Men in black – NATO’s cybermen

  • 24 Apr. 2015
  • Last updated: 24 Apr. 2015 14:57

There are six men. All dressed in black like the ones in the famous movie. They have black cases too but they are not using their technology to erase your memory. Their name: NATO Rapid Reaction Team, or RRT. Their aim: to provide assistance to NATO nations or facilities suffering a cyber attack.


"The RRT can act on very short notice to deal with an attack that affects the operational capability of a NATO system during a crisis or to assist a member state, at its request, in the event of a significant cyber attack at national level," says Jean-François Agneessens, a cyber security expert at the NATO Communications and Information Agency (NCIA) in Mons, Belgium.

He is one of six civilian members of the RRT who can be deployed to NATO sites, in operational theatres or in support of an Ally, in order to provide technical assistance or respond to incidents arising from a cyber attack.

Cyber threats are becoming more intense and complex. Every day, NATO has to manage more than 200,000,000 events; after analysis, about ten on average turn out to be sophisticated attacks requiring remedial action.

Cyber attacks can have devastating consequences, potentially as serious as conventional attacks with bombs and tanks. For this reason, cyber defence is considered part of the Alliance’s collective defence commitment under Article 5 of the North Atlantic Treaty. The decision to send the RRT to help an Ally is taken by the North Atlantic Council, the Alliance's highest political decision-making body.

Experts with complementary profiles

Trained at the Belgian Royal Military Academy and a former army officer, Jean-François is familiar with security flaws in the communication protocols of information systems. He is also in charge of a pool of cyber experts who can be called on to reinforce the RRT.

Jean-François and the other RRT members have complementary skills: they are experts in security audits, system penetration tests, forensics or computer code. They work out of the NATO cyber defence centre, which is situated in Mons, Belgium, and is responsible for NATO's front-line cyber defence.

RRT members have all the equipment they need in a few black travel cases: computer and telecommunications equipment, instruments for intrusion detection, forensic analysis (remote or on the affected system), vulnerability analysis, network security, etc.

Jean-François and his colleagues train regularly with this kit and act out various scenarios for assistance in the event of cyber attacks. "We try to imagine what we might be called for, what equipment would be needed, what skills would be required, and where they can be found. We study all the most likely scenarios and the responses."

Improve responsiveness

In order to remain operational, RRT members take part in NATO exercises in which they can practise their ability to respond to a crisis, in realistic conditions.

Jean-François tested his responsiveness during the international exercise “Locked Shields”, held on 22-23 April 2015 and organised by the NATO Cooperative Cyber Defence Centre of Excellence, the Alliance’s cyber defence think-tank. During this 48-hour war game, which involved 15 experts from each of the 15 participating nations, he and the other RRT members simulated deployment to a fictitious country under cyber attack. Their mission was to restore the primary drone control facility of this fictitious NATO member state and help secure the auxiliary control system which can take command of the military drones.

In November 2014, during another exercise called “Cyber Coalition”, cyber activists managed to take control of the aerial detection system of a NATO AWACS surveillance aircraft deployed on an operation. The RRT was sent to an airbase in Greece to identify the problem and put the aircraft back into service as quickly as possible. 

Defence against other types of sophisticated cyber attack was also tested during Exercise Cyber Coalition, ranging from the hacking of deployed forces’ smartphones with malware to the kidnapping of a senior NATO officer’s family in order to blackmail him into stealing thousands of classified data records from the Alliance's military networks.

"The RRT will never take action in respect of an ordinary cyber defence problem or day-to-day cyber attacks," says Jean-François. And the deployment of the RRT is never planned – it is a last resort. "We must be prepared for action in an unknown environment – we may not know which infrastructure network, or what software we will be faced with. All these unknowns make it harder for us to be prepared, but this difficulty is what makes our job even more attractive," he adds.

The support of external experts

"Cyber espionage, or dormant codes which can disable national or NATO systems, pose new threats with a higher level of sophistication, and the Alliance and the nations must be well prepared against them," says Jean-François. In addition, the development of Cloud-type environments, with virtual services and machines, presents more and more security problems for which NATO and the private sector have to find joint solutions.

The malicious cyber attacks used in all recent crises show that it is important for the Alliance to have a comprehensive approach to cyber defence and acquire skills and appropriate tools.  

“The RRT is actually a modest resource; however, it constitutes a strategic core capability which would be reinforced, as needed, by experts from nations, when NATO is responding to an assistance request from a nation,” states Suleyman Anil, Head of the Cyber Defence Section of the Emerging Security Challenges Division at NATO Headquarters.

These national experts from Computer Emergency Response Teams (CERT) are not the only ones involved in such reinforcement. "We work with industry to exchange security information and also to identify the profiles of experts in certain areas of technology who could contribute to the team," says Jean-François. The NATO-Industry Cyber Partnership, agreed by Allies at the 2014 Wales Summit, helps to strengthen this cooperation with industry.


  • NATO’s main cyber responsibility is to defend its own networks, while Allies protect theirs. NATO also helps Allies to boost their defences. NATO does this by sharing information about threats, by helping to develop capabilities, and through education, training and exercises.
  • The creation of the Rapid Reaction Team was a result of the Alliance's revised cyber defence policy of 2011, which was enhanced at the 2014 Wales Summit and is now part of the Alliance’s collective defence framework.
  • Cyber attacks could reach a level posing a threat to the prosperity, security and stability of the Euro-Atlantic states, and their impact could be just as disastrous as a conventional attack. At the Wales Summit, NATO leaders decided that a cyber attack could trigger Article 5, the Alliance’s collective defence clause.
  • The NATO Computer Incident Response Capability (NCIRC) is responsible for the defence of NATO's communication and information systems.