A

You're listening to the Cyberwire Network, powered by N2K.

B

When cyber threats strike, minutes matter. Booz Allen brings the same battle tested expertise trusted to protect national security to defend today's leading global organizations. They safeguard their data, strengthen enterprise resilience and mobilize in minutes across energy, healthcare, financial services and medicine manufacturing. Their teams don't just respond, they anticipate, outthink and stay ahead of evolving threats. This is powerful protection for commercial leaders only. From Booz Allen. See how your organization can prepare today@booz allen.com Commercial. Foreign.

C

Hello, welcome back to our special three part series on NATO's 2025 cyber coalition exercise. I'm Liz Stokes and in this second episode we're diving into the day to day of cyber defense. How nations detect threats, defer attacks, and work together to defend critical networks. In this episode, my brilliant colleague Maria Vermazes will guide you through our journey in Tallinn, Estonia, sharing the sights, sounds and human stories that bring this exercise to life. Together, we'll take you behind the scenes of one of the world's most complex and high stakes cyber exercises, meeting the people who make it happen, and show you why the human factor is just as important as the technology in defending against modern cyber threats. So let's open our time capsule and step into a day at NATO's cyber range.

A

Hi everyone, Maria Varmazes here and as I'm writing and reading this script, it's late January 2026 and like a lot of us living in the United States, I am trying to make sense of fast moving political turmoil, primarily comments and actions from the US President that are quickly upending long established geopolitical world order and causing a lot of global worry and outcry about how the United States treats its allies, along with the future of NATO and the United States. Place in it or not. Now, this is not something I would normally share about the sausage making of a podcast, but in this case the greater context really matters. Quite simply because the event you're about to hear about was recorded just before all of this upheaval really began. And all of that upheaval will undoubtedly influence how we and you interpret what we're about to share here. My colleague producer Liz Stokes will get you a little bit up to speed.

C

Now let's recap what we mentioned in the previous episode. Maria and I were in fact not in the United States, but in Tallinn, Estonia during NATO's cyber coalition. It's a NATO cybersecurity exercise focused on cooperation, trust and mutual defense between allies. Much of it was happening quietly, far from the headlines, since by the time we put this episode to air, there could be more geopolitical changes that may affect NATO. So we're going to treat this episode as a time capsule of what we saw and learned in one day, where we were a guest of NATO at their cyber headquarters in Tallinn. We'll save our reflections on what we saw and what it all means for the third episode.

A

With that said, let's crack open our audio time capsule. Let me walk you through our day with NATO for the 2025 cyber coalition exercise. It is Tuesday, December 2, 2025, and we actually saw the sun and some blue sky for the very first and only time this morning, for just a few minutes as we headed out from our hotel at 8:30am on our walk, Liz and I walked past the Estonian Foreign Ministry. The Estonian flag is flying proudly out front and right next to it, same level and size, the Ukrainian flag. It's top of mind for me, and I'm sure many Estonians as well, that later today, Russian President Putin is due to meet in Moscow with a US envoy to negotiate a peace agreement in Ukraine. It's been all over the news, just about everywhere we've gone. I get the impression that people don't have much faith that it'll happen, but hold out hope just in case. As Liz and I walk along, we quickly figure out that we're going in the right direction. When we see a number of uniformed military soldiers walking along with us, we turn a corner and see a building with two cannons in front. It's the Estonian Ministry of Defense, and like the Foreign Ministry, out in front, the Estonian flag flies proud right alongside the Ukrainian flag. And a bonus, NATO's flag flies proudly on a flagpole out front. After checking in at the Estonian Ministry of Defence, presenting our credentials and going through the understandably high level of security, we start our day with a full morning briefing describing this year's NATO Cyber Coalition exercise. We hear a crucial phrase a lot this morning and throughout the day. We mentioned it in episode one, but that phrase is collaboration, cooperation, coordination. We learn about all the various exercises that the defenders from across NATO nations and allied partner nations are working on. They're all ripped from the headlines type situations that would be familiar to cyber defenders. Network compromises, attacks on critical infrastructure, hacked backups, bread and butter situations for defenders in this line of work. And there were some that I didn't expect to see, but was delighted to find out were there, for example, a cyber readiness in space scenario, practicing what to do should a cyber attack occur on space based assets and networks? And there was an exercise entirely for cyber legal teams to hash out. Makes sense for military legal teams to ponder infosec law when they are at the home of the Talon Manual, after all. Now, I was really curious what a legal exercise would look like in this context. Major Tyler Smith, cyber Operations attorney with the 16th Air Force, told me a bit more about his experience.

D

As we've been planning this, we try to think of questions, legal questions, to go along with the cyber play. How can we make this relevant to the different legal audiences? And information sharing is one of the key things that we focus on. Right? And we're putting out questions that are requiring our legal audience to look at their nation and look at their national laws and look at their domestic policy. On, hey, how do we share? How if this happened and we knew a partner was going to have or was having a similar thing, how do we do that? And so there's not an overriding international law basis to share that information. That's domestic policy, domestic law. And so this is, it's a good opportunity to kind of blend that international flavor of what we're doing, but then have them also hone down and look at, hey, well, how would we do this if it was with this partner nation or that partner nation, how do we share?

A

So of the seven possible scenarios or storylines in the NATO parlance, including the legal one, it was ultimately up to the participating national teams to decide what they wanted to try out during the two week exercise, one storyline, or many, a veritable buffet of tabletop exercises to refine their tactics, tools and procedures, while also finding and fixing gaps in their capabilities, solving new problems, threat hunting, patching and still keeping vigilant against perennial threats, and deterring and countering any adversarial action. And this being a military exercise, of course, adds an entire level of interesting complexity above what we might normally think of as tabletop exercises. The defensive work being practiced here is not just within a NATO alliance or a national military level, but importantly, it is also with national or international civilian industry. Think about it. Usually the military doesn't own the networks that it operates on, but military operations on that infrastructure can absolutely affect many, if not all of its users. So coordination, there's that word again with the civilian side, is a major part of this exercise, as is planning and understanding the operational effect of doing military operations on civilian cyber infrastructure, mitigating risk while still working effectively. And crucially, you've got to make sure that you're not missing anything. And like any good training exercise, there were boundaries, of course. For example, everything was non offensive work. No hackbacks, no red teaming. There are other exercises for that. Cyber Coalition is all about detection, deferment, defense. And while NATO was happy to share some information about the tools and tactics that they've been developing to aid their defenders, NATO, it was clear that the core of the entire exercise is really all about the human factor. Getting people to talk to each other, learn how to better work with each other, find new ways to more efficiently gather and quickly share the kinds of information that can turn the tide of battle. A phrase that can sound like hyperbole most of the time, but in this case, not an exaggeration. Here's US Navy Commander Bryan Caplan again on the human challenges at play.

E

We would love the nations to, you know, jump right in and share stuff, but it's never the case. You know, really, it takes sometimes. Nations that have participated in the exercise for years, they're more comfortable, they have a better system in place, knowing what they can share, what they can't. Some of the newer nations that are participating, they're more timid to really either ask questions to other nations or provide information to nations. So it, it is a challenge. And the key for us to kind of keep things moving in the direction that we would like it to go, which is the collaboration, the coordination and the cooperation is to have mechanisms in place that kind of steer the nations during the storylines, to get them to kind of go outside their comfort zone, to coordinate and work with the nations to try to get further along in the, usually the reps that come from the nations during the planning cycle, you know, by the time we execute, they have, you know, built a good rapport with the other representatives from the nation. So because we do icebreakers at events, kind of to try to get people to communicate, talk, get comfortable. So when it comes to the execution part, they're more willing to help. Now the more difficult part is they're nation back at home to, to be willing to provide the representatives here with some of that information to then share it. So, yes, it's, it's definitely challenging, but it's a good challenge. And that's why we really have the exercise to kind of push those boundaries and, and get that flow of information, you know, up and down, left and right to, and it really does help out.

A

In our previous episode, I talked about NATO's Article 5 and that would be the mutual self defense clause. NATO officials many times made a point that the entire cyber Coalition exercise operates below Article 5, again, whatever that means. But I should note that it's actually a different part of the NATO charter that was more frequently mentioned by throughout my conversations and interviews that day, especially as it related to efficiency in information sharing. And that would be NATO Article 3. Here's Irene Gibson, who is a storyline briefer from NATO's Cyber and Digital Transformation Division.

F

Article 3, which is specifically says that allies may, and I'm quoting this so that I don't get it wrong, separately and jointly, by means of continuous and effective self help and mutual aid, maintain and develop their individual and collective capacity to resist an armed attack.

A

Keeping in mind that the NATO treaty was written in 1949, it's interesting to think what continuous and effective self help and mutual aid could mean in the context of cybersecurity. NATO's answer to that is improving speed and clarity of information. Truly the sharpest blade in the arsenal of the defender, being able to set separate that signal from the noise. And to do that, they've deployed a tool that they're calling the Virtual Cyber Incident Support Capability, or vsisc.

F

So VSISC is like a fancy phone, a friend. So oftentimes when nations experience cyber crises and they wish to request aid, they will do so bilaterally, which basically means nation A will talk to nation B and say, hey, I have this crisis, can you help me with it? This enables nation A to talk to 31 other nations at the same time and say, okay, I'm having this serious crisis and I'm interested in anyone who can help me that is an ally within NATO. The interesting thing about this is that in cyber we don't normally think of cyber as an armed attack. But the founding of Visus sort of elevated cyber to the concept of an attack where Article 3 doesn't just apply in terms of an armed attack. Article 3 can apply in terms of the cyber coming. This exercise is being run because increasingly cyber capabilities are really defining modern warfare. And frankly, cyber is one of our greatest force multipliers within NATO. And it's really a critical enabler to ensuring readiness and information superiority as well. I think oftentimes in the military sphere, as part of the military staff, we think of sort of classic concepts of defense, you know, like historic things like hard weapons, high quantity, visible assets. And I think it's important that in the modern era we have a fundamental paradigm shift to expanding those classic concepts to the constantly evolving cyberspace. And that means that we need iterative evolution and creativity. Because in cyber, to stand still is to be left behind.

A

At this point, I was pretty eager to actually see some of the people doing all of this crucial work and using these new tools. And after the briefing at the Estonian Ministry of Defense, we headed pretty much right next door to CR14, which is the facility that houses the NATO cyber range. Now, CR14 was even more locked down than the Ministry of Defense. For those that know the military parlance of a skiff, or sensitive compartmented information facility, that is essentially where we were headed.

C

A skiff is a space where highly sensitive military intelligence is shared, so security is intense. We were instructed to leave behind anything that could transmit a signal. No Wi fi or Bluetooth at all, which meant phones and laptops were obviously out. Personal smart devices had to go too, including my smartwatch and Maria's, along with earbuds. Thankfully, though, we were allowed to bring our audio recorder, since it doesn't have any radio capabilities.

A

And since I'm never without a notepad and pen, falling back on analog in a cyber range allowed me to take a few notes. As media, our presence in this military facility required specific protocol to protect classified information. Perhaps as a little girl in my wildest princess fantasy days, I might have dreamt of a dedicated escort and having my presence announced to a room before I entered it, but the reality of it was nothing like what kid me might have imagined. We were loudly announced before we entered any kind of room for the defender's benefit, not so they could look busy for us media types, but so they could specifically not look busy. Stop handling sensitive information. Close down important windows on your workstations. Don't talk about anything secret, everybody. The press is here. The inside of NATO's cyber range in many ways looked unremarkable and indistinguishable from an average and beige cube farm. I was relieved to not see anything flashy, because while complex dashboards and threat maps may look cool for cameras, that's the kind of thing you show to try and impress people who don't know any better. The real work of cybersecurity is decidedly unglamorous, and the cyber range cubicles lined a long room. Each cubicle was labeled with a nation's flag, with two or more service members representing their component commands from that nation seated at their workstations, heads down and typing away, or otherwise coordinating with larger teams back home, or sometimes teams that were in the room with them from other nations. The cyber range room had heavy coverings lining all of the windows, so absolutely no daylight or prying eyes could peep in. And in the center of the room was a table with a few snacks, because snacks are always a good idea. And of all things, a little paper turkey, like a Thanksgiving turkey table, centerpiece of all the things. Well, given that the Cyber Coalition exercise is two weeks long and starts just before US Thanksgiving does, when I got a chance to sit down with U.S. service members for an interview later that day, I had to ask about the turkey. Here's Candice Sanchez, chief of exercises for the 16th Air Force, telling me more.

G

There's a number of Americans out here. We're like, hey, let's just have Thanksgiving together. And then we started inviting our. Our partners to come over. And they, a lot of them, this was their first time experiencing Thanksgiving. We learned just recently this year, they like deviled eggs. We gave them the experience of. We brought cranberry sauce in a can. We brought it over so that they could have that experience as well. Some enjoyed it, some didn't, but it was definitely a staple we had to have. We found a turkey this year, thanks to our Estonia partner. They were able to find us a turkey in the local area, so we were able to do that.

A

The only other room that we went to at the NATO Cyber range was what I presume was a sock or something like one. All of the workstations were locked, and that's good. And the large monitors against the wall were off. And just like all the windows, many of the monitors were also physically covered with sheets. There wasn't really anything for us to see. And I couldn't help but shake the feeling that perhaps there was at some point going to be some kind of tech demonstration in here for us to see. But current events overruled, perhaps the fraught failed peace negotiation in Moscow, but that is just conjecture on my part. It bears repeating that NATO Cyber Coalition is a defensive military exercise on its own. It's kind of extraordinary that we even know of its existence. No one here is going to be imparting any tips and tricks here for the practitioner. Nor was there much concrete detail about what the defenders at this exercise did. So temper your expectations, okay? Without tipping their hand too much, NATO wants us to know that they are practicing for a lot of different scenarios. They also want any potential adversaries of NATO to know this as well. And over the course of the day, I found many interesting parallels on how over the years, this specific exercise seems to have followed the maturity of the cybersecurity world in general for a long time. When talking about tactics, tools and procedures, that last bit, the procedures seemed to Get a bit short changed compared to the tools. The promise of that single pane of glass, that one perfect tool from that vendor, that's definitely not over promising. That might be the silver bullet to make up for major gaps in security hygiene. Oh, if only tools are bits, they're a gadget. They represent potential for efficiency, maybe even ease. Generally they work or they don't. Binary. Humans, however, we're messy. We poke holes where they don't belong. We break things that we're doing just fine. So it stands to reason for both the industry and for military alliances like NATO that the human side of cybersecurity is where a lot of work remains to be done. And to me the best perspective on that is from Major Tobias Malm of the Swedish Armed Forces. He's been a participating member of the NATO Cyber Coalition for 13 years now. A highlight for me was hearing his thoughts on how much this cybersecurity exercise has changed.

H

When I started like 13 years ago, it was very focused on the technical part where you had these technical training audiences who solved some technical issues. And then it has developed to what it is today where you have much

A

more

H

complex system of sharing information. It's emphasis the importance of the cooperation within the alliance. So it has changed a lot, I would say. And when I look upon what Sweden has done during these years, we started with a technical team and today we have technical teams, we have the Cyber Command, we have the National Cyber Security center and a lot of other agencies within Sweden. So it's much larger and it's much more complex and it's more focused on operations and sharing of information, how do we do it, which system we use and etc.

A

It is always tempting to point to the technical solution and certainly there are those. But truly a lot of the growth and the challenges come down to the human factor. It's those three Cs again. Collaborate, cooperate, coordinate and in the end they're really one big C. Communicate the

H

whole domain with cyber, since it's, it's not geographically locked, we need to share information and work together with others and we need to train that because it's not as easy as you can imagined. So for us this exercise is very important to actually know which, which system should you use for which information, how do you pack the information, which information is relevant to the others and, and sort of just train how you communication I would say because we are usually not that good at communication as a human so we need to train that and, and this is an excellent opportunity to do that.

A

Thank you for listening to this second episode of our three part series. I enjoyed cracking open the time capsule of our day with NATO in Tallinn back on December 2, 2025. Hope you enjoyed coming along with us in our next part. We're staying in the present and reflecting on what we learned and the broader meaning for global cybersecurity in a fraught geopolitical moment. This episode was written and hosted by me, Maria Varmazes. It was produced by Liz Stokes, mixing, editing and sound design by Trey Hester. Our Executive Producer is Jennifer Ibin with content strategy by Mayan Plout. Peter Kilby is our publisher. Thank you so much for listening.