Main Logo Expert commentary on tech and security

Learning to supply cyber capabilities

Joseph Jarnecki 10 June 2024
Share On:
As international cyber capability support mechanisms grow, they must also mature
Main Top Image
Image created with the assistance of Dall-E 2

Montenegro, Costa Rica, Vanuatu, Albania and Ukraine have all experienced large-scale cyber incidents with significant effects. Government systems have been taken down and critical service delivery delayed or denied. In each case, international actors, notably governments such as the United States and France, and companies including Microsoft and AWS, have provided reactive cyber capability support.

This kind of ad hoc, reactive international cyber capability support is giving way to formalised mechanisms. For example, three such mechanisms have been spun up to provide cyber support to Ukraine: the private sector-led Cyber Defence Assistance Collaborative and the government-led Tallinn Mechanism and IT Coalition

Taking lessons from Ukraine, international actors are creating and amending wider programmes for cyber capability support. While some are reactive to incidents, others aim to be proactive, providing preventative capabilities in anticipation of large-scale incidents. 

National mechanisms include the US Cyberspace, Digital Connectivity, and Related Technology (CDT)-focused Foreign Assistance Fund and Australia’s Pacific-focused Cyber RAPID Teams. Multinational mechanisms include NATO’s Virtual Cyber Incident Response Capability (VCISC) and the EU’s PESCO Cyber Rapid Response Teams (CRRT). The EU has also proposed a Cyber Reserve

As more resources are committed to these mechanisms, policymakers will face questions about their efficacy. 

The term ‘cyber capability support’ (CCS) is not yet widely used. I apply it here to describe activities involving the direct provision of cyber security products and services that have immediate operational impacts with the goal of achieving short-to-medium-term objectives. Similar attempts to describe these kinds of activities have used the terms cyber defence assistance, deployed cyber defence, and cybersecurity support deployments

Making mechanisms work 

The first challenge is to decide the ‘impact objective’. Without a clear objective, decision-makers will struggle to buy into mechanisms. Moreover, without impact objectives, they will be prone to mission creep, taking on too many activities. Current mechanisms concentrate on security, humanitarian, influence, and commercial impacts. These fit within conventional foreign and security policy priorities and should continue to act as a guide for CCS.

Once the objectives have been identified, participating actors will ask what they stand to gain. Motivations include capturing telemetry and cyber threat information, denying adversaries, supporting allies and partners, receiving financial or other capital for providing support, and preserving a free, open, and secure cyberspace. The challenge for mechanisms is to understand who has what motivation, how and when this changes, and what the impact is when it does. For example, would private companies support Taiwan as they have Ukraine? 

The private sector’s role in CCS mechanisms is significant. As in Ukraine, private companies have provided licenses, personnel, hardware, and other support to multiple large-scale cyber incidents. Governments or international organisations that attempt to operate a CCS mechanism without the private sector may be able to launch limited deployments, but they will be unable to scale activities. 

Involving the private sector is not easy. National treasury departments will resist paying for long-term costs like software licenses. Companies that conduct CCS for non-financial reasons may be reluctant to participate in mechanisms that limit their decision-making power compared with acting alone.

Even if you can bring all the necessary actors to the table, programmes need funding. The US has committed around US$50 million annually to its CDT fund, the EU Cyber Reserve funding will be tens of millions of euros, and Australia is spending A$26.2 (US$17.4) million to establish Cyber RAPID. While significant, these commitments are a drop in the ocean when we consider that Microsoft states it has provided US$520 million in aid to Ukraine as of April 2024. Funding is further complicated by eligibility criteria. Can, for example, official development aid fund CCS mechanisms? 

Presuming a mechanism has set a strategic objective and value proposition, has brought in the private sector, and has acquired funding, it still needs to measure and report on its activities. Some CCS activities, such as incident response, can leverage extensive data; for example, identifying and removing malicious network access is observable and measurable. Other activities, however, are less measurable. They either rely on inaccurate baselines to test effectiveness or they look to measure hard-to-grasp strategic impacts, such as whether adversaries are deterred. 

Making mechanisms wobble? 

While CCS mechanisms have proliferated, their unintended strategic impacts have been given patchy consideration in public. Privately, however, officials have expressed concern. 

The knee-jerk response from some is that reactive mechanisms represent a moral hazard, dissuading potential recipients from investing in cyber security resilience. One solution is to make CCS responses conditional on certain domestic preparations. But this relies on a flawed assumption that the only cost of a large-scale cyber incident is the technical response. Lost revenue, social harms, and reputational cost are more than sufficient motivating factors. 

A more substantial concern is how adversaries will understand and exploit CCS mechanisms.

It is not far-fetched to think adversaries will see CCS mechanisms as escalatory, particularly where there is an ongoing conflict. Deploying private or public sector capabilities to support partners in countering cyber incidents may be intended as a defensive action yet it can be perceived as an offensive one. Adversaries may point to the mechanism’s activities as evidence of threatening behaviour and, in turn, feel justified in conducting hostile activity. 

Adversaries may also look to exploit mechanisms. If a mechanism clearly states where, when, why, and how it will respond, adversaries may look to repetitively and widely break the minimum threshold for response. This could trigger a waterfall of demand for CCS, straining mechanisms. 

Political decision-making will ultimately decide when and where mechanisms operate. Nonetheless, clear thresholds for deployment and withdrawal are necessary to avoid excessive resource strain. Officials should integrate technical criteria into deployment decisions to provide nuance to political decision-makers. By including technical factors to determine response and withdrawal, decision-makers can be dissuaded from hasty deployment, and relationships with recipients can be insulated from necessary withdrawals. Even after adopting these measures, deciding when to activate and deactivate mechanisms will be controversial and carry a significant reputational risk. 

A final strategic question is the legitimacy of the private sector within CCS mechanisms. Though companies are crucial to scaling CCS, are they legitimate in the same way as national governments? Are they engaged for the right reasons? And can they be counted on going forward? 

Looking forward 

Cyber capability support mechanisms are an interesting solution to large-scale cyber incidents. Ideally, they would be used infrequently, and cyber security capacity building would prevent incidents in the first place. The current climate makes this unlikely. 

Assuming that mechanisms will be used regularly over the coming years, their members must therefore make them work as well as possible. As a foundation, mechanisms need clear objectives, a value case for those involved, private sector buy-in, sufficient funding, and efficient measurement. Nevertheless, strategic risks and uncertainties persist even when mechanisms have strong foundations.

The above article draws on research from a paper by the author published in NATO CCDCOE’s 16th International Conference on Cyber Conflict entitled ‘Innovations in International Cyber Support: Comparing Approaches and Mechanisms for Cyber Capability Support’

avatar
Joseph Jarnecki

Related

Featured image
Binding Edge
Responsibly disrupting cyber-enabled counterterrorism operations
Michael Genkin 8 October 2024
Read more arrow
Featured image
Binding Edge
Tech and security songs at full volume 
Alex Bollfrass 8 January 2024
Read more arrow
Featured image
Binding Edge
The magic of sophisticated cyber attacks
Max Smeets 4 December 2023
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 15 December 2024, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.