Cybersecurity is about managing risks and to ascertain that, to a certain extent, proper procedures and adequate security measures are being taken. Exposed to constant cyber threats, military organisations rely on a vast number of communication and information systems. They require the capacity to assess, on a regular basis, the successful deployment of these security measures.
Cyber red teams (CRT) – commonly performing penetration testing – focus on threats from adversaries in the cyber world. They mimic the mind-set and actions of the attacker in order to improve the security of one’s own organisation. As a standing capability in a military environment, these tools can be used in order to enhance preparedness and improve training capacities.
Building on different doctrinal documents and best practices observed in the private sector, this study reviews the requirement and the possible barriers for military units to perform cyber red teaming. After clarifying the definition issues surrounding the notion of CRT, the study addresses and discusses the main policy, organisational, technical, and legal considerations regarding the implementation of military CRT. This study takes a broad approach as these implications are dependent on country-specific factors such as available resources and level of ambition for developing a cyber red teaming capability.