Cybersecurity transcends national boundaries in many ways: The internet’s technical infrastructure is global in scope; threat actors based in one country can disguise their identities by taking control of computers in other countries; global businesses sell software, hardware, and security services that may introduce or combat vulnerabilities; and the consequences from a disruptive attack can spread far beyond the initial victim. Even the most cyber-savvy country cannot protect itself completely unless it wants to disconnect from the global internet and strictly limit who can use information technology and for what purposes inside its own borders. And this course of action is infeasible because it would result in dire consequences for the national economy, military, and all other systems that depend on advanced information technology. International cooperation to improve cybersecurity is a much more realistic and viable path. Information sharing is the most commonly promoted type of international cooperation, but very little is known about what type of cybersecurity information is currently being shared with whom, for what purposes, and under what conditions.
As a first step towards answering this larger question, the International Cybersecurity Information Sharing Project undertook to survey, catalog, and analyze publicly available government-to-government cybersecurity-related sharing agreements to determine what types of information various governments have committed to share, and to identify gaps in information sharing. The ultimate aim of the larger project is to assess how multilateral cybersecurity sharing practices can be encouraged and improved in order to strengthen global cybersecurity.
The project team started from the assumption that formal cyber sharing agreements and memoranda of understanding (MoU) are an important part of the foundation for the development of norms on cyber cooperation. Over the past several years, various international fora have reiterated that sharing information about cyber threats and vulnerabilities, national approaches to cyber protection, best practices, incidents of concern, and response mechanisms could increase mutual cybersecurity while reducing risks of misunderstandings and conflict.
Different types of information sharing can be used to improve cybersecurity in various ways. By sharing threat perceptions and national policies, states can better understand each other’s concerns and priorities. By conducting multilateral exercises and sharing best practices for protection of networks, critical infrastructure, and software/hardware, states can help each other ensure safe data transfer across borders. Cooperation to build capacity in states with weaker infrastructure for managing the use of information and communications technologies (ICTs) can help in identifying threats and responding to crises.
This research found that cybersecurity information agreements are more numerous, but less specific than anticipated. The project documented and analyzed 196 agreements involving 116 different countries and 2,349 signatures. Extensive signature of agreements and associated commentary shows widespread accord on the principle that information sharing is necessary. However, it is unclear how much and what type of information sharing occurs in practice. Few agreement texts are public, and those that are often use vague language. And, despite the potential benefits of sharing more cyber-security information, many disincentives and logistical barriers remain. This project collected as much information as possible, not only about what states have agreed to do, but also what they actually do, and why they make those choices.
After a brief summary of the approach taken and some limitations encountered, the study provides summary statistics about international cyber information sharing agreements. It then looks in more detail at sharing agreements and behaviors by some of the most active and/or important countries in regional organizations, and in multilateral fora that have focused on this topic. A summary of key findings, conclusions, and next steps is followed by annexes with more methodological information and texts for some of the most important agreements.