The author points to Estonia's deliberations after the 2007 DoS attacks to show that Article 5 after cyberattack has long been a known possibility. Her main claims seem to be that the new language adds negligible deterrence value, and in any case, attribution challenges render "deterrence and retaliation" useless in this issue area. I don't think she's looking in the right place for value, and I would add three caveats to the attribution argument she shares with many others.
Value. Wolff sees the statement as empty partly because the Russians, the supposed target, don't need any "formal notice that their actions may have consequences." (She also argues that cyberattackers don't worry about retaliation because of attribution challenges, so I am confused; let's leave that aside for now.) Member states, though, don't only have potential cyberattackers in mind. They also worry about having the military support of allies if and when the time comes. One function of an institution like an alliance is to set mutual expectations of behavior (Keohane 1984). Practically speaking, it's possible to envision a squeamish member government affecting or delaying the consensus decision to approve Article 5 retaliation on the (disingenuous) principled grounds that cyberattacks are fundamentally different. The new statement closes the loophole, assuring vulnerable members that destruction on their territory would be treated as an act of war regardless of means. Indirectly, this clarity may also enhance deterrence, but that isn't the only benefit to look for.
The author at one point recognizes this issue, but quickly dismisses it:
Sure, the denial-of-service attacks caused some pretty major disruptions to Estonian daily life, but nothing on par with the harm caused by the Sept. 11 attacks—the only incident in NATO’s history for which Article 5 has ever been invoked. We don’t really know what it would look like for an incident of that magnitude to be perpetrated through electronic means, but if such a thing happened, it seems unlikely that the NATO members would waste time quibbling about whether their treaty applied to cyberattacks.
Attribution and deterrence. Wolff tells us that deterrence in this context is bound to be weak because of technological attribution issues. As a result, she argues that NATO should "instead" focus on hardening of cyberdefenses and mitigation efforts. I do not understand why these are framed as mutually exclusive options. How does the new declaration detract from hardening or mitigation efforts at all?
Nevertheless, I'm inclined to agree about the difficulties posed by attribution problems for deterrence. Here are my three caveats. First, there are some scenarios in which attackers would want targets to know the true origin of an attack---for instance, when an attack is carried out for coercive purposes (with the threat of more to come) rather than for brute force alone. The possibility of retaliation can deter the coercive strategy. Second, assume you are a non-governmental entity in a state hostile to NATO, and you discover the means to launch a destructive cyberattack. Knowing now that Article 5 may be invoked, you may think twice for fear that the alliance might attribute such an attack to your government and thus your action might bring military punishment on your country.
Finally, put yourself in the shoes of a political leader in a state hostile to NATO. You've heard attribution is difficult if not impossible, but you know NATO and member governments have been working for years on attribution techniques. Do you, as a technological novice, trust your cyber-services when they assure you a brute-force attack will not be traced? Do you trust that coding mistakes won't be made, or that programmers won't brag on Facebook? Knowing that the consequences for discovery could be military retaliation, you may decide not to risk it.
For these reasons, I think NATO's new approach is better than the ambiguity that preceded it.