Cyber Resilience as a Pillar of NATO’s Evolving Deterrence Posture
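NATO and its partners face increasingly complex hybrid threats that target military and civilian infrastructure through cyber attacks. The article explores how advanced technologies and collaborative practices can be used to strengthen cyber resilience. Key points include fundamental security measures, advanced malware analysis, intelligence-led detection and response, exercise preparedness, and information-sharing mechanisms for collective defence. Through sustained investment in automated defence systems and a stronger cyber workforce, NATO aims to enhance its deterrence and limit adversaries' strategic gains.
2025-12-2 15:28:28 Author: www.vmray.com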

NATO and its partners face a rapidly evolving landscape of hybrid threats that continuously target both military and civilian infrastructures through cyberspace. This article explores how advanced cyber technologies and collaborative practices support resilient cyber defence operations for the Alliance.


Understanding Hybrid Threats

Hostile cyber operations against critical functions such as energy supply, communications, logistics and government services are a common tactic in hybrid warfare. The immediate effects of cyber attacks may only be local disruptions, yet the strategic intent is broader: to undermine confidence in institutions, create political friction and test Alliance cohesion below the threshold of armed conflict.

In this context, cyber resilience becomes a core element of deterrence. It is not only about preventing intrusions, but about ensuring that essential military and civilian functions can continue to operate even when networks are under sustained pressure. Cyber resilience does not stop adversaries from launching hybrid operations, but it limits the operational and political gains they can achieve.


Operational Capabilities for Cyber Resilience

Resilience begins with securing the fundamentals. Multi-factor authentication, timely patching, robust privilege management and effective network segmentation remain essential for limiting the impact of intrusions. Incidents such as NotPetya in 2017 demonstrated how failures in basic cyber hygiene can allow a single compromise to cascade across interconnected systems and supply chains, with effects that can reach national services and critical infrastructure.

Yet effective cyber resilience requires more than fundamental security controls. If adversaries gain initial access, they may deploy tailored malware or use legitimate administrative tools (living off the land) to move laterally, escalate privileges and target critical assets. Detecting and understanding this behaviour quickly is essential for limiting its impact and maintaining mission continuity. To achieve this level of situational awareness, defenders require capabilities that provide clarity about what has entered the environment, how it behaves and what risks it poses to critical functions.

Advanced Analysis of Malware and Phishing Activity

Automated analysis of suspicious files, URLs and emails plays an increasingly important role in identifying previously unseen malware, weaponised documents and targeted phishing attempts. The resulting behaviour-based evidence allows defenders to understand what a malicious object is doing, which systems are likely at risk and how an intrusion may unfold.

Integrated into Security Operations Centre workflows, automated analytical capabilities support triage, prioritisation and containment. This analytical automation is increasingly important as AI enables attackers to operate at a scale and speed that human cyber defenders alone cannot match.

Intelligence-Led Detection and Response

High-confidence threat intelligence – derived from internal analytical results and trusted external feeds – provides insight into tools, methods, and techniques used by hostile actors. When structured in standardised formats, this information supports both response and proactive activities such as detection engineering, threat hunting operations and risk assessments.

Exercises and Preparedness

Exercises and training bring all cyber defence elements together. Realistic cyber-range environments and large-scale events such as Locked Shields allow teams to rehearse decision-making under pressure and validate operational processes during a crisis. They also help NATO defence teams and relevant national authorities rehearse coordination across sectors and ensure that defensive playbooks function as intended.


Collective Defence Through Information Sharing

No single nation can achieve cyber resilience alone. Cyber campaigns frequently exploit cross-border dependencies in supply chains, digital services and critical infrastructure. Shared situational awareness and coordinated responses are therefore central to NATO’s cyber posture.

Timely exchange of validated threat information – including indicators of compromise, observed behaviours, and lessons identified – enables earlier and more consistent defensive action. This is particularly valuable when dealing with rapidly evolving malware variants or coordinated phishing campaigns that may target multiple Allies at once.


Considerations

Cyber resilience strengthens NATO’s deterrence posture by reducing the likelihood that adversary cyber operations will achieve meaningful strategic effects.

From this perspective, several focus areas emerge:

  • Sustained investment in building resilient and increasingly automated cyber defence systems that can evolve towards autonomy
  • Clear governance for automated and AI-supported autonomous defensive cyber systems, ensuring they operate transparently, use reliable data and remain under appropriate human control
  • Efficient mechanisms for generating, validating and sharing threat intelligence
  • Interoperable cyber capabilities that function across national and Alliance structures
  • Strengthening the cyber workforce through continuous training and joint exercises

By pursuing these efforts, NATO and its partners can ensure that cyber resilience becomes a fully embedded element of the Alliance’s deterrence posture, supporting mission continuity and limiting the strategic gains adversaries can achieve.


Source: https://www.vmray.com/cyber-resilience-as-a-pillar-of-natos-evolving-deterrence-posture/