Reinventing Cyber Defence: Why We Need a New Doctrine to Defend Our Nations
With a change in its relationship with the US, Europe faces mounting pressure to strengthen its own cyber defences. Europe needs a new doctrine that places cyberspace at the heart of strategic planning, bridging civil and military domains for national resilience.
The recent shift in US strategic posture towards Europe and trade is beginning to reveal significant implications, particularly in cyberspace and the role of the private sector.
Europe must not only equip itself with a defence strategy that substantially boosts investment and enhances its own autonomous capabilities, but it must also reframe how it integrates the cyber domain within its broader defence architecture. This article outlines how Europe needs a new doctrine for defence in cyberspace and makes three key proposals to accelerate and consolidate civil-military cyber convergence.
While cyberspace has been formally recognised as the fourth operational domain – alongside land, sea, and air – this designation has yet to translate into making it a central pillar of defence strategy. Being recognised as a domain is not the same as being treated as central in strategic planning and operational doctrine.
Cyberspace is not only a theatre of operations in its own right; it is a critical enabler that underpins and intersects with all other domains. What remains lacking is the ‘how’ – the frameworks, doctrines, and institutional mechanisms needed to embed cyber at the heart of defence planning and execution, also covering the private sector.
Traditional defence doctrine is not readily applicable to cyberspace, due to the fundamentally different nature of the domain. Unlike kinetic environments, cyberspace does not conform to the laws of physical space, and it is shaped by a vastly different set of actors and dynamics.
The private sector plays a decisive role – not only as a provider of technology, but as the operator of essential national services. This dual dependence on infrastructure and private operators demands a radically new approach to integration, coordination, and resilience.
Traditional defence doctrine falls short in cyberspace, necessitating the transformation of National Cyber Coordination Centres into real-time operational hubs that integrate civilian, military, and critical infrastructure actors.
The Limits of Traditional Approaches
It is precisely this complexity that demands new frameworks and doctrines. Rather than treating it as an afterthought, the cyber domain must become a central pillar of Europe’s evolving defence architecture.
Unlike traditional battlefields, cyberspace operates as a single, interconnected domain where technological architecture serves multiple purposes simultaneously. A server that hosts military communications could be technically indistinguishable from one supporting critical financial infrastructure.
Therefore, traditional military strategies, designed for physical spaces governed by kinetic force, fall short in the cyber domain. A bullet, for instance, is universally recognised across contexts as a weapon. In contrast, a string of digital code has no inherent meaning until it is interpreted within a specific technological and operational framework – one that can vary dramatically depending on the context, the technology in question, and the identity of the operator.
This creates a strong link between the infrastructure and its cyber threat detection and attribution, making cyber defence significantly more complex.
To address the limits of traditional approaches, an Extended Permanent Cyber Defence Force composed of cybersecurity professionals embedded in their civilian roles should be established to optimise national resources and ensure scalable and rapid national cyber defence.
A Fragmented System: Gaps in Governance and Risk Management
Most cyberspace operators and assets are privately owned. Consequently, private enterprises are both the primary targets of cyberattacks and frontline defenders against these threats.
National cybersecurity agencies have developed regulatory frameworks aimed at fortifying critical infrastructure protections. However, while the private sector should not only comply with regulations but also proactively collaborate with governmental and military institutions to enhance collective defence mechanisms, this is currently missing from many cyber defence approaches.
The protection of critical infrastructures is almost everywhere the responsibility of civilian agencies, with little or no coordination with the defence side. While many countries have identified a connection between defence and national cyber authorities, these are often in the form of committees that are involved in case of conflicts or major incidents, as, for example, in the model adopted by the US with Presidential Policy Directive 42 of 2016, which creates a patchwork of overlapping authorities without a clear operational model.
The UK has been one of the first countries to promote an Integrated Operating Concept, which has been followed by a new version of the National Cyber Strategy that established the National Cyber Force (NCF), a joint unit between the MoD and GCHQ (intelligence), but only to conduct offensive cyber operations. The integrated operating model provides ambitious objectives around multidomain integration and develops an integration model that is different from operating and warfighting – something essential for cyber, as resilience can only be built over time in preparation for warfighting. But even these examples show we are still missing the definition of an operational doctrine to develop and fully implement the high-level objectives given by the strategies.
Given the often-overlooked web of interdependencies between infrastructures, the challenge is not just about protecting isolated systems but understanding how failures in one domain can cascade through interconnected systems. These connections form an intricate network where vulnerabilities in one sector can have profound ripple effects across others.
An even subtler form of dependency arises from shared technologies. Independent operators may unknowingly rely on the same technological components, such as widely used software or hardware platforms. A cyberattack exploiting a vulnerability in this shared technology could simultaneously compromise a vast array of seemingly unrelated infrastructures. A particularly telling example is the deployment of identical solar panel controllers across numerous independently managed facilities. In 2024 a targeted attack against this common technological point already disrupted energy generation on a relevant scale, effectively turning what appears to be a decentralised system into a single ‘virtual critical infrastructure’ with national-level consequences.
While many countries have established strong regulatory foundations and dedicated cybersecurity agencies, this must still translate into practical, effective action. Current frameworks often focus too heavily on individual infrastructures without fully considering the broader systemic risks posed by interconnectivity and technological convergence.
For example, countries such as the UK, France, Germany and Italy all place the onus of protection primarily on the individual operators, which are responsible for identifying threats and countermeasures almost autonomously. It is true that all four countries mention information sharing and early warning as key enablers, but most operators of essential services have not integrated cyber risk into their broader risk management frameworks and, on the other side, national authorities struggle to have a systemic view of the national and sectoral risks, as confirmed by the lack of standards and taxonomies for sharing threat scenarios and impact on critical services. Another confirmation comes from the separation in the EU DORA regulation and the NIS2 directive between incident reporting and information-sharing arrangements.
Building Integrated Civil-Military Cyber Ecosystems
The convergence between military and civilian authorities in cybersecurity has become an essential component of national and collective defence strategies across NATO and allied nations. Institutional configurations, such as NATO’s Integrated Cyber Defence Centre, the US Joint Cyber Defence Collaborative, and the UK’s National Cyber Security Centre, structurally embed cooperation between armed forces, intelligence agencies, civilian cyber authorities and critical infrastructure operators.
Joint cyber exercises – including NATO’s Cyber Coalition, US Cyber Guard, and Israel’s joint civil-military national drills (Cyber Dome) – serve as crucial testing grounds to rehearse coordinated responses to complex cyberattacks, strengthening interoperability between military cyber units, national CERTs, law enforcement and private-sector operators.
Information-sharing mechanisms have been formalised through platforms like NATO’s Malware Information Sharing Platform, the UK’s Cyber Information Sharing Partnership, and the US Cyber Information Sharing and Collaboration Program, ensuring rapid, bidirectional threat intelligence flows between defence entities and civilian stakeholders.
Public–private partnerships have expanded with initiatives such as the UK’s Defence Cyber Protection Partnership and Israel’s close industry-military ties, reflecting the recognition that national defence relies heavily on securing privately operated critical infrastructure. Additionally, innovative models, such as Estonia’s volunteer Cyber Defence League and Israel’s fluid workforce between military units and the tech sector, illustrate how talent and expertise can seamlessly operate across civil and military spheres.
While these convergence efforts have significantly matured, they often remain reactive, fragmented, or bound by temporary frameworks, primarily mobilised during crises rather than embedded as part of permanent national defence postures. Moreover, legal, cultural and operational barriers continue to slow the full institutionalisation of truly integrated civil-military cyber ecosystems. To overcome these limits, three decisive actions are needed to accelerate and consolidate civil-military cyber convergence into a cohesive and scalable model.
First, national cyber authorities should expand their strategies and frameworks to explicitly integrate the military dimension of cyber defence, establishing clear, permanent coordination mechanisms with armed forces to ensure comprehensive protection of national digital assets. This requires not only aligning responsibilities and processes but also fostering joint planning, information sharing and response protocols. At the NATO level, a common doctrinal and operational framework should be developed to guide member states, ensuring full interoperability in multinational contexts and enabling effective execution of multidomain operations, where cyber defence plays a critical role alongside traditional military domains.
Second, governments should expand the operational capabilities of their National Cyber Coordination Centres (NCCCs), transforming them into real-time operational hubs that integrate civilian, military and critical infrastructure actors. These centres should deliver shared situational awareness, fusing threat intelligence from military sources with civilian network monitoring to better predict the potential impacts of cyber threats on vital services and infrastructure. This joint operational picture would enable dynamic defence actions, improve proactive mitigation strategies and become indispensable during military operations that risk spilling over into the cyber domain – ensuring that civilian systems are defended and national resilience maintained during periods of heightened tension or conflict. Some countries such as the UK, France, Germany, Italy, Israel and Australia have already started this journey. Other national cyber authorities have started to integrate military personnel into their structure to create a stable channel with the military, like the Italian National Cyber Agency (ACN).
Third, an extended permanent cyber defence force (EPCDF) would address structural constraints and optimise national resources. This force would be composed of cybersecurity professionals who remain embedded in their civilian roles – whether in the private sector, critical infrastructure, research, or public administration – while being permanently integrated into national cyber defence efforts under military coordination.
Unlike traditional reservist models, the EPCDF represents a constant, distributed defence capability operating in parallel with formal military structures, ensuring that national cyber defence is not only scalable and rapid but also deeply rooted within the systems it protects. Through joint training, shared platforms, and active participation in national cyber defence strategies, this network of civilian professionals would operate as a standing line of defence, turning the entire national cyber ecosystem into a strategic asset for deterrence, resilience, and response in both peacetime and crisis.
Conclusion
These three actions would transform today’s fragmented and reactive collaborations into a coherent, institutional and enduring national defence framework, bridging the military, civilian and private sectors as a unified force to counter increasingly complex and persistent cyber threats.
In light of this strategic landscape, the development of new frameworks – and, in military terms, a new doctrine – is no longer optional; it is essential. Addressing the challenges outlined above requires institutional initiatives to accelerate the doctrinal process, overcoming the inertia and timelines that traditionally characterise defence reform. Within NATO, the pathway from early conceptualisation to full doctrinal maturity can take up to a decade. When factoring in external actors such as EU institutions, national authorities and private-sector critical infrastructure providers, that timeline could stretch to 20 years before tangible impact is realised.
This is clearly untenable. What is needed is a fundamental acceleration of doctrine development, anchored in a new model of private-sector participation from the outset. This must be accompanied by the immediate, agile adoption of core principles to guide collaboration, resilience, and readiness across sectors. Institutions like the European Union, NATO, and leading research centres must play a catalytic role in initiating this shift – one that aligns strategic urgency with operational agility to meet the moment.
© Andrea Rigoni, 2025, published by RUSI with permission of the authors.
The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.
WRITTEN BY
Andrea Rigoni
Guest Contributor