Join us at Binding Hook Live on October 27 at Underbelly Boulevard Soho in London
Join us at Binding Hook Live
Request an invite
Main Logo Expert commentary on tech and security

Sowing the seeds of enhanced cybersecurity cooperation within the G7

Massimo Marotti / Matteo E. Bonfanti / Giovanni Faleg 12 May 2025
Share On:
Officials from the Italian National Cybersecurity Agency discuss the challenges and successes of creating the new G7 Cybersecurity Working Group
Main Top Image
G7 leaders at the June 2024 Apulia Summit. Photo: Adam Schultz/The White House

At the June 2024 Apulia Summit, Group of Seven (G7) leaders affirmed their resolve to work together to counter strategic threats and hold malicious cyber actors to account. They committed to taking concrete steps to improve collective resilience through the newly established G7 Cybersecurity Working Group, injecting unprecedented political fuel into this new G7 vehicle.

The authors of this article worked at the core of the Italian National Cybersecurity Agency (ACN) task force mandated to put together the new G7 Cybersecurity Working Group, proposed under Italy’s G7 leadership in 2024. In this piece, we reflect on the development of this working group, as well as its challenges and successes.

Why a new cybersecurity group matters for the G7

Cyber threats and risks are ubiquitous and rising. Ransomware attacks, for instance, increased globally by 74% in 2023. The cyber threat landscape features an ever-growing number of actors and an ever-greater variety, intensity, and complexity of attacks. The 2024 Munich Security Conference report indicated that G7 nations consider cyberattacks their second most significant threat. Italy alone suffers 10% of global cyberattacks; in 2024, a quarter of incidents in the manufacturing sector worldwide were against Italian companies. 

Meanwhile, the provision of cybersecurity does not keep up with the pace of threats. Shortages of skills, capacities, and policy solutions undermine the protection of digitalised societies and their core assets from cyberattacks. The frequently cross-border nature of cybersecurity risks, combined with the pressing need to ensure safe and secure technological innovation, makes transnational cooperation and governance a political imperative.

For these reasons, G7 leaders have stepped up efforts to enhance the security and resilience of cyberspace.

Existing initiatives at the G7 and the need for a new working group

G7 cyber initiatives range from cyber diplomacy and cybercrime prevention to financial sector cybersecurity and the resilience of technological innovation and digital transformation. 

The Ise-Shima Cyber Group, established in 2016, strengthens collaboration among G7 foreign ministries to promote security and stability in cyberspace. The initiative aims to encourage responsible state behaviour in cyberspace, build confidence and protect individuals, societies, and the shared principles of rule of law and democratic values, while reaping the benefits of technology.

The Cyber Expert Group, founded in 2015, coordinates cybersecurity policy and strategy across the eight G7 jurisdictions to improve financial cyber resiliency. It also operates as a channel for sharing information, assessing the financial threat landscape and facilitating incident response. 

Yet, as the G7 members gradually established cybersecurity agencies, the opportunity – and rationale – emerged for a dedicated platform to harmonise their approaches and tackle shared challenges, enabling the G7 to take more coordinated action.

The goal of the G7 Cybersecurity Working Group was to permanently connect the diverse agencies and centres for cybersecurity in the G7 countries plus the European Union. In the G7, national cybersecurity agencies and centres are embedded in diverse institutional frameworks, each reporting to distinct political authorities. The working group aims to create a community of practice among like-minded agencies, built on shared values, shared interests, and a shared vision for the future of the cyberspace, bridging institutional divides to solve common problems and strengthen national and collective security. 

The working group facilitates transnational interagency cooperation, including adaption of tools and operating standards and sharing of knowledge and good practices, while pursuing national security interests. 

How did it happen?

Building the G7 Cybersecurity Working Group took several intense months and a singular focus: joining forces. The Italian National Cybersecurity Agency promoted the initiative, domestically and with G7 partners, and designed the collectively implemented process through discussions with each individual partner. 

The central challenge was building trust and credibility. Domestically, this meant working with other ministries and agencies to fine-tune the scope of the proposal within other pre-established initiatives. Internationally, we had to ensure the new effort would complement rather than duplicate existing frameworks within and beyond the G7. It was crucial to clarify the objectives and scope of the working group, especially amid early scepticism about the added value of a new layer of cooperation. Furthermore, we needed to build confidence in the ability of the ACN, the youngest and smallest of the seven national cyber agencies, to provide sufficient leadership and deliver concrete policy outcomes alongside long-established institutions. 

A small, ad hoc, and deeply motivated task force drove the entire process. Operating in start-up mode and with a clear vision, this ‘SWAT team’ handled everything from logistics and substantive content to delicate policy coordination and diplomatic relations. Time was not on our side. We worked under immense pressure, knowing the mission was to advance cybersecurity cooperation in a group of the world’s most advanced economies, like-minded democracies, and leaders in emerging technologies. For an agency that had not even existed three years earlier, spearheading such an initiative was a formidable challenge, and immensely rewarding.

What has been the impact?

The working group finally held its first meeting in Rome, on 16 May 2024, under the chairmanship of the ACN director general Bruno Frattasi. Representatives from all G7 cyber agencies, the EU Commission, and the European Union Agency for Cybersecurity (ENISA), together with the deputy national security advisors of the United States and Japan, agreed on a programme consisting of two work streams: one on the security of critical infrastructures, focused on the energy sector, and one on the cybersecurity of artificial intelligence. The latter was subsequently divided into two focus areas, dealing with the security of AI supply chains and the protection of critical infrastructures from malicious use of generative AI.

One example of our work was the development of an AI Software Bill of Materials (SBOM). To secure an AI system is to secure its supply chain. Here, transparency is essential. Information about the entire AI life cycle – the process of designing, developing, deploying, and managing an AI model – must be available. The working group addressed this by fostering convergence among members on technical and policy aspects of an SBOM for AI and by defining and operationalising the SBOM concept. Think of an SBOM for AI like a scanner at an airport. The goal of the SBOM is to screen what is inside an AI system. This enhances the transparency, security, and risk management of AI systems. Cooperative efforts led by Italy and Germany have provided G7 members with guidelines on how to build these ‘scanners’, including a common understanding of the key elements needed for these bills of materials to function effectively. 

On 3 December 2024, the group met again in Rome to take stock of the work done. Together, the group’s members created a collaborative space, a sort of fusion centre, despite the slightly different institutional roles that each plays within its respective national security architecture. Based on these achievements, the agencies agreed to expand their areas of cooperation, proposing an ambitious agenda that includes themes such as transitioning to post-quantum cryptography, securing the internet of things, and applying principles for the cybersecurity of health and telecommunications supply chains. 

The G7 Cybersecurity Working Group has gone mostly unnoticed by the wider public – cyberattacks make more headlines than policy efforts aimed at countering them. Nonetheless, the working group delivered a concrete result: a new way for like-minded cybersecurity frontrunners to work together. In the face of a global increase in cyber threats, a collective and cohesive response is a necessity. 

The opinions, findings, and conclusions or recommendations expressed in this article are those of the authors and do not necessarily reflect the views of either the Italian National Cybersecurity Agency or the G7 Cybersecurity Working Group partners.

avatar
Massimo Marotti
avatar
Matteo E. Bonfanti
avatar
Giovanni Faleg

Related

Featured image
Hooked On Trends
Emerging technologies will intensify the North Korean cyber threat
Abhishek Sharma 13 February 2024
Read more arrow
Featured image
Hooked On Trends
Cyber insurance is no silver bullet for cybersecurity
Rodney Adriko / Jason R.C. Nurse 10 February 2025
Read more arrow
Featured image
Hooked On Trends
Re-thinking cybersecurity capacity building
James Barr / Sofia Liemann Escobar / Jessica McClearn / Phil Sheriff 18 June 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.