Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition
Read more
Main Logo Expert commentary on tech and security

Europe’s cyber rapid response teams should pivot to proactive missions

Taylor Grossman 1 March 2024
Share On:
Taylor Grossman finds that NATO and EU cyber rapid response teams are not built to respond rapidly to emergencies
Main Top Image
Image created with the assistance of Dall-E 2

In the summer and fall of 2022, Albania suffered a series of cyberattacks targeting its government infrastructure. The country attributed these attacks to Iran and reached out to NATO for support. Likening the attacks to “bombing a country,” Albanian Prime Minister Edi Rama initially floated the idea of invoking Article 5 of the Washington Treaty, which would trigger NATO’s collective defence principle.

NATO already has a mechanism for aiding allies in the aftermath of cyberattacks: Cyber Rapid Reaction Teams. These teams are built to be an efficient form of incident response and mitigation. NATO began building its own teams as early as 2011; the EU began a similar programme in 2017. 

However, Albania ultimately received aid from the United States. EU and NATO rapid response teams are fully operational, but neither has been deployed to remedy a cyber incident. Instead, it is smaller national teams that have responded to emergencies.

Origins

Crisis management systems are nothing new in the field of security—or even cybersecurity, for that matter. Computer emergency response teams (CERTs) emerged in the late 1980s in response to internet worms and other increasingly widespread security incidents.

Multinational CERT systems, however, have always faced challenges, such as difficulties establishing trust and cumbersome management structures. As a result, they lagged behind the creation of state and sector-led programmes. A EuroCERT pilot project was launched from 1997 to 1999 to increase cooperation across existing European CERTs. However, the project quickly fell apart, with member states agreeing that while many positive outcomes had been achieved, “the needs of the various networks in Europe and their CERTs are so different that it is not possible to reach consensus on the definition of a single permanent service.” 

Governing multinational response teams

The EU and NATO faced similar challenges when they began devising their own rapid response teams. 

The EU project is part of a broader Permanent Structured Cooperation (PESCO) defence arrangement designed to enhance institutional integration across member states. Under PESCO, member states can propose and lead specific security projects, and other EU states can sign on to participate or observe.

Lithuania created the Cyber Rapid Response Teams and Mutual Assistance in Cyber Security as a new PESCO project in 2017-2018. The country serves as its lead, while seven other member states have joined as participants. The project also has observer members while Lithuania continues to recruit new members

The project is funded by the project members and any state or institution requesting its assistance—not the EU writ large. Leadership of the project rotates between project members, but Lithuania maintains a significant role, including as co-chair of the project council—the group that ultimately signs off on deploying a rapid response team. EU member states, EU institutions, and partner countries can make formal requests for assistance. The council is supposed to decide whether they will deploy a team within 24 hours of such a request. Then, teams are constructed of eight to twelve experts based on the nature of the emergency. 

NATO’s rapid response teams are governed differently. The teams are staffed and funded by the full alliance. Allies cannot opt out—they contribute to the NATO Computer Incident Response Capability (NCIRC), which administers the teams. An ideal team comprises six specialists selected from the NCIRC staff based on the nature of the emergency to which the team is responding. As one senior NATO official stated in an interview with me, “it’s not a bunch of dudes or dudettes sitting in a basement waiting to be deployed… They are hands on keyboards and part of the 200-strong NCIRC team that does NATO enterprise network protection.”

There has also been confusion over when to use the teams: a 2012 blog released on NATO’s main website described rapid response teams as a tool for any ally to use. Yet in The Wall Street Journal a year later, NATO Secretary General Anders Fogh Rasmussen described the teams as a resource primarily built for defending NATO networks, with a possible longer-term goal of defending allies. 

Because all allies are involved in the NCIRC, its funding, and its resourcing, decisions to deploy a rapid response team are made by consensus at the highest political level of the alliance: the North Atlantic Council. There, all 32 member states have representatives who must reach a consensus on any request for activating a team, which slows down decision-making.

In effect, as my recent report details, multinational response teams are not structured to fulfil their missions. The EU and NATO rapid response teams have failed to be either rapid or responsive because their organising principles do not allow them to be. 

Mismatched missions?

Despite these different structures and governance models, neither NATO nor the EU has deployed a rapid response team to deal with a crisis. 

The EU project did come exceptionally close to mobilising a team to aid Ukraine in early 2022. However, fully activating a response team took well over a month. Team members were chosen and set to travel to Kyiv on February 24—the very day that Russia launched its full-scale invasion of the country. While the team explored other avenues of providing aid, it ultimately did not travel to Ukraine.

Instead, the EU teams have begun shifting toward a proactive support model. While the Lithuanian project maintains its crisis-first orientation on paper, in practice, the teams have been most successful in deploying to EU partner countries to lend aid before an emergency arises. The project has pivoted toward fostering long-term goodwill through offering vulnerability assessments and helping countries develop stronger cyber defence postures. Teams have been deployed to Moldova and Mozambique as part of broader EU partnership and training missions. 

NATO’s teams have not seen any action. The process of deploying a team is highly formalised and politicised, and no state has gone through all the steps to request aid from the North Atlantic Council. Yet, although no NATO team has been activated, individual NATO allies have taken action to offer emergency assistance. Crisis management is happening within the NATO alliance, just not through a centralised cyber rapid response capacity.

Solutions for now?

For either team to fulfil its namesake mission—reacting rapidly to an emergency—it needs a streamlined structure that delegates authority to as few actors as possible to make deployment decisions. Teams also need to develop high degrees of trust across participating countries to facilitate information sharing, the pooling of technical expertise, and solutions to liability issues when entering foreign networks to remediate incidents. Neither organisation is free from political grievances and scepticism across its member states.

For now, multinational teams are better suited for proactive missions, which allow for longer planning timelines and often involve less sensitive political situations. National teams are much more effective at responding: they can work directly with the country in need, establishing more streamlined information sharing and liability protocols. 

Indeed, the crisis response community is shifting increasingly toward the single-country model. Australia announced its own initiative in November 2023, and others are sure to follow. For now, this is the best way forward.

avatar
Taylor Grossman

Related

Featured image
Binding Edge
The magic of sophisticated cyber attacks
Max Smeets 4 December 2023
Read more arrow
Featured image
Binding Edge
Learning to supply cyber capabilities
Joseph Jarnecki 10 June 2024
Read more arrow
Featured image
Binding Edge
Cyber threats to European elections: beyond the headlines
Jamie Collier 28 May 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.