How do we determine whether an attack is truly an attack? For a long time, NATO’s founding logic provided a relatively clear answer to this question. Tanks crossing borders, cities being bombed, or territory being occupied were obvious acts that would unquestionably trigger the logic of collective defence. Today, however, NATO’s own approach recognises that the assessment of an “armed attack” is no longer limited to traditional interstate military strikes and that the nature of each incident must be evaluated on a case-by-case basis. The rise of hybrid threats targets precisely this area of assessment.

NATO defines hybrid threats as the simultaneous or sequential use of military and non-military, overt and covert instruments. Within this framework, disinformation campaigns, cyber attacks, economic pressure, the use of irregular armed groups, and the employment of conventional military forces as instruments of coercion must be considered together. Viewed in this way, hybrid threats are aimed not only at causing physical damage but also at creating doubt within societies and eroding the resilience of states. NATO’s 2022 Strategic Concept describes this threat repertoire in even broader terms, including interference in democratic processes, disinformation campaigns, the instrumentalisation of migration, manipulation of energy supplies, economic coercion, and the use of proxy actors to exert pressure. NATO’s 2024 approach to information threats further deepens this framework by defining attacks in the information environment as deliberate, harmful, manipulative, and coordinated activities.

The real strength of hybrid threats lies not in any individual tool but in the strategic ambiguity they create. The Helsinki-based Hybrid CoE defines hybrid threats as coordinated activities that target the systemic vulnerabilities of democratic states while exploiting the difficulties of detection and attribution. This definition is important because the objective of hybrid attacks is not simply to cause damage. A more significant goal is to influence decision-making processes, extend the response time of the targeted state, and deepen debates among allies over whether a response is necessary and, if so, to what extent. For this reason, hybrid attacks rarely seek military victory. Instead, they aim to generate strategic hesitation. Studies examining NATO’s Article 5 approach in the cyber domain similarly emphasise that the Alliance has deliberately avoided declaring fixed red lines and that its position is based on strategic ambiguity and case-by-case assessment.

Why the threshold remains ambiguous

The first point to remember is that Article 5 has never been a mechanical, automatic trigger for war. According to NATO’s official interpretation, Article 5 states that an armed attack against one Ally shall be considered an attack against all. However, the nature of the assistance provided depends on the actions each Ally considers necessary, and such assistance may or may not involve the use of armed force. There is also no single automatic procedure governing the invocation of Article 5. The assessment is made through a political decision of the North Atlantic Council and depends on the specific circumstances of each case. This is not a weakness of Article 5 but one of its strengths. At the same time, it is precisely this flexibility that hybrid threats seek to exploit.

NATO has not ignored this grey area. At the 2016 Warsaw Summit, the Alliance explicitly stated that hybrid warfare could be addressed within the framework of collective defence and that the North Atlantic Council could decide to invoke Article 5. The 2021 Brussels Summit went further in the cyber domain, noting that significant and cumulative malicious cyber activities could, under certain circumstances, reach the level of an armed attack and that any such determination would again be made on a case-by-case basis. The 2022 Strategic Concept reaffirmed that both individual and cumulative cyber activities, as well as hybrid operations, could, if necessary, reach the threshold of Article 5. The issue is therefore not that this possibility is absent from NATO documents. Rather, the Alliance has deliberately left open the question of what level of cumulative effect, what degree of attribution, and what political context would justify such a decision.

The issue of attribution is therefore not merely a technical challenge. In hybrid operations, the attacker may avoid direct involvement of its military forces and instead rely on proxy networks, civilian infrastructure, information operations, commercial instruments, or ambiguous cyber campaigns. NATO summit declarations from 2021 and 2023 specifically emphasise that attribution of hybrid activities remains a sovereign national responsibility. This is not a call for disunity among Allies. Rather, it is a realistic recognition that political responsibility and the assessment of evidence may differ from one state to another.

As a result, the advantage of hybrid attacks lies not only in concealment but also in their ability to delay the formation of a common threat perception among Allies. Recent analyses suggest that Russian sabotage activities and proxy-based operations are often designed precisely to avoid creating circumstances that would clearly trigger Article 5. The objective is not necessarily to remain completely invisible but to remain sufficiently ambiguous to complicate consensus, slow decision-making, and reduce the likelihood of a unified collective response.

Lessons from Estonia and Ukraine

The cyber attacks against Estonia in 2007 served as an early warning of the challenges that would later dominate discussions about hybrid threats. During the roughly three-week campaign, government and parliamentary websites, ministries, media organisations, internet service providers, major banks, and numerous private-sector targets came under sustained attack. What made the case particularly instructive was not only the scale of the disruption but also the uncertainty surrounding it. According to assessments by the StratCom COE, ambiguity was one of the defining characteristics of the incident. Although the attacks appeared politically motivated, establishing direct and indisputable state responsibility was far from straightforward.

The Estonian case did not result in the invocation of Article 5. Nevertheless, it became a turning point in NATO’s understanding of cyber defence. According to NATO’s own account, the establishment of the Cooperative Cyber Defence Centre of Excellence in Tallinn followed the Alliance’s comprehensive review of its cyber defence posture in the aftermath of the large-scale attacks against Estonia. This response was significant because the events of 2007 demonstrated that a campaign capable of disrupting the functioning of an entire society might not fit the traditional template of an “armed attack” while still constituting a collective security concern. The lesson of Estonia was that non-military instruments could produce strategic effects comparable to those traditionally associated with military action.

Ukraine, meanwhile, demonstrated that hybrid threats are not necessarily an alternative to war but are often a precursor to, and companion of, conventional conflict. NATO views the period that began with Russia’s annexation of Crimea in 2014 not only through the lens of conventional military pressure but also through cyber attacks, disinformation campaigns, and other hybrid activities. It was in this context that the NATO–Ukraine Platform on Countering Hybrid Warfare was established in 2016. The developments following 2022 reinforced the same lesson. Field observations published by Microsoft indicated that actors linked to Russia integrated large-scale cyber operations and influence activities into the broader invasion effort. This demonstrated that hybrid tools are not merely “below-Article 5” instruments used during peacetime. They can also operate alongside conventional warfare, targeting decision-making processes and societal resilience even during active military conflict.

NATO’s adaptation curve

It would be inaccurate to argue that NATO was completely unprepared for these challenges, although it is equally clear that its initial responses were insufficient. At the 2014 Wales Summit, Allies declared that cyber defence was an integral part of collective defence and stated that any decision on whether a cyber attack could trigger Article 5 would be assessed on a case-by-case basis. The 2016 Warsaw Summit went further by recognising cyberspace as a domain of operations in which NATO must defend itself. The Alliance also adopted strategies and implementation plans for countering hybrid warfare, while the Cyber Defence Pledge made the strengthening of national networks and critical infrastructure a priority. In other words, NATO began to treat hybrid threats not merely as a theoretical concept but as a driver of institutional transformation.

This process of adaptation was later reinforced through a network of specialised institutions. The 2018 Brussels Summit announced the establishment of counter-hybrid support teams that could provide tailored assistance to Allies upon request. The Strategic Communications Centre of Excellence in Riga evolved into a hub for NATO’s strategic communications capabilities, producing doctrine, research, and training. The Hybrid CoE in Helsinki developed into a specialist centre working closely with both NATO and the European Union on methodologies, training programmes, and network-building related to hybrid threats. The Cooperative Cyber Defence Centre of Excellence, established in Tallinn in 2008, gradually became more than a training and exercise institution. Through the Tallinn process, it also emerged as an important reference point for the legal and strategic assessment of cyber incidents. These centres do not create deterrence on their own, but they provide a shared body of knowledge and concepts that helps reduce the ambiguity on which hybrid attacks often depend.

NATO’s more recent initiatives follow the same trajectory. The Comprehensive Cyber Defence Policy adopted at the 2021 Brussels Summit emphasised the Alliance’s determination to employ its full range of tools against cyber threats and reaffirmed that cumulative malicious cyber activities could reach the level of an armed attack. In 2023, NATO adopted a new concept aimed at strengthening the contribution of cyber defence to its deterrence and defence posture, activated its Virtual Cyber Incident Support Capability, and reinforced national cyber objectives. The NATO Information Threats approach adopted in 2024 brought together early warning, monitoring, public attribution, correction of false narratives, and rapid coordination within a single framework. Taken together, these developments demonstrate that NATO increasingly views hybrid threats not only through a military lens but also through their cognitive, infrastructural, and political dimensions.

The real strength of article 5

The conclusion that emerges from this discussion is that the real strength of Article 5 lies not only in military capability but also in political unity and controlled strategic ambiguity. According to NATO’s own interpretation, Article 5 is not an automatic and uniform response mechanism. It operates through the collective political judgement of the North Atlantic Council, and each ally contributes in the manner it considers necessary. In the age of hybrid threats, this characteristic should be viewed not as a weakness but as a significant advantage. If NATO were to establish rigid and publicly declared response templates for every cyber attack, disinformation campaign, or infrastructure disruption, adversaries could more easily design operations that remain just below those thresholds. Case-by-case assessment, by contrast, complicates an attacker’s risk calculations.

At this point, an important distinction must be made. Strategic ambiguity should not be confused with strategic vagueness. NATO’s decision not to publish precise and publicly measurable thresholds may strengthen deterrence, but that does not mean the Alliance should operate without internal criteria, preparation, or common assessment frameworks. Not every hybrid attack requires a large-scale military response, and Article 5 itself does not demand one. The fact that responses to cyber activities are not restricted to the cyber domain and may include political, diplomatic, economic, intelligence, and military instruments further strengthens NATO’s position. The more relevant question is therefore not “Which incident automatically constitutes war?” but rather “Which set of collective tools should be activated in response to a particular incident?”

From this perspective, NATO’s priority should not be rewriting Article 5. The more pressing task is improving the management of the space below the Article 5 threshold. The first pillar of this effort is cyber defence and critical infrastructure resilience. NATO’s seven baseline requirements for national resilience are designed to ensure the continuity of government, energy supplies, communications systems, transportation networks, and essential resources such as water and food during crises. The 2021 Strengthened Resilience Commitment further identified the protection of critical infrastructure across land, sea, space, and cyberspace, as well as the diversification of supply chains, as explicit objectives. Hybrid deterrence is therefore not only about imposing costs on an attacker. It is also about reducing the expected impact of an attack. A resilient society lowers the strategic returns of grey-zone operations.

The second pillar is the protection of the information environment. NATO’s 2024 approach to information threats brings together monitoring, analysis, early warning, public attribution, corrective communication, and rapid coordination within a single framework. This matters because the impact of disinformation often stems less from the content itself than from delayed institutional responses. For this reason, Allies should develop common standards for threat assessment, while strategic communication structures should work not only during crises but also before crises emerge, helping to strengthen public trust. The role of the StratCom COE in Riga is particularly valuable in this regard. Hybrid deterrence is not only about countering attacks but also about enabling societies to recognise manipulation more quickly.

The third pillar is allied coordination and early warning architecture. Counter Hybrid Support Teams, the NATO–Ukraine Platform on Countering Hybrid Warfare, and various hybrid threat analysis structures are important steps in this direction. Their value, however, increases significantly when combined with joint exercises, regular political consultations, and real-time information sharing between public and private actors. Given that much of the critical infrastructure on which modern societies depend is operated by private companies, hybrid defence cannot remain the exclusive responsibility of governments.

NATO may not need to establish rigid public red lines, but Allies should develop internal decision-making frameworks based on factors such as cumulative effects, confidence in attribution, cross-domain coordination, and the degree of disruption caused to societal functioning. Such mechanisms would preserve strategic ambiguity while reducing the risk of political paralysis.

Article 5 is not outdated in the age of hybrid threats. Its effectiveness, however, no longer depends solely on the wording of the treaty itself. It depends on how that commitment is interpreted and on the political preparation that supports it. NATO has already acknowledged that cyber attacks and hybrid operations may, under certain circumstances, reach the level of an armed attack. The more important question is how that recognition can be translated into credible practical tools.

In other words, the problem is not the existence of Article 5. The problem is that adversaries increasingly operate in grey zones where they believe Article 5 is unlikely to be triggered with certainty.

For this reason, the most effective policy is not the creation of rigid and publicly announced thresholds. It is the development of flexible interpretation, rapid political consultation, strong societal resilience, and multidomain response options. The greatest advantage enjoyed by hybrid threats is their ability to create uncertainty about how the targeted side will react. NATO’s most effective answer is therefore not to abandon Article 5, but to transform it into a living instrument of deterrence supported by political unity, resilience, and strategic ambiguity.