Europe’s cyber rapid response teams should pivot to proactive missions

In the summer and fall of 2022, Albania suffered a series of cyberattacks targeting its government infrastructure. The country attributed these attacks to Iran and reached out to NATO for support. Likening the attacks to “bombing a country,” Albanian Prime Minister Edi Rama initially floated the idea of invoking Article 5 of the Washington Treaty, which would trigger NATO’s collective defence principle.

NATO already has a mechanism for aiding allies in the aftermath of cyberattacks: Cyber Rapid Reaction Teams. These teams are built to be an efficient form of incident response and mitigation. NATO began building its own teams as early as 2011; the EU began a similar programme in 2017. 

However, Albania ultimately received aid from the United States. EU and NATO rapid response teams are fully operational, but neither has been deployed to remedy a cyber incident. Instead, it is smaller national teams that have responded to emergencies.

Origins

Crisis management systems are nothing new in the field of security—or even cybersecurity, for that matter. Computer emergency response teams (CERTs) emerged in the late 1980s in response to internet worms and other increasingly widespread security incidents.

Multinational CERT systems, however, have always faced challenges, such as difficulties establishing trust and cumbersome management structures. As a result, they lagged behind the creation of state and sector-led programmes. A EuroCERT pilot project was launched from 1997 to 1999 to increase cooperation across existing European CERTs. However, the project quickly fell apart, with member states agreeing that while many positive outcomes had been achieved, “the needs of the various networks in Europe and their CERTs are so different that it is not possible to reach consensus on the definition of a single permanent service.” 

Governing multinational response teams

The EU and NATO faced similar challenges when they began devising their own rapid response teams. 

The EU project is part of a broader Permanent Structured Cooperation (PESCO) defence arrangement designed to enhance institutional integration across member states. Under PESCO, member states can propose and lead specific security projects, and other EU states can sign on to participate or observe.

Lithuania created the Cyber Rapid Response Teams and Mutual Assistance in Cyber Security as a new PESCO project in 2017-2018. The country serves as its lead, while seven other member states have joined as participants. The project also has observer members while Lithuania continues to recruit new members. 

The project is funded by the project members and any state or institution requesting its assistance—not the EU writ large. Leadership of the project rotates between project members, but Lithuania maintains a significant role, including as co-chair of the project council—the group that ultimately signs off on deploying a rapid response team. EU member states, EU institutions, and partner countries can make formal requests for assistance. The council is supposed to decide whether they will deploy a team within 24 hours of such a request. Then, teams are constructed of eight to twelve experts based on the nature of the emergency. 

NATO’s rapid response teams are governed differently. The teams are staffed and funded by the full alliance. Allies cannot opt out—they contribute to the NATO Computer Incident Response Capability (NCIRC), which administers the teams. An ideal team comprises six specialists selected from the NCIRC staff based on the nature of the emergency to which the team is responding. As one senior NATO official stated in an interview with me, “it’s not a bunch of dudes or dudettes sitting in a basement waiting to be deployed… They are hands on keyboards and part of the 200-strong NCIRC team that does NATO enterprise network protection.”

There has also been confusion over when to use the teams: a 2012 blog released on NATO’s main website described rapid response teams as a tool for any ally to use. Yet in The Wall Street Journal a year later, NATO Secretary General Anders Fogh Rasmussen described the teams as a resource primarily built for defending NATO networks, with a possible longer-term goal of defending allies. 

Because all allies are involved in the NCIRC, its funding, and its resourcing, decisions to deploy a rapid response team are made by consensus at the highest political level of the alliance: the North Atlantic Council. There, all 32 member states have representatives who must reach a consensus on any request for activating a team, which slows down decision-making.

In effect, as my recent report details, multinational response teams are not structured to fulfil their missions. The EU and NATO rapid response teams have failed to be either rapid or responsive because their organising principles do not allow them to be. 

Mismatched missions?

Despite these different structures and governance models, neither NATO nor the EU has deployed a rapid response team to deal with a crisis. 

The EU project did come exceptionally close to mobilising a team to aid Ukraine in early 2022. However, fully activating a response team took well over a month. Team members were chosen and set to travel to Kyiv on February 24—the very day that Russia launched its full-scale invasion of the country. While the team explored other avenues of providing aid, it ultimately did not travel to Ukraine.

Instead, the EU teams have begun shifting toward a proactive support model. While the Lithuanian project maintains its crisis-first orientation on paper, in practice, the teams have been most successful in deploying to EU partner countries to lend aid before an emergency arises. The project has pivoted toward fostering long-term goodwill through offering vulnerability assessments and helping countries develop stronger cyber defence postures. Teams have been deployed to Moldova and Mozambique as part of broader EU partnership and training missions. 

NATO’s teams have not seen any action. The process of deploying a team is highly formalised and politicised, and no state has gone through all the steps to request aid from the North Atlantic Council. Yet, although no NATO team has been activated, individual NATO allies have taken action to offer emergency assistance. Crisis management is happening within the NATO alliance, just not through a centralised cyber rapid response capacity.

Solutions for now?

For either team to fulfil its namesake mission—reacting rapidly to an emergency—it needs a streamlined structure that delegates authority to as few actors as possible to make deployment decisions. Teams also need to develop high degrees of trust across participating countries to facilitate information sharing, the pooling of technical expertise, and solutions to liability issues when entering foreign networks to remediate incidents. Neither organisation is free from political grievances and scepticism across its member states.

For now, multinational teams are better suited for proactive missions, which allow for longer planning timelines and often involve less sensitive political situations. National teams are much more effective at responding: they can work directly with the country in need, establishing more streamlined information sharing and liability protocols. 

Indeed, the crisis response community is shifting increasingly toward the single-country model. Australia announced its own initiative in November 2023, and others are sure to follow. For now, this is the best way forward.