Cyber without borders: The human side of cyber defense.

Liz Stokes: Hello, welcome back to our special three-part series on NATO's 2025 Cyber Coalition exercise. I'm Liz Stokes, and in this second episode, we're diving into the day-to-day of cyber defense, how nations detect threats, defer attacks, and work together to defend critical networks. In this episode, my brilliant colleague, Maria Varmazis, will guide you through our journey in Tallinn, Estonia, sharing the sights, sounds, and human stories that bring this exercise to life. Together we'll take you behind the scenes of one of the world's most complex and high-stakes cyber exercises, meeting the people who make it happen, and show you why the human factor is just as important as the technology in defending against modern cyber threats. So let's open our time capsule and step into a day at NATO's Cyber Range. [ Music ]

Maria Varmazis: Hi, everyone, Maria Varmazis here, and as I'm writing and reading this script, it's late January 2026. Like a lot of us living in the United States, I am trying to make sense of fast moving political turmoil, primarily comments and actions from the U.S. President that are quickly upending long-established geopolitical world order and causing a lot of global worry and outcry about how the United States treats its allies, along with the future of NATO and the United States' place in it or not. Now, this is not something I would normally share about the sausage making of a podcast, but in this case, the greater context really matters, quite simply because the event you're about to hear about was recorded just before all of this upheaval really began, and all of that upheaval will undoubtedly influence how we and you interpret what we're about to share here. My colleague, producer Liz Stokes, will get you a little bit up to speed now.

Liz Stokes: Let's recap what we mentioned in the previous episode. Maria and I were, in fact, not in the United States, but in Tallinn, Estonia, during NATO's Cyber Coalition. It's a NATO cybersecurity exercise focused on cooperation, trust, and mutual defense between allies. Much of it was happening quietly, far from the headlines. Since by the time we put this episode to air there could be more geopolitical changes that may affect NATO, we're going to treat this episode as a time capsule of what we saw and learned in one day where we were a guest of NATO at their Cyber Headquarters in Tallinn. We'll save our reflections on what we saw and what it all means for the third episode.

Maria Varmazis: With that said, let's crack open our audio time capsule. Let me walk you through our day with NATO for the 2025 Cyber Coalition exercise. [ Music ] It is Tuesday, December 2, 2025, and we actually saw the sun and some blue sky for the very first and only time this morning for just a few minutes as we headed out from our hotel at 8:30 a.m. On our walk, Liz and I walked past the Estonian Foreign Ministry. The Estonian flag is flying proudly out front, and right next to it, same level and size, the Ukrainian flag. It's top of mind for me and I'm sure many Estonians, as well, that later today, Russian President Putin is due to meet in Moscow with a U.S. Envoy to negotiate a peace agreement in Ukraine. It's been all over the news just about everywhere we've gone. I get the impression that people don't have much faith that it'll happen but hold out hope just in case. [ Music ] As Liz and I walk along, we quickly figure out that we're going in the right direction when we see a number of uniformed military soldiers walking along with us. We turn a corner and see a building with two cannons in front. It's the Estonian Ministry of Defense, and like the Foreign Ministry, out in front, the Estonian flag flies proud right alongside the Ukrainian flag, and a bonus, NATO's flag flies proudly on a flagpole out front. After checking in at the Estonian Ministry of Defense, presenting our credentials, and going through the understandably high level of security, we start our day with a full morning briefing describing this year's NATO Cyber Coalition Exercise. [ Music ] We hear a crucial phrase a lot this morning and throughout the day. We mentioned it in Episode 1, but that phrase is "collaboration, cooperation, coordination." We learn about all the various exercises that the defenders from across NATO nations and allied partner nations are working on. They're all ripped from the headlines type situations that would be familiar to cyber defenders -- network compromises, attacks on critical infrastructure, hacked backups, bread-and-butter situations for defenders in this line of work, and there were some that I didn't expect to see but was delighted to find out were there. For example, a cyber readiness in space scenario, practicing what to do should a cyberattack occur on space-based assets and networks, and there was an exercise entirely for cyber legal teams to hash out. Makes sense for military legal teams to ponder InfoSec law when they are at the home of the Tallinn Manual after all. Now, I was really curious what a legal exercise would look like in this context. Major Tyler Smith, Cyber Operations attorney with the 16th Air Force, told me a bit more about his experience.

Major Tyler Smith: As we've been planning this, we try to think of questions, legal questions to go along with the cyber play. How can we make this relevant to the different legal audiences? Information sharing is one of the key things that we focus on, right? We're putting out questions that are requiring our legal audience to look at their nation and look at their national laws and look at their domestic policy on, hey, how do we share? How, if this happened and we knew a partner was going to have or was having a similar thing, how do we do that? And so, there's not an overriding international law basis to share that information. That's domestic policy, domestic law. And so, it's a good opportunity to kind of blend that international flavor of what we're doing, but then have them also hone down and look at, hey, well, how would we do this if it was with this partner nation or that partner nation? How do we share? [ Music ]

Maria Varmazis: Of the seven possible scenarios or story lines in the NATO parlance, including the legal one, it was ultimately up to the participating national teams to decide what they wanted to try out during the two week exercise, one storyline or many, a veritable buffet of tabletop exercises to refine their tactics, tools and procedures, while also finding and fixing gaps in their capabilities, solving new problems, threat hunting, patching, and still keeping vigilant against perennial threats and deterring and countering any adversarial action. This being a military exercise, of course, adds an entire level of interesting complexity above what we might normally think of as tabletop exercises. The defensive work being practiced here is not just within a NATO alliance or a national military level, but importantly, it is also with national or international civilian industry. Think about it. Usually, the military doesn't own the networks that it operates on, but military operations on that infrastructure can absolutely affect many, if not all of its users. So coordination -- there's that word again -- with the civilian side is a major part of this exercise, as is planning and understanding the operational effect of doing military operations on civilian cyber infrastructure, mitigating risk, while still working effectively. Crucially, you've got to make sure you're not missing anything, and like any good training exercise, there were boundaries, of course. For example, everything was non-offensive work. No hackbacks, no red teaming, there are other exercises for that. Cyber Coalition is all about detection, deferment, defense, and while NATO was happy to share some information about the tools and tactics that they've been developing to aid their defenders, it was clear that the core of the entire exercise is really all about the human factor, getting people to talk to each other, learn how to better work with each other, find new ways to more efficiently gather and quickly share the kinds of information that can turn the tide of battle, a phrase that can sound like hyperbole most of the time, but in this case, not an exaggeration. Here's U.S. Navy Commander Brian Kaplan again on the human challenges at play.

Brian Kaplan: We would love the nations to, you know, jump right in and share stuff, but it's never the case. You know, really, it takes, sometimes, nations that have participated in the exercise for years. They're more comfortable. They have a better system in place, knowing what they can share, what they can't. Some of the newer nations that are participating, they're more timid to really either ask questions to other nations or provide information to nations, so it is a challenge, and the key for us to kind of keep things moving in the direction that we would like it to go, which is the collaboration, the coordination, and the cooperation, is to have mechanisms in place that kind of steer the nations during the storylines to get them to kind of go outside their comfort zone, to coordinate and work with the nations to try to get further along in the story. Usually, the reps that come from the nations during the planning cycle, you know, by the time we execute, they have, you know, built a good rapport with the other representatives from the nation. So these -- we do icebreakers at events kind of to try to get people to communicate, talk, and get comfortable so when it comes to the execution part, they're more willing to help. Now, the more difficult part is their nation back at home to be willing to provide the representatives here with some of that information to then share it. So, yes, it's definitely challenging, but it's a good challenge, and that's why we really have the exercise, to kind of push those boundaries and get that flow of information, you know, up and down, left and right. It really does help out. [ Music ]

Maria Varmazis: In our previous episode, I talked about NATO's Article 5, and that would be the mutual self-defense clause. NATO officials many times made a point that the entire Cyber Coalition Exercise operates "below Article 5," again, whatever that means, but I should note that it's actually a different part of the NATO charter that was more frequently mentioned throughout my conversations and interviews that day, especially as it related to efficiency in information sharing. That would be NATO Article 3. Here's Irene Gibson, who is a storyline briefer from NATO's Cyber and Digital Transformation Division.

Irene Gibson: Article 3, which is -- specifically says that allies may, and I'm quoting this so that I don't get it wrong, "Separately and jointly by means of continuous and effective self-help and mutual aid, maintain and develop their individual and collective capacity to resist an armed attack."

Maria Varmazis: Keeping in mind that the NATO treaty was written in 1949, it's interesting to think what "continuous" and effective," "self-help and mutual aid" could mean in the context of cybersecurity. NATO's answer to that is improving speed and clarity of information, truly the sharpest blade in the arsenal of the defender, being able to separate that signal from the noise. To do that, they've deployed a tool that they're calling their Virtual Cyber Incident Support Capability or VSISC.

Irene Gibson: So VSISC is, like, a fancy phone or friend. Oftentimes, when nations experience cyber crises and they wish to request aid, they will do so bilaterally, which basically means Nation A will talk to Nation B and say, hey, I have this crisis. Can you help me with it? This enables Nation A to talk to 31 other nations at the same time and say, okay, I'm having this serious crisis, and I'm interested in anyone who can help me that is an ally within NATO. The interesting thing about this is that in cyber, you know, we don't normally think of cyber as an armed attack, but VSISC -- the founding of VSISC sort of elevated cyber to the concept of an attack, where Article 3 doesn't just apply in terms of an armed attack. Article 3 can apply in terms of the cyber domain. This exercise is being run because, increasingly, cyber capabilities are really defining modern warfare, and frankly, cyber is one of our greatest force multipliers within NATO. It's really a critical enabler to ensuring readiness and information superiority as well. I think, oftentimes, in the military sphere, as part of the military staff, we think of sort of classic concepts of defense, you know, like, historic things like hard weapons, high quantity, visible assets, and I think it's important that in the modern era, we have a fundamental paradigm shift to expanding those classic concepts to the constantly evolving cyberspace. That means that we need iterative evolution and creativity because in cyber to stand still is to be left behind. [ Music ] [ Background Discussion ]

Maria Varmazis: At this point, I was pretty eager to actually see some of the people doing all of this crucial work and using these new tools, and after the briefing at the Estonian Ministry of Defense, we headed pretty much right next door to CR14, which is the facility that houses the NATO Cyber Range. [ Background Discussion ] Now, CR14 was even more locked down than the Ministry of Defense. For those that know the military parlance of a SCIF or Sensitive Compartmented Information Facility, that is essentially where we were headed.

Liz Stokes: A SCIF is a space where highly sensitive military intelligence is shared, so security is intense. We were instructed to leave behind anything that could transmit a signal, no Wi-Fi or Bluetooth at all, which meant phones and laptops were obviously out. Personal smart devices had to go, too, including my smartwatch and Maria's, along with earbuds. Thankfully, though, we were allowed to bring our audio recorders since it doesn't have any radio capabilities.

Maria Varmazis: Since I'm never without a notepad and pen, falling back on analog in the Cyber Range allowed me to take a few notes. As media, our presence in this military facility required specific protocol to protect classified information. Perhaps as a little girl in my wildest princess fantasy days, I might have dreamt of a dedicated escort and having my presence announced to a room before I entered it, but the reality of it was nothing like what kid me might have imagined. We were loudly announced before we entered any kind of room for the defenders' benefit, not so they could look busy for us media types, but so they could specifically not look busy. Stop handling sensitive information, close down important windows on your workstations, don't talk about anything secret. Everybody, the press is here. [ Background Discussion ] The inside of NATO's Cyber Range in many ways looked unremarkable and indistinguishable from an average and beige cube farm. I was relieved to not see anything flashy, because while complex dashboards and threat maps may look cool for cameras, that's the kind of thing you show to try and impress people who don't know any better, the real work of cybersecurity is decidedly unglamorous, and the Cyber Range cubicles lined a long room. Each cubicle was labeled with a nation's flag, with two or more service members representing their component commands from that nation seated at their workstations, heads down and typing away or otherwise coordinating with larger teams back home or sometimes teams that were in the room with them from other nations. The Cyber Range room had heavy coverings lining all of the windows, so absolutely no daylight or prying eyes could peep in. In the center of the room was a table with a few snacks because snacks are always a good idea, and of all things, a little paper turkey, like a Thanksgiving turkey table centerpiece of all the things. Well, given that the Cyber Coalition exercise is two weeks long and starts just before U.S. Thanksgiving does, when I got a chance to sit down with U.S. service members for an interview later that day, I had to ask about the turkey. Here's Candace Sanchez, Chief of Exercises for the 16th Air Force, telling me more. [ Music ]

Candace Sanchez: There's a number of Americans out here. Were like, hey, let's just have Thanksgiving together, and then we started inviting our partners to come over, and a lot of them, this was their first time experiencing Thanksgiving. We learned just recently this year they like deviled eggs. We gave them the experience of we brought cranberry sauce in a can. We brought it over so that they could have that experience as well. Some enjoyed it, some didn't, but it was definitely a staple we had to have. We found a turkey this year thanks to our Estonia partner. They were able to find us a turkey in the local area, so we were able to do that.

Maria Varmazis: The only other room that we went to at the NATO cyber range was what I presume was a SOC or something like one. All of the workstations were locked, and that's good, and the large monitors against the wall were off, and just like all the windows, many of the monitors were also physically covered with sheets. There wasn't really anything for us to see. Then I couldn't help but shake the feeling that, perhaps, there was, at some point, going to be some kind of tech demonstration in here for us to see, but current events overruled, perhaps the fraught failed peace negotiation in Moscow, but that is just conjecture on my part. [ Music ] It bears repeating that NATO cyber coalition is a defensive military exercise. On its own, it's kind of extraordinary that we even know of its existence. No one here is going to be imparting any tips and tricks here for the practitioner, nor was there much concrete detail about what the defenders at this exercise did, so temper your expectations, okay? Without tipping their hand too much, NATO wants us to know that they are practicing for a lot of different scenarios. They also want any potential adversaries of NATO to know this, as well, and over the course of the day, I found many interesting parallels on how, over the years, this specific exercise seems to have followed the maturity of the cybersecurity world in general. For a long time, when talking about tactics, tools, and procedures, that last bit -- the procedures -- seemed to get a bit shortchanged compared to the tools. The promise of that single pane of glass, that one perfect tool from that vendor that's definitely not overpromising, that might be the silver bullet to make up for major gaps in security hygiene, oh, if only. Tools are bits. They're a gadget. They represent potential for efficiency, maybe even ease. Generally, they work or they don't, binary. Humans, however, we're messy. We poke holes where they don't belong. We break things that were doing just fine, so it stands to reason for both the industry and for military alliances like NATO, that the human side of cybersecurity is where a lot of work remains to be done. To me, the best perspective on that is from Major Tobias Malm of the Swedish Armed Forces. He's been a participating member of the NATO Cyber Coalition for 13 years now. A highlight for me was hearing his thoughts on how much this cybersecurity exercise has changed.

Tobias Malm: When I started, like, 30 years ago, it was very focused on the technical part where you had these technical training audiences who solved some technical issues. Then it has developed to what it is today where you have a much more complex system of sharing information, its emphasis, the importance of cooperation within the alliance. So it has changed a lot, I would say, and when I look upon what Sweden has done during these years, we started with a technical team, and today, we have technical teams. We have the Cyber Command. We have the National Cyber Security Center and a lot of other agencies within Sweden, so it's much larger and it's much more complex, and it's more focused on operations and sharing of information. How do we do it, which system we use, and etc. [ Music ]

Maria Varmazis: It is always tempting to point to the technical solution, and certainly, there are those, but truly, a lot of the growth and the challenges come down to the human factor. It's those three Cs again -- collaborate, cooperate, coordinate. In the end, the really one big C -- communicate.

Tobias Malm: The whole domain with cyber, since it's not geographically locked, we need to share information and work together with others. We need to train that because it is not as easy as you can imagine, so for us, this exercise is very important to actually know which system should you use for which information? How do you pack the information? Which information is relevant to the others and sort of just train how you -- communication, I would say, because we are usually not that good at communication as a human, so we need to train that. This is an excellent opportunity to do that. [ Music ]

Maria Varmazis: Thank you for listening to this second episode of our three-part series. I enjoyed cracking open the time capsule of our day with NATO in Tallinn back on December 2, 2025. Hope you enjoyed coming along with us. In our next part, we're staying in the present and reflecting on what we learned and the broader meaning for global cybersecurity in a fraught geopolitical moment. This episode was written and hosted by me, Maria Varmazes. It was produced by Liz Stokes, mixing, editing and sound design by Tré Hester. Our Executive Producer is Jennifer Eiben, with content strategy by Ma'ayan Plaut. Peter Kilpe is our Publisher. Thank you so much for listening. [ Music ]