Do Cybersecurity Bilateral Agreements Do Anything?

In the face of a never-ending onslaught of disruptive and destructive cyber threats ranging from criminal activities, state and industrial espionage, disinformation/propagation, and influence operations, governments realize that they are inadequately positioned to defend themselves against the magnitude of the threat.  As consensual international norms of state behavior in cyberspace languish in the United Nations, states eagerly look to establish bilateral cybersecurity agreements with other states in the hopes of improving their cyber security postures.  It is becoming more commonplace for governments to establish such partnerships, with one research paper approximating the existence of 196 agreements involving 116 countries at the time of its publication, a number that has likely increased since that time.  In an interconnected domain where countries face similar threats from the same types of adversaries, they are turning toward bilateral, multilateral, and multistakeholder forums in an attempt to ameliorate the situation.

While the specifics of these agreements will invariably vary between governments, there is consistency in the types of cyber issues that such agreements cover, including but not limited to: Discussion and Dialogue; Research; Confidence Building Measures; Incident Response; Crime; Capacity Building; Activity Limiting; Defense; and Terrorism. Details are rarely provided as to how governments will engage their counterparts.  The same can be said for the identification of the specific agencies involved, or what collaboration means on a granular level.  Still, they appear to be notable endeavors, especially in the digital domain where cyber malfeasance and hostile state and nonstate actors are able to maneuver with relative impunity. Disconcertingly, despite announcements of the agreements and the intended goals of collaborating, there is very little follow-up as to how the partnership is or has been successful, or the metrics used to quantify and qualify results, raising the question as to the true efficacy of these engagements.

Nonetheless, collaboration is a positive way forward, and when it comes to trying to identify, mitigate, and remediate adversarial operations, mutual assistance seems logical.  Information sharing has been a key tenet of cybersecurity leaders and has been proselytized as being instrumental between the private and public sectors, as well as governments. Rarely does any senior cyber official discuss cyber security without stressing the need for information sharing.  However, information sharing may be more difficult than it seems on paper.  In fact, even the Department of Homeland Security acknowledges its deficiencies in the area, pledging to improve and increase its information sharing habits with local law enforcement.  If it’s cumbersome to do it internally, such problems can only be magnified when trying to do it with external partners.

The most obvious area where collaboration has produced visible results is international law enforcement activities that have targeted and taken down cyber criminal operations and forums where actors advertise their criminal offerings. While in many cases these have proven fruitful by disrupting gang operations, arresting individuals, and taking down forums, it appears on the surface that the effort to achieve these results is neither cost nor labor effective.  Notably, ransomware gangs have been known to stop operations only to start new ransomware strains, or else, like Conti, disband with members regrouping under other criminal umbrellas.  The shuttering of a crime forum doesn’t alleviate criminal activity so much as force it to go to other forums, perpetuating the belief that cybercrime cannot be shut down so much as inconvenienced.

There is also evidence indicating that these cyber bilateral agreements may be more for show than actual purpose. That is not to say that these agreements won’t mature over time, but that for the past decade not much has materialized as a result of them.  In fact, despite the willingness of governments to enter these agreements, the cyber domain has been increasingly plagued with state as well as state-proxy activity, suggesting that things are becoming more “conflict ridden” than not.  The recent Ukraine conflict has demonstrated how an international crisis can bring more state and nonstate cyber actors into the fray than just the two combating states.  That does not even take into account the volumes of cyber-enabled information activities flooding the Internet looking to influence audiences.

Another reason that these bilateral agreements may not be bearing much fruit is that even among like-minded nations, their respective views of the Internet and the activities that occur therein may not be homogeneous.  This will invariably impact the extent to which governments share and engage with one another.  The United Nations’ continued failure to codify cyber norms of behavior is indicative of the challenge of governments completely syncing up with one another on terminology and activity thresholds.  If nations engaging in cyber bilateral agreements maintain incompatible ideologies on key issues like Internet governance and hostile cyber activity classification, any agreement made would likely be at the basest and least valuable level.

So, if these agreements are not fulfilling their intended goals, why are countries still willing to enter such partnerships?

First, there is always the hope that they will provide tangible gains for the parties involved.  A little progress is better than no progress.  And very close governments may be more apt to be transparent with one another on these matters.  For instance, any China-Russia cybersecurity cooperation would likely be more beneficial for both Beijing and Moscow than, say, China-United States cybersecurity information sharing.  This suggests that governments may look to such engagements with friendly governments first, and hopefully both will be able to provide equal assistance to the other.  Under the current climate, Ukraine is clearly benefiting from signing such an agreement with the United States.

Another proof of value may be as a signaling agent to adversaries.  A government may publicly enter into such an agreement for the purpose of sending a message to a hostile government.  The India-United States agreement and the Saudi Arabia-United States agreement are two examples of this.  In the former, closer cybersecurity information sharing is a response to ongoing Chinese cyber espionage activities that continue to target both India and the United States.  In the latter, closer ties with Saudi Arabia are directed at Iran who has conducted disruptive cyber attacks in addition to cyber espionage against is considered the biggest threat to Middle East stability. With state-driven offensive cyber operations gaining increasing scrutiny during periods of geographical crisis, cyber security agreements with partners sharing the same primary adversary can send a message in the hopes of curtailing or at least lessening that behavior.

There is so much about these cybersecurity bilateral agreements that is not known, as few of the agreements have been fully made public, with most of what is known about them coming from public statements. Coverage of these agreements is vague at best, thereby making them difficult to track and evaluate.  Therefore, there needs to be a better accounting of cybersecurity bilateral agreements to understand their utility. After all, most of the global community wants a safe Internet in which to operate, and transparently showing the successes of these agreements would be a huge step toward informing how countries should enter into them, and perhaps most importantly, with whom.  Otherwise, they remain symbolic gestures that check the cybersecurity box, achieving limited individual gains in a domain that demands more substantive progress for any real relevance.

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.