cyber security

Cooperation is “the process of groups of organisms working or acting together for common or mutual benefit, as opposed to working in competition for selfish benefit” (Wikipedia).

Thus, mutual benefit seems to be the key ingredient here. Nevertheless, identifying the mutual benefit appears to be an issue in cyber-security (and other fields, for that matter) as the level of cooperation still seems to be quite low, even after more than 15 years of global awareness in the area.

The year 2017 has been a cornerstone in cyber security. The WannaCry and Petya/NotPetya attacks have clearly demonstrated that cyber can easily cause disruptions with strong impact in real life to a large part of the world population. Moreover, earlier attack types like Stuxnet have demonstrated a disruptive capability but only when focused on specific targets and as a result of serious investments. On the other hand, these attacks have clearly demonstrated that everything is possible in cyber and we need to be prepared.

Cooperation plays a big role when it comes to being prepared for cyber attacks. Even if you just rely on different types of solutions deployed within your corporate environment, you can be sure that most of them are using some sort of threat intelligence feeds that have been built based on different types of cooperation agreements that the vendor has.

Cooperation in cyber security  is indeed a very broad term, therefore, for the purpose of this article I am referring to the following:

  • cooperation with partners in case of incidents/attacks: sharing data with industry partners, sharing data with customers so that they can determine impact and act quickly, sharing data with national authorities so that potential disruptive situations can be avoided.
  • partnerships with similar players/competitors in the industry for exchanging best practices on a regular basis: some initiatives are described below, and their number continues to grow.
  • transparency as regards publicly reporting cyber-incidents/attacks: if you offer digital services on which many customers depend, being transparent about any kind of issues with your service is becoming a requirement in many countries. Partners that depend on you, need to be aware of any kind of issues that may affects their activities.

Cooperation is not something new in cyber. We have been discussing about it for at least 10-15 years now, and to be honest, several communities have reached a satisfying level of cooperation. Nevertheless, as cyber-security has become a global issue, it is becoming obvious that we need more of it and at many more levels.

When it comes to CERTs/CSIRTs environments and LEA (law enforcement agencies), cooperation comes as a prerequisite. Achieving results within these communities is strongly related to having as many partners as possible. Here, activities are based on intensive exchange of IOCs and coordinated actions etc. Usually, cooperation in this area appears when there is a strong mutual benefit for both parties, such as taking down a botnet or other type of malicious resource. There are multiple examples of such cooperation initiatives worldwide. [2][3][4][5]

Financial Services Information Sharing and Analysis Center (FS-ISAC), is “the global financial industry’s go to resource for cyber and physical threat intelligence analysis and sharing”. FS-ISAC acts as an information sharing hub between different financial organizations across the world and offers different kinds of services from physical meetings to threat intelligence feeds. This is a clear example of cooperation within one vertical industry sector, which is finance. This article will give you more insights on other types of ISACs worldwide. As you will notice we don’t have so many of them and we don’t know exactly how efficient many of them are.

Other sporadic cross-industry cooperation initiatives include ICS-CERT, a national state sponsored initiative in the USA that serves all industry sectors relying on Industrial Control Systems (ICS). All in all, that is it, nothing more! You may find out there other initiatives on national or regional level for sectors such as finance, transportation or eHealth, but nothing concrete, with tangible results.

Usually specialized organizations, acting in cyber security area, rely on multiple partners so as to cover the many pillars where cyber can have a serious impact. In this respect, it’s common to see partnerships with technology vendors, cyber insurance companies, law firms specialized in privacy and data breaches, so as to cover the full chain of possible client needs in terms of cyber security. You can find a good example in this area here, from Secureworks, a global leader in managed security services and the company that I currently work for.

So, we might conclude that we do have a certain level of cooperation in cyber security, but mainly at national level and, to a lower extent, at sectorial levels, but only in certain sectors. Specialized cyber security vendors or service providers are usually characterized by a strong policy in this area.

Short analysis

If we turn to game theory we might have a reasonable answer from the classic prisoner’s dilemma. Intensive research done on this topic showed that “the only possible outcome for two purely rational prisoners is for them to betray each other”[1], because this option offers the greatest reward. For cooperation to emerge between rational players, the total number of rounds played, must be unknown to the players. In the iterated version of the prisoner’s dilemma betraying may no longer be a strictly dominant strategy, but only in certain circumstances. Among results shown by Robert Aumann in a 1959 paper, rational players repeatedly interacting for indefinitely long games can sustain the cooperative outcome.

So it could be that it is in our nature to go for the greatest reward, no mater what the consequences upon the others. More details on the topic can be found here, this resource being one out of many interesting research papers out there. According to the source, social cooperation (as any other social dilemmas) can be defined by three characteristics (Dawes, 1980; Messick and Brewer, 1983; Yamagishi, 1986):

(1) a non-cooperative choice is always more profitable to the individual than a cooperative choice;

(2) a non-cooperative choice is always harmful to others compared to a cooperative choice;

(3) the aggregate amount of harm done to others by a non-cooperative choice is greater than the profit to the individual.

So, the non-cooperative choice will harm the others and the amount of harm done is always greater than the individual benefit. And the research continues with the identification of two classes of variables that influence cooperation in commons dilemmas: individual differences (social motives, gender) and situational factors (payoff structure, uncertainty, power and status, group size, communication, causes, and frames).

Cooperation is mostly important in cases of incidents/attacks or when it comes to incident management. Sharing details of a breach is firstly a moral thing to do against your clients, as they might also be impacted by your loss. Secondly, it can also support other similar companies that might be in the same position. Breach disclosure done at the right time and with the right means can minimize the total negative impact towards potential affected parties. Nevertheless, it is in these situations that affected parties try to maintain their current level of benefit by concealing any potential impact that the incident has had. Vendors affected by  a breachwill usually try to reduce any negative reputational damage, so the amount of shared info will be reduced to a minimum, as well as the number of sharing partners.

But in the light of last year’s developments, things are prone to change. The WannaCry and Petya/NotPetya attacks demonstrated the clear need of cooperation at multiple levels. Solving the crisis of last year engaged a lot of stakeholders that needed to work together to solve a problem (vendors, researchers, governmental agencies etc.). It was this cooperation frenzy that helped many organizations recover after the crash and ultimately made available to the public some free decryption tools. Following the principle of “never let a good crisis go to waste” we might assume that the industry (and not only) has learned a valuable lesson from these events and will be better prepared form the next one.

ESET’s senior researcher, Stephen Cobb, provides a very good insight, from the RSA 2018 Conference, on how big players view the current situation: “[…] reading between the lines at I got the sense that there is a growing realization within the industry that working together in the way we have been doing so far might not be enough”.


So, non-cooperation has become clearly visible, even at the highest levels, and response strategies have started to be drafted.  One notable move is the new Cybersecurity Tech Accord, which had their first meeting during the above mentioned conference. The accord was signed between 34 global technology and security companies that agreed to “defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states”. Nevertheless, some time has to pass until we can see some tangible results or we can really assess the usefulness of this accord.

Boosting cooperation in cyber-security is a must. We need to properly face all new types of threats and cooperation can lead organizations one step further in their struggle. Nevertheless, we need to reach beyond our conservative basic need of pursuing the fastest reward and go for the type of reward that can bring benefits to multiple players. But struggling with our own nature can be difficult, therefore various types of measures can be taken to leverage this kind of mind switch:

  • Wider international adoption of mandatory incident reporting policies: following the example of the EU Network and Information Security Directive, mandatory incident reporting at national levels should be encouraged, but not grounded. A comprehensive view upon the types of incidents affecting a particular industry within a country can facilitate the adoption of proper public policies. Being aware of the extend of a phenomenon is never wrong.
  • Encouraging international public policies for information sharing in cyber security. As organizations tend to follow their own benefit without considering the overall harm done at other levels, public policies in this area must encourage information sharing and it’s benefits to different ecosystems
  • Adopting international treaties to regulate activities in cyber-space: a good view on this topic can be found here.
  • Supporting industry ISACs or other means of sharing information within industry sectors.
  • Support public private partnerships: as most of the products and infrastructure are private, their involvement is more than necessary, at any level.

The above list is of course non-exhaustive, so please, feel free to contribute in any way if you feel the need.


P.S. Blog post initially posted on the 15th of May 2018. Reedited and republished 31st of January 2019.

Post available also on:









What does it take to cooperate in cyber-security

Cooperation is “the process of groups of organisms working or acting together for common or mutual benefit, as opposed to working in competition for selfish benefit” (Wikipedia). Thus, mutual benefit seems to be the key ingredient here. Nevertheless, identifying the mutual benefit appears to be an issue in cyber-security (and other fields, for that matter) […]

Read more

The GLORIFIED economic values around cyber security

Almost every source presenting financial facts in cyber security will astonish you with figures going into the area of hundred billions, giving you the impression that, if you work in the industry, you must be one of the luckiest guys in the world to work in such a profitable area. Nevertheless, caution must be used […]

Read more

Newsletter 19 – December 18, 2018

Some interesting stuff that I found online:   SECURITY: Top 100 worldwide influencers in cyber security  – 60 Cybersecurity Predictions For 2019 – The worst cyber attacks of the past 10 years – Secureworks State of Cybercrime Report 2018 – The 6 reasons why Huawei gives the US and its allies […]

Read more

Can AI really benefit cyber security?

  The intro Artificial Intelligence (AI)! Oh my, that sounds exciting and disturbing in the same time. Exciting because man has always fantasized about playing God, and now we are as closer as we ever got to this. Disturbing, because, some say [1] [2] [3], a superior form of intelligence, such as AI, might indisputably […]

Read more

Newsletter 18 – November 26, 2018

Some interesting stuff that I found online:   SECURITY: Possible jail time for ignoring cyber security – President Emmanuel Macron launched the Paris Call for Trust and Security in Cyberspace at UNESCO’s Internet Governance Forum – Weakest link in cyber security is … infrastructure, apparently – About the US Cybersecurity and Infrastructure […]

Read more

Newsletter 15 – October 05, 2018

Some interesting stuff that I found online:   Now you can find my stories also on Check them at   SECURITY: The big hack – the unbelievable story of how China spied US through some tiny chips – Tim Berners Lee on a decentralized platform designed to give every internet user full […]

Read more

Newsletter 12, August 23, 2018

Now you can find my stories also on Check them at   Some interesting stuff that I found online: SECURITY: My last article on the history of cyber security and how it become a “thing” – Microsoft’s Defending Democracy Program offers state-of-the-art cybersecurity protection at no extra cost to all candidates and […]

Read more

How did cyber security become a global issue, and what is to be done about it?

  In the last two decades, one term has become very popular by attaching itself onto many traditional terms related to war, terrorism, security, in order to express the many implications of technological development in our everyday life. “Cyber security” belongs to a wide family of modern terms inspired by the multidisciplinary science called cybernetics. […]

Read more

Newsletter 11, August 2, 2018

Some interesting stuff that I found online:   Now you can find me also on Check all my stories at   SECURITY: A short summary on US cyber security relevant legislation – EU Commission July infringements package, formal notice to 17 Member States to fully transpose into national laws the EU NIS […]

Read more

Newsletter 9 – July 12, 2018

Some interesting stuff:   SECURITY: Apparently, the future of encryption are Quantum Random Number Generators. They generate random numbers by measuring the unpredictable attributes of subatomic particles. And now we have one that is also fast and efficient: UK Drone plans on Dark Web – Forrester Endpoint Security Report Q2 2018: […]

Read more