
Author: Ryan Johnson

International multistakeholder cyber threat information sharing regimes: Policy considerations for scaling trust and active participation


This paper examines cybersecurity information sharing mechanisms. It looks at the research into public-private partnership (PPP) theory, its application to cybersecurity, and the burgeoning field of international cybersecurity collaboration, and draws conclusions on what policy elements are needed to foster success in architecting a platform for cybersecurity information sharing on a large scale. The paper surveys existing information sharing regimes and the policy objectives they attempt to reach, including capacity building, standardized languages for information sharing, liability protections, anonymization requirements, reducing free riders, and building trust.

The paper looks at the United States as a model for the development of cybersecurity information sharing policies over time, and establishes a model based on the United States that could be applied in some other jurisdictions, although it may not be suitable for all other legal, economic, political, and technological situations. It suggests key architectural elements for constructing such a mechanism, based on the results of the survey of policy attempts thus far and other relevant conversations in the information security field. It also provides insights into the impact on international cybersecurity, should those policy objectives be met.

Finally, it concludes that large-scale information sharing networks can overcome the challenges identified, including building trustworthiness into a large-scale sharing regime, and that the so-called “network effect” applies to information sharing regimes, such that larger networks can provide more value to stakeholders. It also determines that policy leapfrogging may not be a viable alternative to the slower, but stable, policy development course charted by the United States. The paper identifies continuing needs for measurement of the activities of information sharing networks, a deeper understanding of the information sharing agreements in place, and further review of non-state (i.e., private sector) active participation in information sharing regimes.
