Building International Partnerships to Combat Foreign Cyberattacks

Julia Dickson, Emily Harding
Sunday, February 9, 2025, 9:00 AM
Cybercrime is on the rise. International hubs will solve the problem.
An individual works at an office of the European Cybercrime Centre (EC3) in an undated photo. EC3 could be a model for U.S.-supported regional cybersecurity hubs. Photo credit: Europol.

Published by The Lawfare Institute in Cooperation With Brookings

Editor’s Note: Cybercrime, already high, is growing in scope and scale. My Center for Strategic and International Studies colleagues Emily Harding and Julia Dickson assess the problem and call for forming regional law enforcement hubs as a way to improve intelligence on and action against this threat.

Daniel Byman

***

Cyberattacks by adversary states and criminal organizations cost Americans more than $12.5 billion in 2023 alone. Most malicious cyber activity, however, is conducted by actors operating outside the United States using foreign infrastructure, making it challenging for U.S. law enforcement to address. The incoming Trump administration must expand international collaboration to stop this crime wave.

A good place to start is by building regional, collaborative law enforcement hubs to combat malicious cyber activity. These hubs should be locally organized and run, but seed funded by the United States and its allies. The hubs should be virtual for the first year and then evolve into brick-and-mortar collaborative spaces to build community and trust for deeper information sharing. Over time, seamless, up-to-the-minute collaboration will reduce the dark corners of internet infrastructure where criminals like to hide, and these hubs will prove a low-cost, high-impact way to shore up U.S. alliances in areas of the globe poised for dramatic growth. Initial hubs could be established in key partner-states in East Africa, Latin America, and Southeast Asia, with more regional partners brought on board as the program develops.

A Model for Hubs

The European Cybercrime Centre (EC3) could serve as a model for these efforts. Europol established EC3 in 2013 to bolster the law enforcement response to malicious cyber activity in the European Union. Today, EC3 helps coordinate multinational law enforcement responses to cybercrime, provides technical support to EU member states, facilitates training and capacity-building programs, and creates public awareness campaigns.

EC3 has been integral to numerous high-profile interventions that have not only protected the European Union from cybercrime but also safeguarded U.S. citizens and businesses from online threats. In 2022, for instance, EC3 coordinated the takedown of RaidForums, one of the world’s largest illegal online marketplaces. RaidForums sold access to high-profile datasets stolen from U.S. corporations, including Americans’ sensitive financial and personal information. EC3 coordinated five countries’ independent investigations (the United States, Romania, the United Kingdom, Sweden, and Portugal); without EC3, the investigation would have been slower and reliant on five bilateral relationships. In another example, EC3 served a similar coordinating role and also provided “digital forensic, cryptocurrency and malware support” as part of an operation involving seven countries that dismantled a ransomware group in Ukraine that targeted more than 1,800 people in 71 countries.

EC3 is embedded in Europol and the European Union’s existing, well-established system of rules, regulations, and relationships, all of which contribute to a long history of trust and a disposition toward information sharing.

A brick-and-mortar hub like EC3 is the goal, but it is not a necessary first step. Rather, regular online meetings and quarterly gatherings could establish relationships, share information laterally, and build momentum. Once the hub’s value is proved, it can expand to include more countries and move to a physical location where staff members work together in person. It might even replicate the EC3’s dorm-style living for some of its detailees, maximizing the opportunity for building bonds between regional partners and making it more affordable for states to send people.

Aspects of the EC3 model offer an aspirational blueprint for other cyber hubs, but expectations should be modest for how quickly an effort starting largely from scratch will be able to achieve the same level of collaboration.

East Africa

According to Sciences Po, seven of the top 50 countries considered the most significant sources of cybercrime are in Africa. Nigeria ranks in the top five. A successful response to the staggering increase in attacks originating from Africa must begin on the ground, with local resources and robust collaboration across regions.

The U.S. government should work with Kenya to establish an EC3-like hub serving East Africa. Nairobi is an eager potential partner and is regionally seen as an honest broker. The country’s two cybersecurity strategies, published in 2014 and 2022, provide a robust framework for increasing capacity and continuing to build a large talent pool. Additionally, Nairobi’s 2018 Computer Misuse and Cybercrimes Act is a strong step toward successfully prosecuting cybercriminals.

This hub should fit under the larger umbrella of the East African Community (EAC) to maximize its credibility. Leaders in the region see moves toward economic integration as a net positive, so they are willing to engage with the EAC. Because it is not a consensus-based organization, not all EAC partner states need to be involved from the start; rather, a select group of countries should be chosen to share information on a robust set of issues, build trust, and demonstrate the success of the hub. With the hub hosted in Kenya, Tanzania and Uganda should be the other founding members. These countries already have robust cyber capabilities, strong and stable relations, and similar common-law judicial systems that could eventually allow for the sharing of both criminal justice information and cyber threat intelligence. Additionally, these states’ comparable cybercrime laws could ease the prosecution of cybercriminals in joint operations. Once a Kenyan operation is up and running, there are opportunities to replicate that success in west and south Africa.

Latin America and the Caribbean

Since the start of the coronavirus pandemic, Latin America and the Caribbean have seen a staggering increase in cybercrime. The region had the world’s highest cyberattack rates in the first half of 2020, reporting nearly three times more attacks via mobile browsers than the global average. Similarly, while global ransomware incidents declined by 4 percent in 2022, there was a 3 percent uptick in cases within the region. To combat this malicious cyber activity, the U.S. government should help the Dominican Republic establish a regional hub to serve Central America. Santo Domingo has made massive strides in developing its cyber governance apparatus since a jump-start in 2018. The Dominican Republic has developed two cybersecurity strategies and adopted comprehensive legislation to investigate, prosecute, and punish cybercrime. It has emerged as a regional leader and demonstrated willingness to support regional partners.

The hub should build on the success of the network of government computer security incident response teams (CSIRTs) of the member states of the Organization of American States (OAS)—also known as the CSIRTAmericas Network. Through this network, OAS distributes cyber threat information and provides technical assistance—including vulnerability assessment, assessment of CSIRT maturity level, web application security, and cyber incident management tools—to member states. Due to the differing capacity levels among the 22 member states, the network has not yet been able to move to bidirectional information sharing, but it already has a legal framework in place for information sharing. Given this legal structure and the fact that the CSIRTAmericas Network has proved its credibility in sharing sensitive and timely information with countries in the region, its leadership will help the hub get running quickly and increase participating nations’ trust and willingness to share data.

The hub should also collaborate with the Latin America and Caribbean Cyber Competence Centre (LAC4), which is located in Santo Domingo and shares an office with the Dominican Republic’s main cybersecurity governing body, the National Cybersecurity Center. LAC4 has relations with cyber professionals throughout the region and collaborates extensively with OAS. LAC4 and OAS have carried out joint exercises and worked together to draft the cybersecurity strategies of Ecuador, Barbados, Colombia, and Uruguay, among others.

With the Dominican Republic as the host, Costa Rica and Panama should be the other founding members. Notably, Santo Domingo sees itself as Latin American, rather than Caribbean, and it is Spanish speaking, pointing to a more profitable partnership with Central American countries. Additionally, the Dominican judicial system is similar to that of other Latin American countries, so including other Latin American countries rather than Caribbean nations could facilitate cybercriminal prosecution in joint operations. Further, these countries have some of the region’s most robust cyber capabilities and strong relations that already include exchanging information on cybersecurity best practices. Success among these countries could then be replicated elsewhere in the region, such as in the Southern Cone and the Caribbean.

Southeast Asia

Cybercriminals operating out of Southeast Asia scammed Americans out of at least $3.5 billion in 2023, making U.S. cooperation with regional partners to fight online criminal activity an important priority. Southeast Asia has two strong candidates to host the regional cyber hub: Singapore and Malaysia. Singapore has exceptionally strong capacity and talent pools, and it already hosts other efforts with similar missions. However, because it is already a hub for so many other regional initiatives, its neighbors would likely appreciate seeing a different regional lead. Malaysia’s capacity is not yet at the same level as Singapore’s but is rapidly developing. Kuala Lumpur might also have better grounds to build trust among regional partners, which could improve nations’ willingness to share sensitive information. The potential partnership of these two countries on cyber issues would be an asset. Malaysia has strong relations with Singapore, as demonstrated by the Joint Committee Meeting on Information and Communications Cooperation, which works to strengthen personal data protection, cybersecurity, and the digital economy.

Indonesia and the Philippines should also be members. The Philippines could prove a potent counterweight to Chinese influence in the region. There is also precedent for joint operations among Malaysia, Indonesia, and the Philippines through the INDOMALPHI trilateral cooperative agreement, which works to address maritime security issues, including piracy and terrorism, by establishing regular patrols, refining coordination, and improving information sharing. Vietnam could also be a partner in an early expansion.

Seed Money for Start-ups

Start-up costs are likely to amount to approximately $20–$25 million for each hub. If the United States and one or two of its partners each contribute $10 million to each new hub, the hubs would have enough funds to cover their start-up and operating costs for the first few years. Even modest start-up financing can be effective (EC3’s 2023 budget, for example, was 16.1 million euros). This funding would allow for the initial transition from virtual to in-person by allowing time for the hub to prove its value and for the participants to determine how to best sustain the hub with local contributions. If the United States and its allies help build it, regional partners will come, and they will take over the operation and maintenance costs as the model proves useful.

There are existing partnerships and precedent in each region for this type of shared funding model. The European Union contributed 10 million euros for enhancing Kenya’s cybersecurity in October 2023. The European Union also has a robust history of collaboration on cybersecurity in Latin America and the Caribbean through initiatives such as the EU-LAC Digital Alliance and LAC4. In Southeast Asia, the United States should ask Japan, Korea, and Australia to match U.S. contributions, similar to maritime collaborations and counterterrorism efforts of the past.

Working with partners to establish new cyber information-sharing hubs in Africa, Latin America, and Southeast Asia should be a high priority for the Trump administration. Through these hubs, international partners will be able to advance common cybersecurity interests and prosecute malign cyber actors, with a direct benefit to the United States and its citizens. Zone defense is the key to winning this team sport.


Julia Dickson is a research associate for the Intelligence, National Security, and Technology Program at the Center for Strategic and International Studies. Previously, she completed a Fulbright Fellowship in Osh, Kyrgyzstan, and served as a research assistant at the Wilson Center, an intern for the Conventional Defense Program at the Stimson Center, and a communications and outreach intern at the International Crisis Group.
Emily Harding is the director of the Intelligence, National Security, and Technology Program at the Center for Strategic and International Studies. Previously, she served as an analyst at the Central Intelligence Agency, director for Iran at the National Security Council, and deputy staff director on the Senate Intelligence Committee.
