Cyber Rapid Response Teams: Structure, Organization, and Use Cases
Cyber rapid response teams are becoming an increasingly prevalent form of incident response and mitigation at the national and supranational level. Nation-states and international organizations have begun building out teams to efficiently manage incidents and leverage expertise across borders.
Over the past two decades, NATO and the EU have each developed their own rapid response teams to manage and mitigate the rise in cyberattacks, including incidents that cut across borders and affect international partners. Yet, many questions remain regarding a team’s composition, organizational and legal structures, as well as their overall efficacy.
Under the EU’s Permanent Structured Cooperation (PESCO) arrangement – which is part of the EU’s Security and Defense Policy (CSDP) – Lithuania and several other member states created the Cyber Rapid Response Teams and Mutual Assistance in Cyber Security (CRRT) project in 2018. These teams are generally collaborative between military and civilian organizations. Lithuania leads the CRRT PESCO project, which currently consists of seven participating states (Belgium, Croatia, Estonia, the Netherlands, Poland, Romania, and Slovenia) and five observer states (Finland, France, Greece, Italy, and Spain). The leadership of the CRRT rotates annually among the participating states, with Lithuania maintaining the co-lead function. Although the project has conducted several cyber exercises since its inception, the first CRRT was activated in late February 2022 in support of Ukraine but was never deployed due to the Russian ground invasion.
The inaugural exercises in 2018 – named Cyber Shield / Amber Mist – revealed key weaknesses in the CRRT arrangement, including member states’ uncertainty regarding their own cyber response expertise.2 CRRT membership has also shifted over the past five years: Spain and Finland moved from active membership to observer status, while Germany was an observer but has now left the project entirely. Belgium and Slovenia recently joined the CRRT team as participating states, and in early 2023 Czechia and Denmark also expressed interest in joining the project. Overall, the CRRT project is intended to create a shared repository of cyber expertise and capabilities, and ultimately to foster expanded EU resilience in the face of cyberattacks.