Learning to supply cyber capabilities
Montenegro, Costa Rica, Vanuatu, Albania and Ukraine have all experienced large-scale cyber incidents with significant effects. Government systems have been taken down and critical service delivery delayed or denied. In each case, international actors, notably governments such as the United States and France, and companies including Microsoft and AWS, have provided reactive cyber capability support.
This kind of ad hoc, reactive international cyber capability support is giving way to formalised mechanisms. For example, three such mechanisms have been spun up to provide cyber support to Ukraine: the private sector-led Cyber Defence Assistance Collaborative and the government-led Tallinn Mechanism and IT Coalition.
Taking lessons from Ukraine, international actors are creating and amending wider programmes for cyber capability support. While some are reactive to incidents, others aim to be proactive, providing preventative capabilities in anticipation of large-scale incidents.
National mechanisms include the US Cyberspace, Digital Connectivity, and Related Technology (CDT)-focused Foreign Assistance Fund and Australia’s Pacific-focused Cyber RAPID Teams. Multinational mechanisms include NATO’s Virtual Cyber Incident Response Capability (VCISC) and the EU’s PESCO Cyber Rapid Response Teams (CRRT). The EU has also proposed a Cyber Reserve.
As more resources are committed to these mechanisms, policymakers will face questions about their efficacy.
The term ‘cyber capability support’ (CCS) is not yet widely used. I apply it here to describe activities involving the direct provision of cyber security products and services that have immediate operational impacts with the goal of achieving short-to-medium-term objectives. Similar attempts to describe these kinds of activities have used the terms cyber defence assistance, deployed cyber defence, and cybersecurity support deployments.
Making mechanisms work
The first challenge is to decide the ‘impact objective’. Without a clear objective, decision-makers will struggle to buy into mechanisms. Moreover, without impact objectives, mechanisms will be prone to mission creep, taking on too many activities. Current mechanisms concentrate on security, humanitarian, influence, and commercial impacts. These fit within conventional foreign and security policy priorities and should continue to act as a guide for CCS.
Once the objectives have been identified, participating actors will ask what they stand to gain. Motivations include capturing telemetry and cyber threat information, denying adversaries, supporting allies and partners, receiving financial or other capital for providing support, and preserving a free, open, and secure cyberspace. The challenge for mechanisms is to understand who has what motivation, how and when this changes, and what the impact is when it does. For example, would private companies support Taiwan as they have Ukraine?
The private sector’s role in CCS mechanisms is significant. As in Ukraine, private companies have provided licenses, personnel, hardware, and other support in response to multiple large-scale cyber incidents. Governments or international organisations that attempt to operate a CCS mechanism without the private sector may be able to launch limited deployments, but they will be unable to scale activities.
Involving the private sector is not easy. National treasury departments will resist paying for long-term costs like software licenses. Companies that conduct CCS for non-financial reasons may be reluctant to participate in mechanisms that limit their decision-making power compared with acting alone.
Even if you can bring all the necessary actors to the table, programmes need funding. The US has committed around US$50 million annually to its CDT fund, the EU Cyber Reserve funding will be tens of millions of euros, and Australia is spending A$26.2 (US$17.4) million to establish Cyber RAPID. While significant, these commitments are a drop in the ocean when we consider that Microsoft states it has provided US$520 million in aid to Ukraine as of April 2024. Funding is further complicated by eligibility criteria. Can, for example, official development aid fund CCS mechanisms?
Presuming a mechanism has set a strategic objective and value proposition, has brought in the private sector, and has acquired funding, it still needs to measure and report on its activities. Some CCS activities, such as incident response, can leverage extensive data; for example, identifying and removing malicious network access is observable and measurable. Other activities, however, are less measurable. They either rely on inaccurate baselines to test effectiveness or they look to measure hard-to-grasp strategic impacts, such as whether adversaries are deterred.
Making mechanisms wobble?
While CCS mechanisms have proliferated, their unintended strategic impacts have been given patchy consideration in public. Privately, however, officials have expressed concern.
The knee-jerk response from some is that reactive mechanisms represent a moral hazard, dissuading potential recipients from investing in cyber security resilience. One solution is to make CCS responses conditional on certain domestic preparations. But this relies on a flawed assumption that the only cost of a large-scale cyber incident is the technical response. Lost revenue, social harms, and reputational cost are more than sufficient motivating factors.
A more substantial concern is how adversaries will understand and exploit CCS mechanisms.
It is not far-fetched to think adversaries will see CCS mechanisms as escalatory, particularly where there is an ongoing conflict. Deploying private or public sector capabilities to support partners in countering cyber incidents may be intended as a defensive action, yet it can be perceived as an offensive one. Adversaries may point to the mechanism’s activities as evidence of threatening behaviour and, in turn, feel justified in conducting hostile activity.
Adversaries may also look to exploit mechanisms. If a mechanism clearly states where, when, why, and how it will respond, adversaries may look to repeatedly and widely break the minimum threshold for response. This could trigger a waterfall of demand for CCS, straining mechanisms.
Political decision-making will ultimately decide when and where mechanisms operate. Nonetheless, clear thresholds for deployment and withdrawal are necessary to avoid excessive resource strain. Officials should integrate technical criteria into deployment decisions to provide nuance to political decision-makers. By including technical factors to determine response and withdrawal, decision-makers can be dissuaded from hasty deployment, and relationships with recipients can be insulated from necessary withdrawals. Even after adopting these measures, deciding when to activate and deactivate mechanisms will be controversial and carry a significant reputational risk.
A final strategic question is the legitimacy of the private sector within CCS mechanisms. Though companies are crucial to scaling CCS, are they legitimate in the same way as national governments? Are they engaged for the right reasons? And can they be counted on going forward?
Looking forward
Cyber capability support mechanisms are an interesting solution to large-scale cyber incidents. Ideally, they would be used infrequently, and cyber security capacity building would prevent incidents in the first place. The current climate makes this unlikely.
Assuming that mechanisms will be used regularly over the coming years, their members must therefore make them work as well as possible. As a foundation, mechanisms need clear objectives, a value case for those involved, private sector buy-in, sufficient funding, and efficient measurement. Nevertheless, strategic risks and uncertainties persist even when mechanisms have strong foundations.
The above article draws on research from a paper by the author published in NATO CCDCOE’s 16th International Conference on Cyber Conflict entitled ‘Innovations in International Cyber Support: Comparing Approaches and Mechanisms for Cyber Capability Support’.