International multistakeholder cyber threat information sharing regimes: Policy considerations for scaling trust and active participation

The paper looks at the United States as a model for the development of cybersecurity information sharing policies over time, and establishes a model based on the United States that could be applied in some other jurisdictions, although it may not be suitable for all other legal, economic, political, and technological situations. It suggests key architectural elements for constructing such a mechanism, based on the results of the survey of policy attempts thus far and other relevant conversations in the information security field. It also provides insights into the impact on international cybersecurity, should those policy objectives be met.

Finally, it concludes that while large scale information sharing networks can overcome the challenges identified, including building trustworthiness into a large-scale sharing regime, and that the so-called “network effect” applies to information sharing regimes, such that larger networks can provide more value to stakeholders. It also determines that policy leapfrogging may not be a viable alternative to the slower, but stable, policy development course charted by the United States.  The paper identifies that there are continuing needs for measurement of the activities of information sharing networks, a deeper understanding of the information sharing agreements in place, and further review of non-state (i.e, private sector) active participation in information sharing regimes.