NATO today is facing threats of a scale and complexity it has not dealt with before. The Alliance’s eastern members—especially the Baltic states and Poland—are under constant pressure from cyberattacks, disinformation, and sabotage. Since 2014, the Kremlin has steadily expanded its hybrid warfare strategy against the West. Cyber operations, sabotage attempts, and systematic disinformation campaigns have been reported one after another in Poland, Romania, and the Baltic region, showing how much these threats have grown. Russian-backed operations often exploit loopholes in international law and institutional gaps, aiming to cause unrest without triggering a direct NATO response. As a result, these low-intensity “grey zone” attacks in cyberspace and the information sphere have become a serious test for NATO’s collective defense reflexes.

In May 2024, a massive fire broke out in a shopping mall in Warsaw, destroying more than 1,400 shops and businesses. Investigations linked the arson to Russian intelligence. This case shows how bold Moscow has become in its hybrid operations. In response, Polish authorities blamed Russian agents for the Warsaw fire and decided to close the Russian consulate in Kraków. European security agencies point out that Russia organizes similar acts of sabotage, sometimes against war-related targets in Ukraine and sometimes at random locations, with the main goal of spreading fear and insecurity. For example, the 2024 arson attack on an IKEA store in Lithuania and several suspicious fires in the UK were also connected to Russian activity. These incidents reveal that even civilian infrastructure has become part of the hybrid battlefield and that destabilization within NATO’s borders is a deliberate objective.

NATO’s 2022 Strategic Concept gave a clear assessment of this new threat environment. In the earlier 2010 version, Russia was not even mentioned. But in 2022, it was described as the “most significant and direct threat.” Alliance leaders declared that the Euro-Atlantic area is no longer at peace and that Russia is openly violating the principles and norms that had ensured security. The document also stressed that NATO’s challenges are not only conventional military threats. “Malicious hybrid and cyber operations, together with aggressive rhetoric and disinformation,” are being used by authoritarian actors to weaken Allied societies and harm NATO’s security. This marked the first time that cyberspace and the information domain were placed at the center of NATO’s collective security framework. China was also mentioned for the first time as a challenge, with the document noting that Beijing seeks to undermine NATO’s values and interests through hybrid and cyber means, including disinformation.

This shift in the strategic concept has also shaped NATO’s structure. Back in 2016, the Alliance had already recognized cyberspace as its fifth operational domain, alongside land, sea, air, and space. In principle, a destructive cyberattack against one member can now trigger collective defense under Article 5. After 2021, NATO updated its Cyber Defence Pledge to strengthen deterrence and defense, calling for more investment in this field. At the 2023 Vilnius Summit, Allies confirmed plans on how they would respond together to a large-scale cyberattack, reinforcing the idea of “collective cyber defense.” NATO also announced the creation of an Integrated Cyber Defence Centre to further develop its capabilities. These steps show the Alliance’s determination to be more prepared and unified on the digital front. Yet in practice, NATO’s response still depends heavily on the initiative and political will of its member states. For instance, the “Counter Hybrid Support Teams” agreed upon in 2019 are deployed only upon request and so far have been used just once—in Montenegro, under heavy Russian pressure. These measures are important but not yet consistent or broad. NATO is still at an early stage in building a fast and flexible mechanism against hybrid threats.

One of NATO’s most innovative tools in this area is the network of Centres of Excellence created by member and partner states. The Strategic Communications Centre of Excellence (StratCom COE) in Riga, Latvia, and the Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, are among the most prominent. StratCom COE, a multinational hub accredited by NATO, focuses on disinformation, propaganda, and information warfare tactics. For example, in 2019–2020 it published a detailed report mapping Russian influence across Northern Europe and the Baltic information space, showing how pro-Kremlin narratives spread and which weaknesses in local media ecosystems were exploited.

The center was also among the first to study the threat of deepfakes, releasing a 2020 report that argued AI-generated fake videos and audio are real risks but often exaggerated, while the bigger issue remains ongoing disinformation campaigns. Alongside research, StratCom COE also provides training and exercises to NATO states. Still, an important point is that the center is not part of NATO’s formal command structure. This means its findings and advice only become action if member states choose to adopt them. In other words, StratCom COE helps diagnose problems and raise awareness, but its influence on NATO’s actual reflexes remains indirect.

The Cooperative Cyber Defence Centre of Excellence (CCDCOE) also acts as NATO’s main think tank and training hub in the cyber field. Established in Tallinn after the large-scale Russian cyberattacks against Estonia in 2007, the center now works with contributions from over 30 Allied and partner nations. Although it is not part of NATO’s official command structure, it has become the most broadly supported Centre of Excellence, with almost all Allies participating. CCDCOE provides expertise across technical, strategic, operational, and legal dimensions. Each year, it organizes large-scale cyber exercises such as Locked Shields, which test the skills of Allied teams. In the 2023 edition, teams from 38 countries worked together in real time to defend more than 5,500 information systems in a simulated cyberattack. Such exercises strengthen the protection of critical infrastructure while also proving the importance of international coordination in practice.

Another key contribution of CCDCOE is its work on legal and doctrinal gaps in cyberspace. The Tallinn Manual, drafted by international law experts, attempts to set principles on questions such as when a cyberattack counts as an armed attack and the limits of states’ rights to self-defense in cyberspace. This manual has become a central reference for NATO legal advisers and policymakers, helping to clarify the grey areas of cyber law. Its third version is now under preparation, further shaping NATO’s approach to the legal and ethical aspects of cyber defense. In short, CCDCOE not only develops know-how and human resources but also plays a central role in shaping the doctrines that form the basis of cyber deterrence.

The Centres of Excellence and the updated Strategic Concept show that NATO has made progress in recognizing threats and developing strategies. But when it comes to implementation and real-time reflexes, structural weaknesses remain. Hybrid attacks require coordination across institutions and disciplines, yet responsibilities within NATO are still fragmented. At NATO headquarters, the Joint Intelligence and Security Division monitors hybrid threats, while on the EU side, the East StratCom Task Force focuses on exposing Russian disinformation. However, as one analysis highlights, these bodies often operate with overlapping mandates and limited coordination, which undermines effectiveness.

Gaps in communication and unclear responsibilities mean that responses to hybrid threats are usually reactive and at the national level, which weakens overall deterrence. Since 2016, NATO has called for greater resilience against hybrid warfare, but areas such as countering disinformation are still mostly left to individual states. The Alliance has also been cautious about engaging directly in counter-propaganda, emphasizing instead the protection of open societies and democratic values. Official statements often condemn Russian disinformation but frame the issue mainly as a challenge for Allies to handle through national resilience measures. This results in a fragmented picture rather than a unified response. In short, NATO’s institutional reflex against hybrid attacks is strong in identifying and condemning the problem but still falls short when it comes to proactive action.

Among the hybrid threats NATO focuses on, the most worrying are combined scenarios where cyberattacks and disinformation overlap. The rise of AI-driven techniques is changing the face of information operations very quickly. Deepfake videos are the most striking example. It is now possible to create fake clips showing a political leader saying things they never actually said. In 2022, for instance, Ukrainian TV was hacked to broadcast a fake video of President Zelensky calling for surrender. Around the same time, rumors about Zelensky’s poor health were spread through local radio, aiming to damage morale. Even though these fakes were quickly exposed, they still succeeded in undermining public trust in media. Experts warn that artificial intelligence can expand disinformation both in scale and in sophistication.

Large language models can create social media accounts that are almost indistinguishable from real people and can generate thousands of convincing fake news stories in seconds. Voice-cloning technology can be used to broadcast emergency messages in the voices of presidents or generals, causing panic among the public. In the near future, advances in AI are expected to make deepfakes even easier to produce, while breakthroughs in quantum computing could threaten current encryption systems. All this risks blurring the line between truth and lies, leaving societies vulnerable. For this reason, NATO and its members will have to strengthen not only their technological defenses but also the awareness and resilience of their populations. Combating AI-driven disinformation will require not just technical solutions but also educated citizens and close cooperation between governments and the private sector.

AI-driven disinformation often works hand in hand with cyberattacks, multiplying its effect. Strikes against critical infrastructure are deepened by parallel information operations. Russia has long worked on combining conventional attacks with cyber and information fronts. Just before the invasion of Ukraine in 2022, malware such as HermeticWiper and WhisperGate was planted in government systems, destroying many computers and disabling the servers of banks and ministries. Even before the first shots were fired, many Ukrainians woke up to blank screens, as power grids and satellite internet in some areas had been knocked out. In Russian doctrine, creating such digital chaos is seen as preparation for physical assault.

This is not new: during the 2008 Georgia war, pro-Kremlin hacker groups launched DDoS attacks on government sites, while in 2014, phishing campaigns targeted Ukrainian officials ahead of the annexation of Crimea. In 2015, hackers linked to Russia infiltrated power distribution centers in western Ukraine, leaving 225,000 people without electricity. These operations were often paired with disinformation. For example, during the 2015 blackout, exaggerated rumors were spread through local media to fuel panic. Similarly, the 2022 sabotage of a major satellite internet provider (Viasat/KASAT) happened at the same time as Russian forces entered Ukraine, disrupting communications in Ukraine and parts of Europe. Clearly, cyberattacks and disinformation now function as a two-pronged weapon: when a cyber operation causes physical damage or service disruption, it is immediately reinforced with efforts to spread fear and confusion in the information space. In this way, attackers strike not only infrastructure but also the minds of societies.

Russia’s hybrid methods are tested most intensively in the eastern flank countries such as the Baltics and Poland. Geography and social-historical factors make them primary targets of Kremlin disinformation. Russian-speaking minorities in Latvia, Lithuania, and Estonia are often the audience of Moscow’s propaganda. Outrageous fake stories have been used to smear NATO’s presence in the Baltics. In 2017, for instance, a Lithuanian news site was hacked to publish a fabricated story that German NATO soldiers had raped a young girl. Although quickly debunked in local media, similar lies circulated in pro-Russian networks to stir anti-NATO sentiment. Between 2018 and 2020, the so-called “Ghostwriter” campaign revealed just how systematic these tactics had become.

Hacker groups linked to Russia infiltrated Polish and Lithuanian media outlets, replacing real articles with fake stories meant to discredit NATO. In one case, a Lithuanian newspaper’s archive was altered to include a fake report accusing German soldiers of desecrating a Jewish cemetery. In 2020, Polish websites carried fabricated quotes from American commanders mocking the Polish military, and a fake letter was posted on a military academy’s official site calling on Polish officers to resist “American occupation.” These texts were spread through email, boosted by bot accounts on social media, and repeatedly recycled. The goal was to plant distrust between NATO allies and raise suspicion about Allied troops. During the early COVID-19 pandemic, a fake letter claiming “NATO is withdrawing from the Baltics because of the outbreak” was even circulated under Stoltenberg’s name.

When researchers later connected at least 14 separate incidents reported since 2017, it became clear they were all part of a single long-term operation. Cybersecurity firms traced the actors back to the Kremlin and showed how the narratives matched Russia’s strategic interests. NATO officials admitted they were aware of the campaign but often avoided directly accusing Russia in public, preferring instead to use vague language about “certain disinformation attacks targeting the Alliance.”

These sophisticated operations, supported by state resources, aim to deepen social fault lines in the Baltics. Yet over time, the targeted countries have begun to build digital immunity. In Lithuania, volunteer “elf” groups fight disinformation online; Estonia has added digital literacy classes to school curricula; Latvia uses multilingual media to reach its Russian-speaking citizens. In short, the eastern flank states are trying to build their own resilience against information warfare. Still, because these efforts remain mostly national rather than fully integrated under NATO, the Kremlin continues to gain partial success with its divide-and-rule tactics.

The war in Ukraine, which broke out in 2022, has served as a testing ground full of hard lessons for NATO. The hybrid tactics that Russia had experimented with in the Baltics and Eastern Europe were deployed on a much larger scale in Ukraine. In the early days of the war, while Russian troops tried to advance on the ground, Moscow’s media machine spread lies to the world: claims that “Ukraine is run by neo-Nazis,” “the Russian army does not target civilians,” and “Ukraine is about to surrender.” To counter this wave of disinformation, NATO countries tried an unusual method—making intelligence public.

Before the invasion, the United States and Britain openly revealed that Russia was preparing false flag operations and false pretexts for war. This proactive transparency aimed to discredit Russia’s narrative before it could take shape, and it worked to some extent: the Kremlin failed to gain the international support it hoped for and found itself on the defensive in the information war. The Ukrainian government also proved highly skilled in strategic communication. President Zelensky addressed his people and the world daily through video messages, boosting morale and pressing the West for help. This created a form of “real-time truth diplomacy” that countered Russian disinformation.

Meanwhile, Russia’s cyberattacks had limited effect thanks to Ukraine’s preparations. For years, NATO and the EU had been supporting Ukraine with training and expertise in cyber defense. U.S. Cyber Command even conducted “hunt forward” operations before the war, identifying Russian malware inside Ukraine. When the invasion began, Europe showed unprecedented solidarity. In late 2023, the so-called Tallinn Mechanism was launched to coordinate cyber assistance for Ukraine. Within a year, it raised more than €200 million, trained hundreds of Ukrainian cyber specialists, and set joint priorities for protecting critical systems.

In 2025, large-scale exercises brought together 387 Ukrainian experts with international teams to practice detecting and repelling cyberattacks. Thanks to this, Ukraine became a model of digital resilience closely watched by the world. Behind the front lines, telecom teams repaired cables immediately after missile strikes, power plants set up backup systems despite repeated attacks, and Starlink provided more than 47,000 terminals to keep communication alive. In some schools, Wi-Fi routers were even installed in bomb shelters to ensure students and families stayed connected. These innovations showed that communication is a lifeline, even in war. Ukraine’s ability to quickly repair and sustain its digital infrastructure helped block one of Russia’s main goals—creating chaos and forcing rapid surrender in occupied areas.

Another lesson from the war was the need to adapt NATO’s idea of collective defense to the cyber and hybrid domain. In July 2025, the North Atlantic Council condemned Russia’s cyber operations in Ukraine, noting that similar activities were also being directed against NATO members. It singled out GRU-linked hacker groups targeting governments and critical infrastructure, framing these acts as part of the Kremlin’s aggression. For the first time, NATO explicitly described cyberattacks as a threat to collective security and reaffirmed that “the Alliance is committed to collective defense in cyberspace,” including joint responses if necessary. Following this, NATO decided to set up a new coordination center for cyber crisis management and to integrate national cyber defense plans.

Alongside this, NATO and the EU began to strengthen cooperation on critical infrastructure resilience. A joint working group, launched in 2023, produced a comprehensive report on protecting energy, transport, digital networks, and space systems. It recommended deeper information sharing and regulatory cooperation to defend against attacks on pipelines, undersea internet cables, and satellite networks. These initiatives were shaped by incidents such as the Nord Stream sabotage and the damage to the Finland–Estonia undersea cable. The lesson is clear: hybrid threats are a collective problem, and only a united response can effectively meet them.

At this stage, NATO has clearly improved its awareness and organizational capacity against digital and hybrid threats compared to a decade ago. From strategic documents to concrete structural steps, the Alliance shows signs of transformation. Eastern flank members in particular bring lessons from their own experience under attack to the NATO table, helping raise preparedness across the Alliance. The Baltic states feed their cyber defense know-how into NATO exercises to raise joint resilience, while Poland pushes for tougher measures against information warfare at both EU and NATO levels. Yet despite these improvements, critics argue that NATO’s performance against hybrid warfare is still not where it should be.

The first problem is decision-making speed. A 30-member alliance requires political consensus, which slows down reflexes. In fast-moving areas like disinformation, NATO lacks a joint response mechanism. Most of the time, it is national governments—not NATO—that reply to fake news campaigns. This gives propaganda more impact in its early stage. A second weakness is NATO’s limited authority in areas such as internal security or the civilian information sphere. For example, when outside interference was suspected during Romania’s 2024 elections, NATO could only express support, leaving the real burden on national institutions.

This plays directly into the hands of hybrid warfare practitioners, who seek fragmented and inconsistent responses. A third issue is ethical and legal restraint. Unlike authoritarian rivals, NATO avoids countering lies with lies, as this would betray its principles. But this moral high ground also makes the Alliance more vulnerable, as it faces opponents unconstrained by rules. Finally, NATO–EU coordination is still incomplete. The EU has created its own sanctions and countermeasures for disinformation and cyber espionage, but integration with NATO remains weak. For instance, while the EU sanctions Russian and Chinese entities for cyberattacks, NATO does not take a united stance, creating perceptions of double standards and institutional gaps.

All of this shows that NATO still has much to do in facing the challenges of the digital age. Just as it once built doctrines and force structures to counter conventional threats, today it must do the same in cyber and hybrid warfare. First, NATO should set clear red lines to strengthen deterrence. A destructive cyberattack on critical infrastructure or direct interference in democratic processes through disinformation must be declared unacceptable and matched with costs, whether political, economic, or even cyber countermeasures. Deterrence must be backed by real action: for example, coordinated sanctions on individuals and groups behind hybrid attacks or automatic intelligence-sharing among Allies when a cyber strike is detected. Some experts even suggest that NATO should consider limited offensive measures, striking back at identified Russian infrastructure responsible for repeated cyberattacks, not just defending passively.

In addition, NATO could create a permanent Hybrid Threats Task Force that brings together its Centres of Excellence and relevant EU institutions. Such a body could track disinformation in real time, build counter-narratives, and work with social media platforms to limit harmful content quickly. Combining NATO and EU efforts under a single umbrella would not only avoid wasting resources but also increase the overall impact of the response.

Beyond this, much more investment is needed in the social resilience dimension. While NATO is usually careful not to interfere directly in domestic affairs, it can still encourage media literacy programs in member states and give indirect support to civic initiatives that fight disinformation. On the eastern flank especially, targeted information campaigns are critical for communities more exposed to false narratives. The Alliance could deploy strategic communication experts fluent in Russian and other local languages to produce content that counters Kremlin propaganda.

This would not be counter-propaganda, but rather a way of presenting NATO’s values and the facts to local audiences. For example, when false stories attempt to demonize NATO troops in the Baltics, a joint communication strategy could highlight their real contribution to regional security, backed with concrete data. Similarly, in the context of AI-driven threats, NATO could work with technology companies to create standards for detecting and labeling deepfake content. The efforts of platforms like Facebook and X (Twitter) to fight disinformation could be made stronger with NATO’s support.

In the end, NATO must build a full-spectrum defense and deterrence strategy for the digital frontline. This strategy must protect not only networks and military systems but also the psychology of societies and the integrity of democratic institutions. Wars in the 21st century often begin long before tanks or missiles appear—they start at keyboards and behind cameras. The Alliance must stay alert and adapt quickly to the enemy’s tactic of “capturing minds first.” It must be remembered: an alliance does not need to be invaded to be defeated; if societies are internally weakened and lose trust in one another, the result is the same. NATO’s task is therefore to defend both the borders and the minds of its members. For this, it must be ready to adopt new and tougher policies when needed.

The mission of defending the free world now extends into cyberspace and the information domain. If NATO shows determination consistent with its values and fills the existing gaps quickly, the masters of hybrid warfare will face a far more resilient target than they expect. If not, the transatlantic security architecture of the digital age will continue to be tested at its weakest links—until the chain finally breaks. For this reason, building institutional reflexes suited to the digital era is not optional for NATO but a necessity. Achieving this through shared will and collective action will mean passing one of the greatest tests of collective defense in the 21st century.
