What Will Mechanisms for Cybersecurity Aid Look Like?

When Montenegro experienced a “persistent and ongoing cyberattack” last year, France sent a team from its National Agency for the Security of Information Systems, to “support and [assist] in the detection, analysis and remediation of cybersecurity.”

When Costa Rica came under attack, aid came from Spain, Israel, the United States, and corporate partners. The Costa Rican government benefited from information sharing, trained personnel, resources, and software licenses to address the ransomware attack.

And, of course, cybersecurity assistance has been one element of western support to Ukraine during the course of Russia’s full-scale invasion. The transnational nature of cybersecurity threats requires international cooperation, and international cooperation has become a regular feature of the response to attacks on countries with less advanced cybersecurity defenses.

But the response to these incidents highlights a particular challenge: the lack of established processes or mechanisms to request and provide cybersecurity aid. Thankfully, a number of developments this year signal a shift in the way that governments are engaging with this issue.

As part of the Cyber Defense Pledge that NATO allies committed to at the Vilnius summit in July, the group launched a new Virtual Cyber Incident Support Capability, designed “to support national mitigation efforts in response to significant malicious cyber activities.” This is not the first time we are hearing about the awkwardly acronymed “VCISC”; it was already mentioned in the Biden administration’s National Cybersecurity Strategy, released in March. In the strategy, the VCISC is touted as an example of the policies that the administration needs to develop for determining when it is in the U.S. national interest to provide support to allied and partner nations to investigate, respond to, and recover from significant cybersecurity incidents.

The need for a mechanism through which cybersecurity aid can be provided also extends to the European Union. In April, the European Commission proposed the EU Cyber Solidarity Act, which includes the establishment of a Cybersecurity Reserve that could be deployed to help address significant cybersecurity incidents.

The conversation around the request and provision of cybersecurity aid in the U.S. and in the EU provides a useful starting point to explore why and how governments decide to support third countries in dealing with the pernicious effects of cybersecurity incidents.

The Case for Assistance for Cyber Incident Response

The case for robust and regular cybersecurity assistance to third-country victims of attacks is simple. Cybercriminals and nation-state threat actors are not limited by and do not respect borders. And a significant cybersecurity incident in one country can have unexpected ripple effects across the globe. One needs not dig deep for examples of this; the Russian NotPetya cyberattack in 2017, which attempted to disrupt Ukrainian institutions, spread indiscriminately and caused more than $10 billion in total damages across the globe. At the end of the day, the larger cybersecurity ecosystem is only as secure as its weakest links. By ensuring that systems and networks abroad are secure, countries increase their own protection.

Providing cybersecurity assistance to other countries is also a way for governments to advance their own policy priorities. Being involved in cyber incident response efforts can be a way to protect and further foreign policy, national security, and defense objectives. And it can also be a way for countries to advance their own companies’ products: Get help from the U.S., and you’re likely to end up using American software; get help from Israel, and Israeli companies won’t be far behind.

Providing cybersecurity assistance to other countries is also one of the norms that countries have agreed upon in the context of negotiations in the United Nations. In 2015, the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) agreed to a consensus report that included 11 voluntary norms of responsible state behavior. One of these norms, Norm H, says that “States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT [information and communication technology] acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty.”

The 11 norms, which have become a crucial element of what is referred to as the framework of responsible state behavior in cyberspace, were endorsed in 2021 by the UN Open-Ended Working Group—a negotiation process akin to the GGE but open to all UN member states. This means that all 193 UN member states have agreed to follow this framework.

And later in 2021, the subsequent GGE implemented additional guidance for the norms. It is of particular note here that, for Norm H, the GGE recommended that states develop “common and transparent processes and procedures” to ask for cyber assistance and to respond to those requests.

Cyber Assistance From the U.S.

U.S. cyber assistance takes different forms. When partner countries request it, the U.S. Cyber Command (USCYBERCOM) can deploy “hunt forward” teams for defensive purposes and to increase local resiliency. Since 2018, hunt forward operations have been deployed “40 times to 21 countries to work on 59 networks,” according to the 2023 posture statement by USCYBERCOM commander Gen. Paul Nakasone. For example, after Iranian cyber threat actors targeted Albania in July 2022, USCYBERCOM sent a team of cyber operators to assist for a three-month deployment.

The cybersecurity support provided to Ukraine demonstrates the various elements that can be included in an assistance package. The U.S. support included the sharing of threat intelligence, provision of emergency communication devices, and even the support of integration efforts of Ukraine’s electrical grid with the European Network of Transmission System Operators for Electricity. And USCYBERCOM deployed the largest hunt forward team yet to aid in the enhancement of cyber resiliency.

Now, the Biden administration seems to be exploring how to develop the right policies to determine how to prioritize the provision of this assistance. The National Cybersecurity Strategy and its implementation plan, along with public comments from Nathaniel Fick, ambassador-at-large for cyberspace and digital policy, offer interesting indicators of the administration’s areas of focus.

Under Strategic Objective 5.3 of the National Cybersecurity Strategy, the administration recognizes that providing support to its allies and partners “will also advance U.S. foreign policy and cybersecurity goals.” The strategy also points out that the U.S. government needs to “establish policies for determining when it is in the national interest to provide such support.” It foresees two areas of work: how to deploy this support efficiently and rapidly, and how to remove any “existing financial and procedural barriers to provide such operational support.”

The implementation plan for the National Cybersecurity Strategy, released in July, directs the State Department to “identify or develop a flexible and rapid foreign assistance mechanism to provide cyber incident response support.” The initiative is expected to be completed in the first quarter of fiscal year 2024 (this December) and features the contributions of the Department of Homeland Security, the Department of Defense, the FBI, and the U.S. Agency for International Development.

Since the National Cybersecurity Strategy came out in March, Ambassador Fick has publicly discussed his thinking on this topic on several occasions. For example, during an event at the Atlantic Council in April, he argued in favor of a “dedicated cyber assistance fund” that allows a rapid and dedicated response—modeled after the fund set up for counterterrorism purposes after Sept. 11. Subsequent reporting indicates that Fick has discussed with Congress how to set up a process for cybersecurity aid.

But there are at least three thorny issues standing in the way. The first is deciding how to prioritize who should receive cyber assistance and when. The second is how to structure a mechanism that is sufficiently flexible to address the diverse circumstances in which requests for aid may arise. And finally, there’s the issue of figuring out how to get U.S. funds to the relevant foreign agencies.

Cyber Assistance From the EU

In the EU, cyber defense is “primarily a national responsibility.” However, noting the increasing cybersecurity risks and the potential for “spill-over” effects from one state to the other, the European Commission proposed the EU Cyber Solidarity Act earlier this year. This act seeks to enhance the EU’s capacities to detect, prepare for, and respond to significant and large-scale cybersecurity threats and attacks. Three main actions would help accomplish this objective. The first is the establishment of a European Cyber Shield, focused on detection and situational awareness. The second action is a Cybersecurity Emergency Mechanism, which would help member states prepare for, respond to, and recover from cybersecurity incidents. The third and final step would establish the European Cybersecurity Incident Review Mechanism, tasked with offering a review and assessment of these significant or large-scale incidents.

It is the second action, the establishment of the Cybersecurity Emergency Mechanism, that is the most significant element for providing needed aid. Its establishment would mean the start of a new, EU-level process for the provision of assistance to governments experiencing significant cybersecurity incidents, and another example of how nations can implement Norm H of the UN framework of responsible behavior in cyberspace.

The proposed act describes three actions that would fall under the responsibility of such mechanism:

(a) preparedness actions, including the coordinated preparedness testing of entities operating in highly critical sectors across the Union;

(b) response actions, supporting response to and immediate recovery from significant and large-scale cybersecurity incidents, to be provided by trusted providers participating in the EU Cybersecurity Reserve established under Article 12;

(c) mutual assistance actions consisting of the provision of assistance from national authorities of one Member State to another Member State, in particular as provided for in Article 11(3), point (f), of Directive (EU) 2022/2555.

Point (b) offers an interesting departure from the sorts of assistance previously discussed. The Cyber Solidarity Act would institute this support in the form of the EU Cybersecurity Reserve. This reserve would play a role in both responding to and recovering from these significant and large-scale incidents “affecting entities operating in critical or highly critical sectors.”

Per the current text, the reserve would “consist of incident response services from trusted providers.” Who will be considered a “trusted provider” depends on whether certain criteria is met. The proposed act lists three items that need to be considered: (1) providers need to be able to deploy their services in all member states; (2) they must protect member states’ “essential security interests”; and (3) they must bring “EU added value”—that is, contributing to the promotion of European tech capacities. However, not all EU governments seem to be on board with this approach, and some even seem to be opposed to a EU-level cyber incident response.

To access the assistance services available through the reserve, the requesting user needs to have taken appropriate steps prior to the incident. Any request for assistance must include:

(a) appropriate information regarding the affected entity and potential impacts of the incident and the planned use of the requested support, including an indication of the estimated needs;

(b) information about measures taken to mitigate the incident for which the support is requested, as referred to in paragraph 2; 

(c) information about other forms of support available to the affected entity, including contractual arrangements in place for incident response and immediate recovery services, as well as insurance contracts potentially covering such type of incident.

This support would also be available to third countries “where Association Agreements concluded regarding their participation in DEP provide for this.” DEP stands for the Digital Europe Program, a funding program focused on supporting programs in key technology and infrastructure areas. Similarly to how the aid would be structured intra-union, the support would be structured through the “competent authorities,” like computer security incident response teams and cyber crisis management authorities. To secure this support, these third countries would also need to submit information on what precautionary measures they have taken that would help them preempt or prepare for qualifying significant or large-scale cybersecurity incidents, ensure that they have designated a point of contact, and share the resources and capabilities they have allocated to the competent authorities.

Pending Questions

So far, most of the international cybersecurity aid provided has lacked established processes and procedures, especially in the mechanisms through which this type of aid is requested and provided, which remain fairly ad hoc. To ensure that cybersecurity aid is provided in the most efficient ways, the processes that are set up will need to balance myriad objectives and tensions. Because these initiatives remain in the initial stages, further study is required into how these mechanisms can be best set up for success. Some of the questions that need to be studied include:

• In delineating the scope of cyber assistance—how will these mechanisms ensure lasting political support? How can governments set useful, yet flexible, thresholds for providing assistance and preventing moral hazard? How can governments work together to avoid duplication of efforts and clarify responsibilities?
• What level of transparency is required regarding the security requirements that necessarily arise when implementing a new process? How can organizations protect the information requested and offered?  How can governments scale assistance?
• What role do other actors, such as the private sector or regional organizations, play?

The proposals discussed in this piece are some, though not a comprehensive review, of the approaches that are shaping up to direct cybersecurity aid in the foreseeable future. Work on these questions is also happening in other regional and multilateral forums. There is an enormous need for cybersecurity assistance and plenty of capacity building efforts that slowly bridge the gaps between countries with different cyber capabilities. Keeping these questions in mind to ensure that there’s a focus and a purpose to the assistance provided can help guarantee the best possible alignment between the needs of the requesting countries and what the providing country can offer.