyber defense. The U.S. Treasury Department sanctioned Iran’s intelligence agency and its leader, and the Justice Department indicted alleged Iranian hackers for widespread attacks against global critical infrastructure.

The FBI and the Cybersecurity and Infrastructure Security Agency released a joint advisory in September detailing how the Iranian hackers gained access to the victimized Albanian networks 14 months prior to the attack being carried out, periodically stealing emails associated with the government of Albania. The British government noted in a separate alert that Rama’s emails were among those accessed.

Rama pointed to U.S. assistance following the attack, which included providing in-person expertise to investigate the incident, as a “big support,” and noted that Albania is currently awaiting U.S. financial aid for cyber defense efforts.

“Every dollar that will come will be very much appreciated,” Rama said. “I think they should and they will show that they support us in this situation.”