With Russian cyberattacks on the rise, NATO nations ready to play offense
People walk by a departures board after a cyberattack caused delays at Brussels Airport in Zaventem, Belgium, Sept. 20, 2025.
Harry Nakos/AP
Tallinn, Estonia
A cyberattack shut down some of Europe鈥檚 biggest airports last month聽鈥 including London Heathrow, Berlin Brandenburg, and Brussels聽鈥 stranding thousands of passengers as hackers held online data for ransom. The target, Collins Aerospace, builds check-in systems for airlines, but it had also recently scored a contract to help NATO wage electronic warfare.
It was yet another in a series of high-profile cyber incursions in Europe. A few months earlier, hackers opened a Norwegian dam鈥檚 floodgates by exploiting a weak password 鈥 a mixture of real-life and cyber sabotage that authorities attributed to Russia.
Such cyberstrikes are on the rise, warns a report this month by the European Union鈥檚 Agency for Cybersecurity, and they are often carried out by China and Russia to 鈥渆rode the resiliency鈥 of Western nations.
Why We Wrote This
As China and Russia try to weaken NATO nations through cyberattacks, the alliance is responding with plans for better coordination 鈥 including for counterattack.
NATO, as a result, is beefing up its cyberdefenses and is getting better at tracking online intruders, compiling databases of hacks that experts liken to fingerprints. Internally, alliance members are also wrestling with questions at the heart of deterrence. These include strategizing about when to play defense and when to go on offense. NATO member states are also debating what sort of cyberattacks merit real-world military retaliation.
Offensive cyberwarfare is not a topic traditionally discussed openly among NATO officials. But like the online landscape itself, this is rapidly changing.
鈥淪ometimes, an attack is the best defense,鈥 says Lt. Col. Christoph K眉hn, the chief of staff at NATO鈥檚 Cooperative Cyber Defense Center of Excellence here in Estonia鈥檚 capital, once a major medieval trade center and now a culture and technology hub.
As officials here on the digital front lines grow accustomed to repelling increasingly sophisticated waves of cyberattacks, they are more willing, analysts say, to discuss the benefits of rooting around in adversaries鈥 systems.
鈥淵ou can train teams to defend when under attack. You can also 鈥 and we have to be able to talk about it 鈥 train offensive teams,鈥 says Lauri Almann, former permanent secretary of the Estonian Defense Ministry. 鈥淧assive defense [alone] is not an option.鈥
There is also a psychological aspect to it: Playing offense, Mr. Almann adds, helps officials understand the mindset of cyber adversaries.
Yet, as some NATO members develop more offensive-style cyber capabilities, the alliance is grappling with how these moves, which might bolster the security of the whole, could also compromise hard-won cybersecrets of individual member states by inadvertently revealing capabilities or showing key cards in the cyberdefense hands of other states as well.
鈥淚t鈥檚 a very complicated kind of dance,鈥 says Hans Horan, a strategic analyst at the Hague Center for Strategic Studies who specializes in cyberthreat intelligence and security. 鈥淗ow do you engage in a cyberattack while ensuring that the priorities of the individual nation-states aren鈥檛 compromised in the process?鈥
On the forefront of cyberdefense
NATO was not particularly interested in improving its cyber offenses, or defenses for that matter, back in 2004.
That was the year Estonia joined NATO. It was also the year that officials in Tallinn, warily eyeing the Kremlin, suggested the alliance set up a special center to study cyberwarfare.
The idea was promptly rejected by NATO officials at the time.
But officials in Tallinn forged ahead, and the city built its own research arm. 鈥淚t was one of the best decisions鈥 his country of just 1.3 million people 鈥 a population the size of Dallas 鈥 has ever made, says Mr. Almann.
In 2007, Estonia became the first NATO member to be the victim of a massive cyberattack targeting a country, widely considered one of the first major examples of cyberwarfare. The attacks were attributed to pro-Russian groups responding to the Estonian government鈥檚 decision to relocate a Soviet-era war memorial, the 鈥淏ronze Soldier,鈥 a sore point for Estonia and Russia. The attack went on for weeks. But Estonia fought back, thanks in part to the war-gaming exercises it had been conducting.
After that, Estonian officials convinced NATO to set up the cyber center they had proposed three years earlier.
Since then, Mr. Almann has applied what he learned at the Defense Ministry to launch a company, CybExer, that builds online practice ranges. Clients, including European government agencies and airport executives, pay to 鈥減ractice鈥 responding to artificial cyberattacks.
Behind him, a simulated map of London lights up on a cyber range as cell towers stop working and electrical grids collapse.
The war-gaming scenarios here are varied: A plane refueling pump at an airport gate won鈥檛 stop, and in a matter of minutes, a runway could be filled with gasoline. In another, the cooling system of an internet server farm is hacked, causing a fire聽鈥 echoing an event that actually happened in Estonia.
Even officials who might not be steeped in computer know-how can wrestle with big-picture problems, Mr. Almann says. 鈥淚n cyber security, not all questions are technical.鈥 They might involve everything from which system shutdowns society will demand be addressed first to whether to pay a ransom demand.
Similarly, just down the road at NATO鈥檚 Cyber Center, there are war-gaming exercises in which participants are not simply trying to eject intruders and erect firewalls, but also practicing the critical art of strategic decision-making, Lieutenant Colonel K眉hn says.
During a single exercise, some 8,000 virtual systems might be subjected to 8,000 simulated cyberattacks from criminal gangs, state-sponsored actors, or the states themselves. It is a chance for participants to practice responses, he adds. 鈥淎re they going to say, 鈥榊ou have attacked us, so we鈥檙e attacking you?鈥 That is strategic thinking, and we try to train this.鈥
Offense, defense, or survival?
Within the cyber realm, there are NATO members that are primarily defensive-minded and others more inclined to attack. Regardless, some have recently decided they now have little choice but to go on the offensive, Lieutenant Colonel K眉hn says.聽
These counterattacks are typically not the sort of good-guy sabotage that plays out in spy films. Instead, they most likely involve reconnaissance operations, or lurking, in adversaries鈥 systems. Anything that involves crossing from a state鈥檚 own system into the system of another state is considered an offensive operation.
NATO, as an alliance, has no offensive cyber capabilities of its own, so part of the NATO cyber center鈥檚 role in Tallinn is to help countries develop policies on that front.
鈥淲e give the right and left border, and it鈥檚 the governments鈥 [job] to decide鈥 their own strategies and policies, Lieutenant Colonel K眉hn says.
The challenge is, however, that this every-nation-for-itself framework can create a disjointed approach to cyber challenges within the alliance, says Mr. Horan of the Hague Center.
Some members, for example, prefer not to share secrets with countries that they believe don鈥檛 take cybersecurity seriously. For example, when Spain signed a contract with the Chinese corporation Huawei to provide components for its 5G infrastructure, it caused 鈥渜uite a big kerfuffle鈥 within NATO, Mr. Horan adds, about whether countries should continue trading intelligence with Madrid.
鈥淲e don鈥檛 share as much evidence as we should,鈥 acknowledges T玫nis Saar, the director of NATO鈥檚 Cooperative Cyber Defense Center of Excellence. 鈥淭hat鈥檚 definitely one thing which we should practice more.鈥
But there is progress on other fronts, analysts say. NATO countries are gradually getting better at attributing cyberattacks as they build databases that track different hacker styles.
Lieutenant Colonel K眉hn uses the example of fingerprints that are indexed in crime labs. When they first started being used, 鈥測ou didn鈥檛 have a lot of examples,鈥 he says. 鈥淣ow, we are getting more and more.鈥
Still, the improvement is what he describes as 鈥渁 small amount better. Not, like, hugely better.鈥
At the same time, the question remains of how NATO should respond once it identifies the culprit in a hack. The problem with retaliation is that it often reveals adversaries鈥 vulnerabilities that attacking countries would rather keep secret until they absolutely must use them.
There has also been debate about invoking Article 5, the pledge of NATO members make to treat an attack on one member as an attack on all.
When the Geneva Conventions were created, no one was thinking about whether a computer virus should be considered a weapon or an attack that could result in retaliation, Lieutenant Colonel K眉hn says. 鈥淎nd it鈥檚 not quite clear yet.鈥
At the same time, cyberattacks are 鈥渕uch, much more sophisticated鈥 than they were back in 2007, Mr. Almann says, when Russia laid online siege to the Estonian government.
There should not be 鈥渁ny automaticity鈥 to invoking Article 5, though there could come a time when these attacks warrant it, he adds, if they usher in 鈥渃onsequences and the kind of damage that we haven鈥檛 seen yet.鈥