CyberWire Daily - Cyber without borders: The human side of cyber defense. [Special Edition]

Episode Date: February 23, 2026

In this second installment of our three-part series on Cyber Coalition 2025, Maria Varmazis, host of T-Minus Space Daily, and CyberWire Producer Liz Stokes take listeners inside a single day at NATO’s cyber headquarters in Tallinn, Estonia — focusing on the human side of cyber defense. Hosted by the NATO Cooperative Cyber Defence Centre of Excellence and led by NATO Allied Command Transformation, Cyber Coalition is a defensive-only exercise built around collaboration, coordination, and information sharing across allied nations. This episode highlights how that plays out in practice, from legal teams working through cross-border policy questions to military defenders coordinating with civilian infrastructure partners inside NATO’s secure cyber range. In case you missed the first episode of this three-part series, check it out here.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Welcome back to our special three-part series on NATO's 2025 Cyber Coalition exercise. I'm Liz Stokes, and in this second episode, we're diving into the day-to-day of cyber defense, how nations detect threats, deter attacks, and work together to defend critical networks. In this episode, my brilliant colleague Maria Varmazis will guide you through our journey in Tallinn, Estonia, sharing the sights, sounds, and human stories that bring this exercise to life. Together, we'll take you behind the scenes of one of the world's most complex and high-stakes
Starting point is 00:01:02 cyber exercises, meeting the people who make it happen and showing you why the human factor is just as important as the technology in defending against modern cyber threats. So, let's open our time capsule and step into a day at NATO's cyber range. Hi, everyone. Maria Varmazis here. And as I'm writing and reading this script, it's late January,
Starting point is 00:01:37 2026. And like a lot of us living in the United States, I am trying to make sense of fast-moving political turmoil, primarily comments and actions from the U.S. president that are quickly upending long-established geopolitical world order,
Starting point is 00:01:55 and causing a lot of global worry and outcry about how the United States treats its allies, along with the future of NATO and the United States' place in it or not. Now, this is not something I would normally share about the sausage-making of a podcast, but in this case, the greater context really matters. Quite simply, because the event you're about to hear about was recorded just before all of this upheaval really began. And all of that upheaval will undoubtedly influence how we and you interpret what we're about to share here. My colleague, producer Liz Stokes, will get you
Starting point is 00:02:39 a little bit up to speed now. Let's recap what we mentioned in the previous episode. Maria and I were in fact not in the United States, but in Tallinn, Estonia, during NATO's Cyber Coalition. It's a NATO cybersecurity exercise focused on cooperation, trust and mutual defense between allies. Much of it was happening quietly, far from the headlines. Since by the time we put this episode to air, there could be more geopolitical changes that may affect NATO. So we're going to treat this episode as a time capsule of what we saw and learned in one day where we were a guest of NATO at their cyber headquarters in Tallinn. We'll save our reflections on what we saw and what it all means for the third episode.
Starting point is 00:03:24 With that said, let's crack open our audio time capsule. Let me walk you through our day with NATO for the 2025 Cyber Coalition exercise. It is Tuesday, December 2, 2025. And we actually saw the sun and some blue sky for the very first and only time this morning for just a few minutes as we headed out from our hotel at 8:30 a.m. On our walk, Liz and I walked past the Estonian foreign ministry. The Estonian flag is flying proudly out front, and right next to it, same level and size, the Ukrainian flag. It's top of mind for me, and I'm sure many Estonians as well,
Starting point is 00:04:20 that later today, Russian President Putin is due to meet in Moscow with a U.S. envoy to negotiate a peace agreement in Ukraine. It's been all over the news just about everywhere we've gone. I get the impression that people don't have much faith that it'll happen, but hold out hope just in case. As Liz and I walk along, we quickly figure out that we're going in the right direction when we see a number of uniformed military soldiers walking along with us. We turn a corner and see a building with two cannons in front. It's the Estonian Ministry of Defense, and like the foreign ministry, out in front, the Estonian flag flies proud right alongside the Ukrainian flag. And a bonus, NATO's flag flies proudly on a flagpole out front.
Starting point is 00:05:15 After checking in at the Estonian Ministry of Defense, presenting our credentials and going through the understandably high level of security, we start our day with a full morning briefing describing this year's NATO Cyber Coalition exercise. We hear a crucial phrase a lot this morning and throughout the day. We mentioned it in episode one, but that phrase is collaboration, cooperation, coordination. We learn about all the various exercises that the defenders from across NATO nations and allied partner nations are working on. They're all ripped from the headlines type situations that would be familiar to cyber defenders. Network compromises, attacks on critical infrastructure, hacked backups, bread and butter situations for defenders in this line of work. And there were some that I didn't expect to see but was delighted to find out were there.
Starting point is 00:06:11 For example, a cyber readiness in space scenario, practicing what to do should a cyber attack occur on space-based assets and networks. And there was an exercise entirely for cyber legal teams to hash out. Makes sense for military legal teams to ponder Infosec law when they are at the home of the Tallinn Manual, after all. Now, I was really curious what a legal exercise would look like in this context. Major Tyler Smith, cyber operations attorney with the 16th Air Force, told me a bit more about his experience.
Starting point is 00:06:43 As we've been planning this, we try to think of questions, legal questions, to go along with the cyber play. How can we make this relevant to the different legal audiences? And information sharing is one of the key things that we focus on, right? And we're putting out questions that are requiring our legal audience to look at their nation and look at their national laws and look at their domestic policy on, hey, how do we share? How if this happened and we knew a partner was going to have or was having a similar thing, how do we do that? And so there's not an overriding international law basis to share that information. That's domestic policy, domestic law.
Starting point is 00:07:25 And so it's a good opportunity to kind of blend that international flavor of what we're doing, but then have them also honed down and look at, hey, well, how would we do this? If it was with this partner nation or that partner nation, how do we share it? So of the seven possible scenarios or storylines in the NATO parlance, including the legal one, it was ultimately up to the participating national teams to decide what they wanted to try out during the two-week exercise, one storyline or many, a veritable buffet of tabletop exercises to refine their tactics, tools, and procedures, while also finding and fixing gaps in their capabilities, solving new problems, threat hunting, patching, and still keeping vigilant against perennial threats,
Starting point is 00:08:25 and deterring and countering any adversarial action. And this being a military exercise, of course, adds an entire level of interesting complexity above what we might normally think of as tabletop exercises. The defensive work being practiced here is not just within a NATO alliance or a national military level, but importantly, it is also with national or international civilian industry. Think about it. Usually the military doesn't own the networks that it operates on, but military operations on that infrastructure can absolutely affect many, if not all of its users. So coordination, there's that word again, with the civilian side, is a major part of this exercise.
Starting point is 00:09:17 as is planning and understanding the operational effect of doing military operations on civilian cyber infrastructure, mitigating risk while still working effectively. And crucially, you've got to make sure you're not missing anything. And like any good training exercise, there were boundaries, of course. For example, everything was non-offensive work. No hackbacks, no red teaming. There are other exercises for that. Cyber Coalition is all about detection, deterrence, defense.
Starting point is 00:09:55 And while NATO was happy to share some information about the tools and tactics that they've been developing to aid their defenders, it was clear that the core of the entire exercise is really all about the human factor, getting people to talk to each other, learn how to better work with each other, find new ways to more efficiently gather
Starting point is 00:10:14 and quickly share the kinds of information that can turn the tide of battle. A phrase that can sound like hyperbole most of the time, but in this case, not an exaggeration. Here's U.S. Navy commander Brian Kaplan again on the human challenges at play. We would love the nations to, you know, jump right in and share stuff, but it's never the case.
Starting point is 00:10:38 You know, really it takes sometimes nations that have participated in the exercise for years. They're more comfortable. They have a better system in place, knowing what they can share, what they can't. Some of the newer nations that are participating, they're more timid to really either ask questions to other nations or provide information to nations.
Starting point is 00:11:02 So it is a challenge and the key for us to kind of keep things moving in the direction that we would like it to go, which is the collaboration, the coordination, and the cooperation, is to have mechanisms in place that kind of steer the nations during the storylines, to get them to kind of go outside their comfort zone, to coordinate and work with the nations to try to get further along in the story. Usually the reps that come from the nations during the planning cycle,
Starting point is 00:11:37 you know, by the time we execute, they have, you know, built a good rapport with the other representatives from the nation. So because we do icebreakers at events kind of to try to get people to communicate, talk, get comfortable. So when it comes to the execution part, they're more willing to help. Now, the more difficult part is their nation back at home to be willing to provide the representatives here with some of that information to then share it. So yes, it's definitely challenging, but it's a good challenge. And that's why we really have the exercise to kind of push those boundaries and get the flow of information, you know, up and down, left and right. And it really does help out. In our previous episode, I talked about NATO's Article 5, and that would be the
Starting point is 00:12:35 mutual self-defense clause. NATO officials many times made a point that the entire Cyber Coalition exercise operates below Article 5. Again, whatever that means. But I should note that it's actually a different part of the NATO Charter that was more frequently mentioned throughout my conversations and interviews that day, especially as it related to efficiency in information sharing. And that would be NATO Article 3. Here's Irene Gibson, who is a storyline briefer from NATO's Cyber and Digital Transformation Division.
Starting point is 00:13:11 Article 3, which specifically says that Allies may, and I'm quoting this so that I don't get it wrong, separately and jointly, by means of continuous and effective self-help and mutual aid, maintain and develop their individual and collective capacity to resist an armed attack. Keeping in mind that the NATO treaty was written in 1949, it's interesting to think what continuous and effective self-help and mutual aid could mean in the context of cybersecurity. NATO's answer to that is improving speed and clarity of information, truly the sharpest blade in the arsenal of the defender being able to separate that signal from the noise.
Starting point is 00:13:55 And to do that, they've deployed a tool that they're calling the virtual cyber incident support capability, or VCISC. So VCISC is like a fancy phone-a-friend. So oftentimes when nations experience cyber crises and they wish to request aid, they will do so bilaterally, which basically means nation A will talk to nation B and say, hey, I have this crisis. Can you help me with it? This enables Nation A to talk to 31 other nations at the same time and say, okay, I'm having this serious crisis and I'm interested in anyone who can help me that is an ally within NATO. The interesting thing about this is that in cyber,
Starting point is 00:14:35 we don't normally think of cyber as an armed attack, but the founding of VCISC sort of elevated cyber to the concept of an attack where Article 3 doesn't just apply in terms of an armed attack. Article 3 can apply in terms of the cyber domain. This exercise is being run because increasingly cyber capabilities are really defining modern warfare. And frankly, cyber is one of our greatest force multipliers within NATO. And it's really a critical enabler to ensuring readiness and information superiority as well. I think oftentimes in the military sphere,
Starting point is 00:15:12 as part of the military staff. We think of sort of classic concepts of defense, you know, like historic things, like hard weapons, high quantity, visible assets. And I think it's important that in the modern era, we have a fundamental paradigm shift to expanding those classic concepts to the constantly evolving cyberspace.
Starting point is 00:15:32 And that means that we need iterative evolution and creativity because in cyber, to stand still is to be left behind. At this point, I was pretty eager to actually see some of the people doing all of this crucial work and using these new tools. And after the briefing at the Estonian Ministry of Defense, we headed pretty much right next door to CR14, which is the facility that houses the NATO cyber range. Now, CR14 was even more locked down than the Ministry of Defense. For those that know the military parlance of a SCIF or sensitive compartmented information facility
Starting point is 00:16:23 that is essentially where we were headed. A SCIF is a space where highly sensitive military intelligence is shared. So security is intense. We were instructed to leave behind anything that could transmit a signal. No Wi-Fi or Bluetooth at all, which meant phones and laptops were obviously out. Personal smart devices had to go too, including my smartwatch and Maria's, along with earbuds. Thankfully, though, we were allowed to bring our audio recorders
Starting point is 00:16:54 since they don't have any radio capabilities. And since I'm never without a notepad and pen, falling back on analog in a cyber range allowed me to take a few notes. As media, our presence in this military facility required specific protocol to protect classified information. Perhaps as a little girl in my wildest princess fantasy days, I might have dreamt of a dedicated escort
Starting point is 00:17:17 and having my presence announced to a room before I entered it. But the reality of it was nothing like what kid me might have imagined. We were loudly announced before we entered any kind of room for the defenders' benefit, not so they could look busy for us media types, but so they could specifically not look busy. Stop handling sensitive information, close down important windows on your workstations, don't talk about anything secret, everybody, the press is here. The inside of NATO's cyber range in many ways looked unremarkable and indistinguishable from an average and beige cube farm.
Starting point is 00:17:58 I was relieved to not see anything flashy, because while complex dashboards and threat maps may look cool for cameras, that's the kind of thing you show to try and impress people who don't know any better. The real work of cybersecurity is decidedly unglamorous. And the cyber range cubicles lined a long room. Each cubicle was labeled with a nation's flag, with two or more service members representing their component commands from that nation, seated at their workstations, heads down and typing away, or otherwise coordinating with larger teams back home, or sometimes teams that were in the room with them from other nations. The cyber range room had heavy coverings lining all of the windows, so absolutely no daylight or prying eyes could peep in. And in the center of the room was a table with a few snacks, because snacks are always a good idea. And of all things, a little paper turkey, like a Thanksgiving turkey table centerpiece of all the things?
Starting point is 00:18:58 Well, given that the Cyber Coalition exercise is two weeks long and starts just before U.S. Thanksgiving does, when I got a chance to sit down with U.S. service members for an interview later that day, I had to ask about the turkey. Here's Candace Sanchez, Chief of Exercises for the 16th Air Force, telling me more. There's a number of Americans out here. We're like, hey, let's just have Thanksgiving together. And then we started inviting our partners to come over. And a lot of them, this was their first time experiencing Thanksgiving. We learned just recently this year, they liked deviled eggs.
Starting point is 00:19:34 We gave them the experience of we brought cranberry sauce in a can. We brought it over so that they could have that experience as well. Some enjoyed it. Some didn't. but it was definitely a staple we had to have. We found a turkey this year. Thanks to our Estonia partner, they were able to find us a turkey in the local area,
Starting point is 00:19:49 so we were able to do that. The only other room that we went to at the NATO Cyber Range was what I presume was a SOC, or something like one. All of the workstations were locked, and that's good. And the large monitors against the wall were off, and just like all the windows, many of the monitors were also physically covered with sheets. There wasn't really anything for us to see.
Starting point is 00:20:12 And then I couldn't help but shake the feeling that perhaps there was, at some point, going to be some kind of tech demonstration in here for us to see, but current events overruled. Perhaps the fraught failed peace negotiation in Moscow, but that is just conjecture on my part. It bears repeating that NATO Cyber Coalition is a defensive military exercise. On its own, it's kind of extraordinary that we even know of its existence. No one here is going to be imparting any tips and tricks here for the practitioners, nor was there much concrete detail about what the defenders at this exercise did. So temper your expectations, okay? Without tipping their hand too much, NATO wants us to know that they are practicing for a lot of different scenarios.
Starting point is 00:21:05 They also want any potential adversaries of NATO to know this as well. And over the course of the day, I found many interesting parallels on how over the years this specific exercise seems to have followed the maturity of the cybersecurity world in general. For a long time when talking about tactics, tools, and procedures, that last bit, the procedures, seemed to get a bit shortchanged compared to the tools. The promise of that single pane of glass, that one perfect tool from that vendor, that's definitely not over-promising, that might be the silver bullet to make up for major gaps in security hygiene.
Starting point is 00:21:45 Oh, if only. Tools are bits, gadgets. They represent potential for efficiency, maybe even ease. Generally, they work or they don't. Binary. Humans, however, we're messy. We poke holes where they don't belong. We break things that were doing just fine. So it stands to reason for both the industry and for military alliances like NATO that the human side of cybersecurity is where a lot of work remains to be done. And to me, the best perspective on that is from Major Tobias Malm of the Swedish Armed Forces. He's been a participating member of the NATO Cyber Coalition for 13 years now.
Starting point is 00:22:27 A highlight for me was hearing his thoughts on how much this cybersecurity exercise has changed. When I started like 13 years ago, it was very focused on the technical part where you had this technical training audiences who solved some technical issues. And then it has developed to what it is today, where you have a much more complex system of sharing information, its emphasis, the importance of cooperation within the alliance. So it had changed a lot, I would say. And when I look upon what Sweden has done during these years, we started with a technical team and today we have technical teams, we have the cyber command, we have the national cybersecurity center and a lot of other agencies within Sweden.
Starting point is 00:23:26 So it's much larger and it's much more complex and it's more focus on operations and sharing of information, how do we do it, which system we use and etc. It is always tempting to point to the technical solution and certainly there are those, but truly a lot of the growth and the challenges come down to the human factor. It's those three Cs again. Collaborate, cooperate, coordinate. And in the end, there's really one big C, communicate. The whole domain with cyber, since it's not geographically locked, we need to share information and work together with others.
Starting point is 00:24:18 And we need to train that because it's not that easy, as you can imagine. So for us, this exercise is very important to actually know which system should you use for which information, how do you pack the information, which information is relevant to the others and sort of just train how you communication, I would say, because we are usually not that good at communication as a human. So we need to train that. And this is an excellent opportunity to do that.
Starting point is 00:24:59 Thank you for listening to this second episode of our three-part series. I enjoyed cracking open the time capsule of our day with NATO in Tallinn back on December 2, 2025. Hope you enjoyed coming along with us. In our next part, we're staying in the present and reflecting on what we learned and the broader meaning for global cybersecurity in a fraught geopolitical moment. This episode was written and hosted by me, Maria Varmazis. It was produced by Liz Stokes. Mixing, editing, and sound design by Trey Hester.
Starting point is 00:25:42 Our executive producer is Jennifer Ibin, with content strategy by Mayon Plout. Peter Kilpe is our publisher. Thank you so much for listening.
