Building Partner Capabilities for Cyber Operations

Executive Summary¹

In December 2015, Russia turned the lights out in Kyiv. In the spring of 2022, they could not. But this was not for lack of trying.² Since the war began, Ukraine has sustained thousands of Russian cyberattacks,³ but the nation has endured because it has spent the better part of the last decade building its cyber defenses, often with the help of the United States and other international partners. The country has demonstrated that one country’s ability to prevent, mitigate, and recover from cyberattacks enhances global economic stability and security. Because of strong Ukrainian defenses, Russian cyberattacks have not cascaded across Europe and America, as was the case in 2017 with the Russian NotPetya malware.⁴

The Biden administration’s National Cybersecurity Strategy argues that a prosperous future requires resilient global digital infrastructure built on the values of democracy, free speech, and innovation.⁵ This means building and strengthening international partnerships to reinforce norms of responsible behavior, disrupt malicious actors, and enhance the ability of allies and partners to secure themselves against cyber threats. The 2023 U.S. Defense Cyber Strategy calls these allies and partners America’s “foundational advantage in the cyber domain.”⁶

The U.S. government conducts partner cyber capacity-building programs across multiple federal departments — to include the Departments of State, Justice, Energy, Homeland Security, Treasury, and Defense and the intelligence community. These programs help allies and partners build cyber resilience, develop national cyber strategies, prosecute cyber criminals, and evict malicious cyber actors from critical networks. They have become so popular around the world that demand “exceeds our capacity to deliver,” Nathaniel Fick, U.S. ambassador at large for Cyberspace and Digital Policy, said in June.⁷

Capacity-building programs help other countries learn to defend themselves in cyberspace. More resilient partners are less likely to succumb to an attack or need recovery assistance. But the U.S. government also helps partners recover, remediate, and conduct forensic analysis to determine the cause and culprit when cyberattacks succeed. These efforts can yield valuable insights about attacker techniques that can then be shared with other governments and the public.

In addition, the Department of Defense (DoD) has developed comprehensive partner capacity-building efforts with its North American Treaty Organization (NATO) allies and others. As part of this effort, U.S. Cyber Command conducts numerous cyber military exercises to practice planning, improve joint actions, and assess interoperability. These exercises reinforce what the U.S. military has long known — military communications and the ability to mobilize, deploy, and sustain forces require resilient U.S. and partner telecommunications systems, electrical power grids, water utilities, rail lines, airfields, ports, and other logistics infrastructure. If an adversary can cripple the backbone of these critical infrastructures, America and its partners could be slow to mobilize or even paralyzed, and their tools of economic statecraft will be weakened. The U.S. military has thus conducted dozens of overseas missions in the past few years to shore up allied infrastructure and gather insights to inform U.S. homeland defense.

While the U.S. government should prioritize, organize, and expand existing cyber defense programs, it should also address the next step in ally and partner capacity building: offensive cyber capabilities. While not all partners have the means or desire to conduct these operations, by refusing to begin to conceptualize how to help select allies and partners responsibly develop these capabilities, Washington is putting its partners and itself at risk. In the middle of a conflict, partners who want to use offensive cyber operations may turn to makeshift, volunteer offensive operators, as has occurred with the “Ukraine IT Army,” if they do not have a professionally trained, accountable force, which takes years to develop.

This report concludes with recommendations for an organized, prioritized, and resourced effort to help embattled democratic U.S. allies and partners operate effectively in cyberspace.

1. Make allied and partner cybersecurity capacity building a key element of the forthcoming international cybersecurity strategy. The strategy should assess current activities and develop a plan of action to advance the administration’s cyber strategy internationally and prioritize resources from both military and civilian U.S. agencies, remove redundancies, and close any seams.
2. Prioritize building allied and partner cyber resilience in critical infrastructure. Building cyber resilience of partner critical infrastructure — particularly ports, rail systems, and air transport systems — protects military mobility for both the host nation and U.S. forces. Other critical infrastructures — power, water, financial services, and pipelines — also undergird economic productivity.
3. Provide additional funding for capacity building. The Biden administration should request — and Congress should appropriate — additional funding to expand existing, successful cyber capacity-building efforts and create new ones. State and Defense capacity building should receive the lion’s share of the increases. Simultaneously, Congress should conduct increased oversight to ensure that authorized programs are getting the resources they require.
4. Consolidate State Department cyber capacity-building funding under its Bureau of Cyberspace and Digital Policy. Having been tasked with the international cyber strategy and given its existing work in traditional and non-traditional cyber capacity building, this bureau is best positioned to prioritize programs and funding.
5. Conduct more bilateral and multilateral cyber exercises. More military and civilian exercises are needed outside of the transatlantic theater. Washington should also explore replicating the annual U.S.-Israel cyber military exercise with other partners, including Taiwan, Japan, and South Korea.
6. Selectively use bilateral memoranda of understanding (MOUs) to improve military cyber defense capabilities of American allies. They should emphasize bilateral cybersecurity training, exercises, and joint operations to defend military networks, infrastructure, and systems.
7. Develop offensive cyber force employment training capability. The United States should develop and offer training events where U.S. operational, intelligence, and legal practitioners provide cyber-specific guidance on basic operational issues, including due diligence, sovereignty, collateral damage assessments, deconfliction with espionage operations, attribution techniques, and targeting processes.
8. Assess future elements of offensive cyber force generation. In preparation for a future in which today’s operational, legal, and resource concerns are mitigated, the Department of Defense should study how best to build or support a partner’s ability to conduct force generation for an offensive cyber capability and determine the resources required to execute such tasking.

Civilian Cyber Capacity-Building Programs

The Biden administration’s National Cybersecurity Strategy envisions a world in which allies can secure critical systems, detect and respond effectively to incidents, share information, and pursue cyber diplomacy. While highlighting the State Department’s unique role to coordinate whole-of-government efforts, the strategy commits the United States to “marshal[ling] expertise across agencies, the public and private sectors, and among advanced regional partners to pursue coordinated and effective international cyber capacity-building and operational collaboration efforts.”⁸

Programs at civilian federal agencies currently focus on strengthening the ability of partners and allies to prevent attacks. With the rise of cryptocurrencies as an enabler of criminal activity, the U.S. government has launched complementary efforts on illicit finance and counter-ransomware.

Separately, the U.S. government also helps partners expand digital connectivity and modernize information technology as part of economic development initiatives.⁹ This is not traditional capacity building as Washington defines it,¹⁰ but it is relevant because such activities advance norms around free and open internet and bolster cyber resilience. Washington also assists allies with incident response.

Building Cyber Resilience Through Preventive Capabilities

Cyber capacity-building programs at the departments of State, Justice, Energy, and Homeland Security strengthen partner nations’ information-sharing capabilities, national policies, and adherence to international norms and standards. These departments, along with the FBI and Secret Service, also provide training and technical assistance to thwart cybercrime or investigate and prosecute it.¹¹

Information-sharing efforts focus on improving the global sharing of technical information. The State Department’s Bureau of International Narcotics and Law Enforcement Affairs (INL) encourages multilateral and bilateral relationships to share cybercrime information. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) hosts the U.S. government’s Cybersecurity Incident Response Teams and works with global counterparts to share technical information about malware and emerging threats.¹² CISA and the FBI often also jointly distribute advisories with other U.S. agencies and partner nations.¹³

In developing national cyber strategies, State’s new Bureau of Cyberspace and Digital Policy (CDP) takes the lead.¹⁴ INL and the Department of Justice also help partners update national policies and strategies. While that work can be duplicative, INL and Justice also provide legal and legislative guidance on how to prosecute cybercrimes and protect intellectual property.¹⁵

State’s CDP further promotes international norms and represents U.S. interests in multilateral and bilateral cyber summits. CDP is also playing an increasingly important role in an often-overlooked area of international collaboration: establishing transparent, rules-based policies at standards setting organizations. Together, Washington and its partners can ensure technical standards bodies advance a free and open internet rather than authoritarian goals that prioritize state control over human rights.¹⁶ Robust diplomatic efforts secured the election of qualified leaders at the World Intellectual Property Organization in 2020 and the International Telecommunications Union in September 2022.¹⁷ The latter effort became more organized after the creation of the CDP in April 2022.

After these successes, the importance of this collaboration has been getting fresh attention. The Biden administration included cooperation with private industry, academia, and foreign partners as a key objective in its May 2023 National Standards Strategy for Critical and Emerging Technology.¹⁸ The strategy commits to enhancing U.S. and “like-minded nations’ representation and influence in international standards governance and leadership.”¹⁹

Outside of international standards bodies, CISA is also working with partners to develop technology standards so that products are engineered to be secure (by design) and include security features as standard rather than as add-on, premium features.²⁰ The goal is to increase critical infrastructure and societal cyber resilience by shifting the cybersecurity burden from the end user to large technology companies.

To further enhance cyber diplomacy and norm development, the State Department (led by CDP) is training its diplomats with the goal of having a cyber and digital officer in every embassy by the end of next year.²¹ This could be transformational. Even though some foreign service officers have some cyber knowledge, and the Department of Homeland Security (DHS) has attachés in more than 60 countries,²² embassies have generally been able to pay only limited attention to cyber missions. Amplifying foreign service and DHS efforts are the FBI’s cyber assistant legal attachés who train local law enforcement and play an important role in intelligence sharing and joint law enforcement operations in more than a dozen European countries, Israel, South Korea, and Taiwan.²³

The FBI’s cyber attaché program is just one piece of Washington’s robust international training and technical assistance programs. CISA offers industrial control systems trainings as well as tabletop and incident response exercises to U.S. industry, state and local governments, and international partners.²⁴ The Department of Energy offers cybersecurity technical training programs to the U.S. private sector and international partners through its national laboratories.²⁵ The Department of Energy is also developing exchanges and training through the Partnership for Transatlantic Energy and Climate Cooperation.²⁶ The Department of Justice’s Criminal Division, meanwhile, works with partners to prosecute criminal cases and trains counterparts on cyber investigations.²⁷ The U.S. Secret Service trains foreign partners on digital forensics, cyber-enabled financial crime investigations, and cryptocurrency tracing.²⁸ These and other law enforcement programs are distinct from incident response assistance in the wake of a specific crime. The training enhances the ability of partners to conduct investigations with or without U.S. personnel on the ground.

State and Justice also co-manage the Transnational and High-Tech Crime Global Law Enforcement Network (GLEN) of attorneys, computer forensic analysts, and law enforcement agents who conduct training on cyber investigations and evidence collection. GLEN currently has attorneys in 12 countries around the world.²⁹

Shortcomings in Civilian Federal Agency Programs

A Government Accountability Office (GAO) assessment of U.S. cyber capacity-building programs at State, Justice, and Homeland Security urged a comprehensive evaluation of the programs to determine overall impact and effectiveness.³⁰ Despite the creation of CDP and its responsibility for many (non-law enforcement related) cyber capacity-building programs, much of the funding still comes from regional programs, like assistance to Eastern Europe, the Economic Support Fund programs in East Asia and the Pacific, and United States Agency for International Development (USAID) programs.³¹ As a result, decisions about where to conduct cyber capacity building are driven by regional considerations that may not account for global, cyber-specific insights. Offices make programmatic decisions independently without coordinating with other departments, countries, or the private sector. This contrasts with the National Security Council’s more effective efforts to achieve interagency alignment on the deployment of trusted infrastructure (discussed below) with about 20 priority countries.

To address GAO’s recommendation, the State Department must assess how to identify and expand successful programs and strategically deploy limited capacity-building resources. Ambassador Nathaniel Fick noted that “demand for capacity building around the world is just overwhelming,” exceeding the government’s ability to deliver.³² Fick highlighted the need for a dedicated cyber assistance fund overseen by the CDP and additional authorities and “autonomy” to move faster to respond to the changing threat landscape.

Illicit Finance and Counter-Ransomware Efforts

In addition to these long-standing programs, the Biden administration launched global efforts to combat cyber-enabled illicit finance and ransomware, most notably the multilateral Counter Ransomware Initiative.³³ Among other capacity-building efforts, member nations have committed to develop tools to aid public-private collaboration and to sharing lessons about proactively combating ransomware threats.³⁴ Members have also used the initiative to kickstart regional cyber resilience efforts.³⁵

Alongside the first Counter Ransomware summit in October 2021, the Treasury Department also announced a bilateral partnership with Israel to “disrupt the ransomware business model” as well as improve information sharing, technical exchanges, and cybersecurity and anti-money laundering exercises.³⁶ About a month later, Israel hosted a multilateral, virtual tabletop simulating a major cyberattack on the global financial system. With treasury officials from 10 countries and participants from intergovernmental financial institutions, the exercise focused primarily on monetary policy responses,³⁷ but this type of exercise improves the coordination critical to cyber incident response writ large. At the end of April 2023, the U.S. Treasury and the Monetary Authority of Singapore similarly conducted an exercise simulating cyberattacks on their banks.³⁸

More recently, the Internal Revenue Service launched a pilot program sending cyber attachés to Australia, Columbia, Germany, and Singapore to help improve partners’ ability to combat financial crimes utilizing cryptocurrencies.³⁹ The new initiative aims to improve counter-ransomware capabilities, given cybercriminals’ heavy reliance on cryptocurrencies for ransom payments.

Incident Response and Recovery Assistance

While U.S. cyber capacity-building programs aim to help partners become resilient against cyberattacks, Washington also deploys resources when foreign countries fall victim. The Biden administration’s National Cybersecurity Strategy notes that this is one way Washington can “expose counter-normative state behavior and impose consequences” on adversaries.⁴⁰

Domestically and internationally, the FBI leads investigations into cyber incidents. The bureau deploys cyber action teams internationally to help investigate crimes and then shares technical details, as appropriate, with interagency partners and the public to help defenders identify similar deficiencies in their own systems.

The FBI deployed a cyber team to Montenegro last summer after a ransomware attack disrupted government services and electricity distribution.⁴¹ When the Albanian government suffered a devastating cyberattack in July 2022, the FBI, along with Microsoft, helped conduct forensic investigations to determine the culprit.⁴² After the United States, Albania, and NATO partners publicly attributed the attack to Iran, the FBI and CISA issued a public advisory on how to avoid similar attacks.⁴³ Cyber Command subsequently helped Albania further harden its systems.⁴⁴

Between July 2022 and February 2023, U.S. cybersecurity experts were continuously deployed to investigate the attack and bolster Albanian cybersecurity, Yuri Kim, U.S. ambassador to Albania, revealed in February.⁴⁵ She also confirmed a $50 million security assistance package, including $25 million “in direct response to Iran’s attacks.”

In addition to the FBI, the U.S. Secret Service works with allies and partners to investigate and prosecute cyber-enabled financial crimes. The Secret Service has an attaché detailed to the Joint Cybercrime Action Taskforce at Europol’s European Cyber Crime Center at The Hague.⁴⁶

Such law enforcement partnerships are indispensable for arresting cyber criminals,⁴⁷ dismantling ransomware network infrastructure,⁴⁸ and deactivating Russian malware.⁴⁹ And yet, the adage “an ounce of prevention is worth a pound of cure” continues to resonate in cyberspace. While the Department of Defense requested $62 million for the 2024 fiscal year for all its hunt forward operations,⁵⁰ the State Department committed $25 million to Costa Rica alone after ransomware attacks severely disrupted daily life and the government declared a state of emergency.⁵¹

Other incident response capabilities, however, lack speed and agility. Pending bipartisan legislation would rectify the problems that prevented CISA from quickly providing cybersecurity support to Ukraine in the wake of the Russian invasion.⁵² CDP’s proposed cyber assistance fund also aims to help allies and partners faster.

Unfortunately, Washington has not yet prioritized helping other countries develop attribution capabilities as part of incident response assistance. While the United States often attributes attacks through joint statements with partners and allies,⁵³ there are no attribution standards or mechanisms for sharing the intelligence and technical analysis.⁵⁴ Capacity building in this area would likely necessitate enhanced cyber forensic investigative training and sharing U.S. intelligence on adversarial tactics. To the extent that public attribution is a political question and not a technical challenge, Washington will need to convince partners that technically grounded, prompt, and multilateral attribution is a prerequisite for joint diplomatic and economic efforts to hold aggressors accountable.⁵⁵

Non-Traditional Areas: Secure ICT, Digital Connectivity, and Research and Development

Alongside efforts to build partner resilience by building preventative, defensive capabilities, Washington helps allies and partners build secure and reliable digital infrastructure. Partners thus avoid insecure telecommunications equipment through which adversarial nations can compromise critical infrastructure.⁵⁶ Digital infrastructure policy is also intertwined with cybersecurity (and cyber capacity-building priorities) because some countries fear cyberattacks if they choose non-Chinese telecommunications suppliers.

The Trump administration launched “The Clean Network” initiative,⁵⁷ highlighting the danger of embedding Chinese telecommunications equipment in critical partner networks because of the Chinese Communist Party’s malign activities. The Biden administration replaced this effort with a “Declaration for the Future of the Internet,” signed by 60 allies and partners.⁵⁸ While the declaration does not mention China, it commits to “promot[ing] and us[ing] trustworthy network infrastructure and services suppliers.”⁵⁹ CDP is also working to convince partners and allies to shun Chinese telecommunications equipment. In early June, for example, Ambassador Fick offered U.S. and European Union (EU) commitments to finance secure 5G infrastructure in Costa Rica.⁶⁰

The Trump administration also launched — and the Biden administration has expanded — the Digital Connectivity and Cybersecurity Partnership (DCCP) initiative.⁶¹ Chaired by USAID and the State Department, the interagency initiative encourages foreign countries to purchase secure information and communication technology (ICT) infrastructure, including U.S. goods and services.⁶² Its programs help create regulatory frameworks, provide technical assistance (including by embedding experts in host country ministries), and raise cybersecurity awareness among foreign government, industry, and civil society stakeholders. DCCP works primarily in Southeast and South Asia but will also “promote an open, interoperable, reliable, and secure digital ecosystem” as part of the White House’s new Digital Transformation with Africa initiative.⁶³

Last year, as part of the CHIPS and Science Act, Congress appropriated $100 million per year for five years for a new State Department fund to support the development of secure ICT.⁶⁴ The budget requests funding to expand international partners’ critical minerals production and ICT manufacturing. This collaboration, while not traditional capacity building, helps secure U.S. and partner digital infrastructure against supply chain disruptions and adversarial attacks.

The U.S. government also promotes secure digital infrastructure through bilateral and multilateral research and development initiatives. More than 15 years ago, Congress established DHS’s International Cooperative Programs Office to foster research and development partnerships on a wide range of homeland security issues.⁶⁵ Among these partnerships is the Israel-U.S. Binational Industrial Research and Development (BIRD) Cyber program. Announced in June 2022 as an outgrowth of nearly 50 years of bilateral, cooperative research and development, this effort will “promote the collaborative development of technologies” to “enhance the cyber resilience of critical infrastructure in the United States and Israel.”⁶⁶

Cyber Abraham Accords: An Opportunity for Regional Capacity Building

In September 2020, the Trump administration brokered a series of normalization agreements between Israel and its Arab neighbors known as the Abraham Accords. The administration has recently sought ways to increase their impact. To that end, in February 2023, DHS Under Secretary for Policy Robert Silvers announced the expansion of the accords to include cybersecurity cooperation.⁶⁷

Middle Eastern states face similar cyber threats from Iran and its terrorist proxies. They are thus well positioned to work together and alongside the United States to combat these threats and improve cyber resilience, particularly as it relates to military mobility (especially given U.S. military basing in the region), critical infrastructure protection, and cyber-enabled disinformation. For example, as part of the Counter Ransomware Initiative, Israel and the United Arab Emirates (UAE) developed a new information-sharing platform. UAE cyber chief Muhammad al-Kuwaiti also revealed in June that Israel helped his country repel a cyberattack.⁶⁸

Washington sees potential for tabletop exercises and other cyber capacity building beyond information sharing.⁶⁹ Pending bipartisan legislation would codify existing information sharing and authorize technical support, joint training, and exercises.⁷⁰

Military Cyber Defense Capacity-Building Programs

Separate but complementary to the federal civilian agency programs, the DoD conducts extensive, well-resourced cyber capacity-building efforts. Most well-known among these are Cyber Command’s hunt forward operations, where U.S. servicemembers engage in defensive cyber operations alongside host nation personnel. Combatant command-assigned forces and National Guard forces conduct military-to-military engagements. And DoD provides resources through the Foreign Military Financing (FMF) program, conducts bilateral and multilateral military exercises, and, in limited cases, executes free-standing bilateral cybersecurity partnerships through MOUs.

Cyber Command and Hunt Forward Operations

Cyber Command’s hunt forward operations are overseas deployments in which U.S. Cyber National Mission Force personnel engage in defensive operations alongside host nation personnel to detect and evict malicious actors from the host’s networks. At the invitation of a foreign partner, the deployments can involve up to 30 servicemembers and last a couple of months.⁷¹ When properly planned and executed, hunt forward operations can not only help a partner secure its networks but transition to helping the partner become more self-sufficient.

Hunt forward operations bring U.S. operators “closer to adversary activity,” noted Major General William J. Hartman, commander of the Cyber Command’s Cyber National Mission Force, helping America “better understand and then defend” itself.⁷² The missions result in “the mass inoculation of millions of systems” against adversarial attacks, Cyber Commander Gen. Paul Nakasone explained.⁷³ And they help build relationships between U.S. and foreign personnel.⁷⁴

Over the past five years, Cyber Command has conducted more than 47 missions in more than 20 countries, with the pace picking up significantly over the past two years.⁷⁵ Many deployments have been to Eastern and Central Europe. Earlier this year, Cyber Command completed its first hunt forward mission in Latin America.⁷⁶

In addition to securing foreign partners, these missions bolster U.S. security by “exposing adversary tactics, techniques, and procedures before they can be used against the United States,” according to Cyber Command.⁷⁷ Hunt forward operations in Montenegro in October 2019, for example, yielded information relevant to foreign interference in U.S. elections.⁷⁸ Multiple hunt forward operations the following year also contributed to efforts to protect the presidential election from foreign interference. Major General Hartman specifically highlighted the discovery of Iranian election interference while on a hunt forward operation.⁷⁹

In 2021, after the discovery of a multi-year Russian cyber espionage operation, Cyber Command and CISA conducted a joint hunt forward operation at a victim’s request.⁸⁰ The U.S. team helped the partner find Russian malicious activity, evict the hackers from the network, and prevent them from re-infecting the system, all “without the adversary having any idea” of Cyber Command’s involvement, according to Hartman.⁸¹ The mission uncovered virus samples that Washington then shared publicly so that other network defenders could bolster their own systems.⁸²

In early May 2023, Cyber Command completed its first hunt forward mission conducted in conjunction with Canadian Forces. Together in Riga, personnel from the three countries worked to harden Latvian infrastructure.⁸³

Military-to-Military Support Programs

The geographic combatant commanders organize and execute bilateral military-to-military capacity-building programs, utilizing resources from across the defense enterprise. In the cyber realm, these programs include cyber subject matter expert trainings,⁸⁴ contractor supported on-site training, and leadership courses, training, and mentoring programs on policy and strategy execution. The George C. Marshall European Center for Security Studies in Germany hosts a three-week-long cybersecurity studies course with students from more than 50 countries, and the DoD Cyber Crime Center hosts a five-week cyber forensics course.⁸⁵

The State Partner Program (SPP) also contributes to military-to-military efforts. The U.S. National Guard runs the SPP, pairing individual state guard programs with a specific partner country based on specific skills the receiving country requires.⁸⁶ For example, Maryland has one of the most comprehensive state guard cyber programs — not surprising given that the National Security Agency is located in Maryland. Maryland is paired with Estonia, one of the most cyber-savvy NATO allies.⁸⁷ Only 20 states, however, have an organic cyber capacity embedded in their guard and can routinely provide cyber-specific security assistance.

In a more direct form of assistance, the Defense Security Cooperation Agency sometimes embeds cyber advisors in foreign defense ministries as part of its Ministry of Defense Advisors Program.

Because training and other capacity-building resources are scarce, geographic combatant commands prioritize and align resources based on partner capacity, regional needs, and the risk to U.S. force mobilization and maneuver.⁸⁸ Based on the assessment, the combatant commands determine where to deploy service component forces, Cyber Command forces, National Guard forces, bilateral or multilateral cyber exercises, cyber classroom activities, and FMF programs.

Not all efforts are applicable or appropriate for every ally or partner. Some countries may be too wealthy for U.S.-funded training. Others may not have a cyber-capable state guard paired with them through the SPP.

NATO partners, meanwhile, may receive a great deal of partner capacity-building assistance from the alliance as part of the accession process. Once they have formally joined NATO, however, this alliance-provisioned funding ceases. It can be a significant problem for newly joined NATO members facing Russian cyberattacks if bilateral military-to-military programs do not immediately fill this gap.

Foreign Military Financing

The State Department’s FMF program provides grants for U.S. allies and partners to acquire U.S. defense services, training, and equipment. Most FMF funds are used to buy armored vehicles, munitions, vessels, aircraft, and other equipment. In the cyber realm, FMF funds pay for training, mentoring programs, contractor support, and exercise participation. It is often the funding source for the DoD programs mentioned in this report.

Annually, a portion of FMF funds is used for the Countering Russian Influence Fund and the Countering the People’s Republic of China Influence Funds.⁸⁹ This year’s budget request includes $350 million in FMF for equipment and training in Europe and Eurasia, a small percentage of which will go towards “cyber and information domain projects.”⁹⁰ For example, Montenegro used FMF funds to add two cyber consultants to its Ministry of Defense.⁹¹ The Czech Republic is using $6 million in FMF funds to create a Deployable Cyber Response Center.⁹² In both cases, Russian cyber threats were the driving force.

FMF funds have played a critical part in U.S. efforts to support Ukraine after Russia’s invasion. The January 2023 announcement of another $3.75 billion in military assistance for Ukraine, for example, included nearly $700 million in FMF funds for European partners to backfill materiel stocks they had donated to Ukraine and strengthen cyber defense.⁹³ A prior package in September 2022 included $1.2 billion in FMF funds for Central and Eastern Europe and Baltic states to strengthen capabilities including cyber defense capabilities to counter Russia.⁹⁴ While they are a small percentage of the funds, cyber capacity-building expenditures are proving effective.

Military Cyber Exercises

Bilateral and multilateral cyber exercises are a core component of cyber defense capacity building. Annually, Cyber Command hosts a multinational exercise called CYBER FLAG “to enhance readiness and interoperability by exercising collaboration through realistic defensive cyberspace training.”⁹⁵ Cyber defense teams detect and mitigate simulated attacks, while Cyber Command hosts briefings on information sharing and regional threats. The most recent exercise, conducted in November 2022, included 250 participants from eight countries. For the first time, the exercises included partners from the Pacific theater.

Cyber Command also conducts bilateral cyber defense exercises, like the annual Cyber Dome with the Israel Defense Forces (IDF).⁹⁶ In the exercise, teams of intelligence and cyber personnel react to complex, realistic scenarios simulating nation-state-level threats.⁹⁷

The United States also participates in NATO’s annual Cyber Coalition exercise in Tallinn, Estonia (which also houses NATO’s Cyber Range).⁹⁸ It is one of the largest cyber defense exercises in the world, with about a hundred experts and operators participating in person and another 900 participants joining remotely.⁹⁹ In December, 26 NATO allies plus Finland, Sweden, Georgia, Ireland, Japan, Switzerland, and the European Union, as well as industry and academic experts, participated. The exercise simulated a sophisticated adversary attempting to compromise a NATO mission using cyber operations to help “prepare cyber defenders for real-life cyber challenges, including attacks on critical infrastructure as well as disruption of NATO and allied assets while in operations,” NATO said.¹⁰⁰

In addition, NATO hosts an annual Coalition Warrior Interoperability Exercise.¹⁰¹ While not explicitly a cyber exercise, participants address interoperability for cyber operations and practice jointly detecting and responding to cyber incidents.¹⁰²

NATO’s Cooperative Cyber Defence Center of Excellence (CCDCOE) in Tallinn, Estonia, also conducts its own annual cyber defense exercise, Locked Shields.¹⁰³ The exercise is larger than Cyber Coalition, boasting 3,000 participants from 38 countries during its last iteration in April.¹⁰⁴ Whereas Cyber Coalition is a collaborative exercise, Locked Shields is a competitive red-blue exercise in which the game creators serve as the attackers in a simulation.¹⁰⁵ Participants compete against each other to see who can best repel a large-scale attack — combining technical skills, strategic decision-making, and crisis communications.¹⁰⁶ CCDCOE also hosts an annual red team exercise, Crossed Swords, which includes technical and leadership training relevant to “planning and executing a full-spectrum cyber operation.”¹⁰⁷

Bilateral Cybersecurity Cooperation Agreements

The United States develops bilateral cybersecurity cooperation with select allies — usually countries facing specific threats or that host U.S. forces. Cooperation includes bilateral cybersecurity training activities and exercises and other joint operations to defend military systems and eradicate malicious cyber activity. Some agreements deploy commercial and military cybersecurity technology and services to harden and defend networks and infrastructure. Pursuant to an agreement with the Kingdom of Jordan, the United States helped establish a regional cybersecurity center. Because these agreements require extensive effort by both Cyber Command and the relevant geographic combatant command, only a limited number of them can be undertaken simultaneously.

Cyber Capacity-Building Efforts by International Partners

Some U.S. allies and partners have their own mature, effective cyber capacity-building efforts. These efforts include those of larger organizations, such as NATO and the European Union, as well as those of individual countries.

Cyber capacity building is a priority for NATO members. As far back as the 2014 Wales summit, NATO affirmed that cyber defense is part of collective defense and that the alliance would incorporate cyber defense into its planning and operations.¹⁰⁸ In 2016, NATO members pledged to improve their cyber defenses through training, education, exercises, and information sharing.¹⁰⁹ The June 2022 Strategic Concept pledges to “boost the resilience of the space and cyber capabilities upon which we depend for our collective defence and security.”¹¹⁰ Most recently, the July Vilnius Summit Communiqué pledged that cyber defense will be a larger part of the alliance’s deterrence posture and announced a new initiative to improve incident response assistance to members.¹¹¹ Alongside the summit, NATO announced new partnerships with South Korea and Japan on cybersecurity and other issues.¹¹²

NATO academies, meanwhile, provide cyber-defense training for operators and strategic decision makers.¹¹³ The NATO CCDCOE offers strategic, legal, operational, and technical trainings. For the past five years, the center has been “responsible for identifying and coordinating education and training solutions in cyber defence” for NATO allies and partners, having been tasked as such by NATO strategic command.¹¹⁴

For its part, the European Union has recognized for at least the last decade the importance of the cybersecurity of its members and partner capacity building.¹¹⁵ The EU’s cybersecurity strategies have repeatedly highlighted this as a key pillar. The most recent strategy, released in December 2020, commits the EU to increasing partner capacity building and developing a cyber capacity-building agenda.¹¹⁶ A year prior, Brussels founded the EU CyberNet to help EU members and other partners find the right experts for their training and advising needs. EU CyberNet is also building an information-sharing platform and a curriculum to “train the trainers” for cybersecurity awareness.¹¹⁷ Over the decade, EU investment in capacity building has increased ten-fold (although the figure is a fraction of what the United States spends on civilian programs). With the increased investment, the EU has expanded its programs to include strategic partnerships on cyber norms and ICT standards.¹¹⁸

Meanwhile, the World Bank has incorporated cybersecurity into its development efforts. While all countries struggle with cybersecurity investments and workforce development, the bank determined that the way that low- and middle-income economies fund cybersecurity is “neither feasible nor sustainable.”¹¹⁹ In 2016, the World Bank launched its Global Cybersecurity Capacity Program, piloting cybersecurity awareness and technical training in Albania, Bosnia and Herzegovina, North Macedonia, Ghana, Kyrgyzstan, and Burma.¹²⁰ After initial successes, the program expanded,¹²¹ and the World Bank launched a Cybersecurity Multi-Donor Trust Fund.¹²²

Australia and Japan also have bilateral and multilateral cyber capacity-building programs in Asia. Australia’s programs focus on government, industry, academia, and civil society partnerships in Southeast Asia and the Pacific. Over the past two years, Canberra expanded its efforts to include cooperation on critical technologies.¹²³ Japan, meanwhile, conducts tabletop exercises, workshops, and trainings with ASEAN members.¹²⁴ These countries provide an example of how more cyber-mature nations can help elevate the defenses of regional partners.

The Role of the Private Sector

Cybersecurity and technology companies provide a vast amount of the goods and services that serve a nation’s cyber resilience. In addition to the products these companies offer, an increasing number of for-profit companies and nonprofit organizations, like the Cyber Readiness Institute, offer free or heavily discounted services to help small businesses, underserved populations, civil society organizations, and countries.¹²⁵ The Cyber Defense Assistance Collaborative has pulled together many of these resources to align capacity-building needs and private sector capabilities.¹²⁶ The Global Forum on Cyber Expertise has similar clearinghouses.¹²⁷

To close the cyber workforce gap globally, private companies are also offering free cybersecurity training. Microsoft, for example, partners with global and local organizations to train cyber educators and to encourage more women to join the field.¹²⁸ The World Economic Forum also offers free training in partnership with Salesforce, Fortinet, and the Global Cyber Alliance.¹²⁹

These private initiatives complement rather than replicate U.S. government efforts. They do not directly address the ability of governments to protect their citizens, implement national strategies, and prosecute cyber criminals, but private companies are often crucial to identifying cyber threats and remediating attacks, as demonstrated repeatedly during the war in Ukraine. Recognizing this, CDP is seeking to broker arrangements between private companies and international partners who have suffered attacks.¹³⁰

Ukraine: A Case Study in Successful Capacity Building

After the Russian cyberattack on Ukraine’s electric grid in December 2015, Washington dispatched an interagency team of industrial control system and incident response experts to assist with remediation and forensic analysis.¹³¹ Based on what the response team learned, the Department of Energy developed (and continues to run) a specialized training for energy infrastructure operators to understand how to mitigate the kind of attacks Kyiv suffered.¹³² While U.S.-Ukrainian energy security collaboration predated the 2015 attack,¹³³ it accelerated in September 2017 with the first U.S.-Ukraine Bilateral Cyber Dialogue. Washington announced new cyber assistance funds for Ukraine and efforts to improve “cybersecurity policy structures and cyber incident response procedures.”¹³⁴

Over the next five years, the U.S. government provided Ukraine with more than $40 million in cyber assistance. Through a USAID grant program, Washington embedded technical experts within the Ukrainian government to help strengthen laws and regulations and expand university cyber courses for workforce development. The program also deployed hardware and software to bolster Ukraine’s incident response and recovery capabilities.¹³⁵

The U.S. Treasury Department, meanwhile, worked with the National Bank of Ukraine to improve cyber information sharing with its financial sector. This initiative and the Department of Energy’s long-standing collaboration increased in the lead-up to Russia’s February 2022 invasion.¹³⁶ Cyber threat information sharing with the FBI and CISA also escalated in the run up to the invasion, helping Ukrainian defenders thwart Russian operations.¹³⁷

On the military side, beginning in 2017, the U.S. Army funded a joint cybersecurity, command and control, and information system for the Ukrainian Ministry of Defense¹³⁸ to help transition Ukrainian infrastructure from old Russian systems. At the time, U.S. officials warned that the older, Russian equipment “may have back doors that the Russians are aware of.”¹³⁹ Within three years, the U.S. Army transitioned operational responsibility of the system to Ukraine.¹⁴⁰

A decisive piece in the capacity building was Cyber Command’s December 2021 hunt forward mission in Ukraine. Alongside other European partners,¹⁴¹ more than three dozen U.S. servicemembers (the largest team ever deployed) spent months in Ukraine — supported remotely with additional personnel conducting analytical and advisory activities.¹⁴² Cyber Command revealed that U.S. personnel were in-country “when Russia began executing destructive cyber-attacks in mid-January.”¹⁴³ Working with Ukrainian counterparts, U.S. operators identified Russian intrusions and prevented crippling cyberattacks.

Since the war began, U.S. government cyber assistance has only expanded. The FBI is sharing threat information and investigative methods, disrupting disinformation campaigns, and helping Ukraine procure network defense tools.¹⁴⁴ USAID is providing technical experts and emergency communications equipment. The Department of Energy is helping Ukraine implement cyber resilience standards so its electric grid can be integrated into Europe’s. And CISA and Cyber Command are exchanging technical information. During the annual U.S.-Ukraine Cyber Dialogue in June, the State Department affirmed that the White House is “working with Congress to deliver an additional $37 million in cyber assistance to Ukraine, which would bring the total to $82 million since February 2022, and over $120 million since 2016.”¹⁴⁵

Meanwhile, U.S. allies have also provided indispensable cybersecurity support. In 2021, the EU launched efforts to help Ukraine strengthen cybersecurity laws. In the lead-up to the war, the United Kingdom provided intelligence briefings on Russian cyber operations. After February 2022, the EU deployed a team to help with threat detection and has provided about $31 million in cybersecurity assistance.¹⁴⁶

Private U.S. cybersecurity and technology companies have also contributed to Ukraine’s defense in a “powerful way,” noted former Google CEO Eric Schmidt.¹⁴⁷ Some of these companies had (and continue to have) contracts with Ukrainian government and private sector entities to provide network defense.¹⁴⁸ These companies blunted Russian attacks by updating systems “at scale in near real time, based on collaboration with the U.S. intelligence community,” according to Ambassador Fick.¹⁴⁹ As the war began, Microsoft, Cisco Talos, and others thwarted Russian malware targeting Ukrainian government networks.¹⁵⁰ And in the weeks preceding and immediately following the invasion, Kyiv worked with Microsoft and Amazon to shepherd its critical data to cloud platforms hosted outside the country.¹⁵¹

Joanna LaHaie, CDP’s acting director of international engagement and capacity building, noted that the private companies moved much more rapidly than government actors.¹⁵² Some companies donated equipment and product licenses.¹⁵³ Others provided threat intelligence and monitoring services. In still other cases, the U.S. government subsidized the licenses and training by private companies.¹⁵⁴ Nearly a dozen private companies joined together to provide cybersecurity assistance services.¹⁵⁵

Together with allies and industry, the United States helped Ukraine harden its defenses against cyber aggression. Ukraine remains in peril, but cyber capacity building has worked.

Conceptualizing Offensive Cyber Capacity Building

Until now, U.S. cyber capacity-building programs have focused almost exclusively on cyber defense. As U.S. partners become more capable in cyberspace, they will begin to reach a threshold where they could successfully conduct offensive operations.¹⁵⁶ Washington will need to ask itself a simple question: would it not be better if we collaborated with our partners rather than letting them independently develop new capabilities where their mistakes or miscalculations could risk wider conflict and loss of human life?

The risks of ignoring the issue have already materialized in Ukraine. Prior to the war, despite significant investments in national resilience against cyberattacks, the Ukrainian armed forces lacked a dedicated offensive cyber capability. When the war started, the Ministry of Defense quickly recruited a volunteer, mostly civilian “IT Army” to disrupt Russian government assets online. While this may have been a propaganda victory, its impact has been limited.¹⁵⁷ Moreover, the use of a volunteer force comes with risks. These operators lack a broader view of the operational and strategic battlefield and thus may inadvertently hinder a Ukrainian military effort or provoke Russian escalation.

Relying on NATO to provide persistent offensive capacity building is not feasible. Only a few countries — Denmark, France, the Netherlands, the United Kingdom, and the United States — acknowledge having offensive cyber capabilities. NATO policy for addressing national offensive cyber contributions, the Sovereign Cyber Effects Provided Voluntarily by Allies, ensures only the nation contributing the offensive cyber capabilities knows the details of those capabilities.¹⁵⁸ This mechanism is fundamentally different from how NATO operates in other domains where weapons systems are integrated into alliance planning and operations mechanisms.

Some partners and allies may decide to refrain from conducting offensive operations, the same way some partners choose not to field certain weapons systems, such as fighter aircraft or submarines. Many countries have eschewed the development of offensive cyber capabilities for legal, technical, financial, or other reasons. Some countries may be comfortable relying on an equipped ally or partner like the United States. Others, however, are likely to see offensive cyber operations as a necessary tool for deterring or punishing adversaries. Having determined offensive cyber capabilities are necessary for their national security, these countries will pursue the capabilities with or without U.S. assistance.

Effective offensive cyber operations take years of personnel training and infrastructure, tool, and organizational development. Offensive capacity building, therefore, is not about selling computer viruses and zero-day exploits to every country willing to buy. Rather, it involves judiciously enhancing the ability of select partners and allies to develop the people and tools to observe adversarial tactics, thwart attacks before they occur, and rapidly respond to emerging conflicts.

How Offensive Cyber Operations Are Used

The purpose of offensive cyber operations is to gain access, pursue adversaries where they operate, and deliver effects against the adversary when warranted. The cyber domain is dynamic; opportunities are often short-lived, and adversaries are agile and adaptive. Therefore, countries often use offensive cyber operations to gain situational awareness and provide early warning for defenders. Operators observe adversary tactics then deploy countermeasures to thwart or mitigate them.

Offensive operations can also counter an adversary’s own cyber capabilities, dismantle the infrastructure that supports adversarial campaigns, and force adversaries to shift to alternate targets and divert resources. The United States calls this “defending forward,” with U.S. operators persistently engaging the adversary and “defending against malicious cyberspace activities as far forward as possible,” General Nakasone testified to Congress.¹⁵⁹ Ahead of the 2018 midterm elections, Cyber Command reportedly blocked a Russian troll farm from interfering in the election.¹⁶⁰ Prior to the 2020 presidential elections, U.S. Cyber Command conducted more than two dozen operations to prevent foreign interference.¹⁶¹ Without offensive cyber capabilities, countries have less situational awareness about adversarial capabilities and are less able to prevent and thwart attacks.

Offensive cyber capabilities provide another option for rapidly responding to emerging geopolitical situations. Offensive cyber operations can provide decision makers with “cyber options” to support crisis bargaining and responses that are independent of existing cyber campaign plans. Public information about this kind of highly classified operation is limited. Reportedly, Cyber Command disabled the internet access of North Korea’s military spy agency in 2017.¹⁶² In 2019, Cyber Command reportedly carried out cyberattacks twice in response to Iranian interference with international shipping and proxy attacks on Saudi oil fields.¹⁶³

In conflict, offensive cyber operations can deliver a direct strike, or they can amplify, enable, or enhance kinetic strikes with non-kinetic cyber effects. Offensive cyber capabilities are important for placing adversary command and control networks at risk and enabling long-range strikes into heavily defended areas, two challenging missions for kinetic effects alone.

Potential Components of Offensive Capacity Building

Preparations for the use of cyber forces, as with any military forces, involves force generation (building the force in question) and force employment (how one utilizes that force in operations). While force generation is the process of creating a capability, force employment is the process of utilizing, sustaining, and deploying a capability in routine operations, crisis, and combat. It allows the force employer to develop a wide range of options and quickly deploy capabilities for emerging requirements while maintaining readiness to respond to contingencies.¹⁶⁴ In the United States, the force employer for offensive cyber operations is Cyber Command.

In many other domains, the United States assists partners with both force generation and force employment. Even in cyber defense capability development, Washington does the same. For offensive cyber operations, assistance with force generation may be possible, but as an initial matter, assistance with force employment is more feasible in the short and medium term.

In force generation, required resources are produced to provide an operational commander with the necessary capabilities at the right scale and readiness to accomplish the task. The United States has historically viewed force generation through the DOTMLPF model: Doctrine (the way to fight); Organization (how to organize to fight); Training (both individual and unit level training up to large-scale exercises); Materiel (the equipment the forces need); Leadership and education (preparing soldiers to lead the fight from squad leader to general); Personnel (recruitment of qualified personnel); and Facilities (installations and infrastructure that support the forces). Cyber scholar Max Smeets has developed a cyber-specific model he calls PETIO: Personnel (both recruitment and training); Exploits (the vulnerabilities that will be taken advantage of); Tools (the computer programs used to support operations); Infrastructure (the processes and structures used to support operations); and Organization (structures used to conduct operations).¹⁶⁵

If an ally or partner were to ask for assistance with force generation, the request is most likely to be in the personnel and training areas. Smeets identifies 15 specialties requiring offensive cyber-specific training. (This includes not just operators but other personnel like lawyers.) This number of specialties expands significantly, however, with the disaggregation of functional job descriptions (such as “vulnerability analyst”) into specific technologies and skill sets. Currently, the U.S. service schools’ offensive cyber curriculum is long and challenging, with a high dropout rate.

U.S. military services each conduct cyber force generation and are already operating at maximum capacity. In fact, Cyber Command recently had to readjust its planned force expansion because of the U.S. Navy’s inability to meet readiness requirements.¹⁶⁶ Washington may not overtly offer force generation support in part because its services barely have the bandwidth to man, train, and equip the forces they are required to generate for Cyber Command.

That said, if the United States were to provide allies with force generation support, offensive cyber-specific personnel training would be a logical first step. The United States could help establish the intake, initial training, and specialty training. U.S. military services could establish “train the trainer” models where they provide a notional curriculum, work with a handful of high-proficiency partner servicemembers, help the partner build its own school, and then continuously assess progress. This tasking would be challenging, however, as it draws on a personnel training system already under duress. Nevertheless, U.S. special forces have successfully used this model.

Cooperation in the development of exploits, tools, and infrastructure is even more complicated. The U.S. military services and Cyber Command are responsible for this work, and there is little excess bandwidth for partner capacity building. Beyond that, sharing exploits and tools is complicated for operational, legal, and risk assessment reasons. Smeets and others have referred to this aspect of force development as “arms transfers.” In addition to the usual risks in arms transfers in other domains, transferring “cyber weapons” carries the risk that adversaries will more easily compromise the tools or development techniques once the United States is not the sole holder of that information. There could also be unintended collateral damage when an ally or partner uses an exploit.

Given all these challenges, mentions of offensive cyber operations in a training or exercising environment with allies and partners likely refer only to America demonstrating its ability to impose cyber effects in the exercise or training rather than any effort to build the offensive cyber capabilities of its partners.

There are more opportunities, however, for offensive cyber capacity building in the force employment process. Through classroom training, tabletop exercises, and operational exercises, U.S. operational and legal practitioners could provide cyber-specific guidance on basic legal issues such as due diligence, sovereignty, and jurisdiction as well as more complex operational issues such as collateral damage assessments, clarification on when states can “hack back,” and when states can engage in self-defense. Intelligence practitioners could assist in deconfliction with espionage operations, developing timely and accurate attribution techniques and implementing a comprehensive targeting process.

Bandwidth issues in the force employment area are also less challenging than those for force generation. And the activities can be done in the United States or with alliance support organizations like NATO’s CCDCOE.

The United States has spent the better part of two decades grappling with the policy decisions surrounding offensive cyber operations. The Defense Department has established doctrine about acceptable collateral damage in cyberspace. Even as the commander of Cyber Command is dual hatted as the head of the National Security Agency, Washington delineates between military operations and espionage operations both in practice and in law. America’s democratic partners and allies — while each operating under unique legal regimes — will need to establish their own similar rules and could benefit from training on doctrinal development.

Conclusion and Recommendations

American cyber capacity-building efforts should promote and reinforce cyber resiliency of allies and partners to help maintain their warfighting capabilities, ensure the mobility of U.S. forces within the host nation, and support global economic productivity. While the United States needs allies and partners with more skilled cyber defenders, Washington also must begin thinking about training select partners and allies in elements of offensive cyber operations. The following recommendations outline how to meet these challenges.

1. Make allied and partner cybersecurity capacity building a key element of the forthcoming international cybersecurity strategy. As part of the National Defense Authorization Act (NDAA) for Fiscal Year 2023, Congress required the president to develop an international cyberspace and digital policy strategy to advance cyber norms, improve collaboration with allies and partners, and deter foreign threats.¹⁶⁷ The strategy is due to Congress in December 2023. It should align with the National Cybersecurity Strategy, the National Security Strategy, National Defense Strategy, and the Defense Cyber Strategy.

   Ambassador Fick confirmed that the Bureau of Cyberspace and Digital Policy is drafting the strategy in accordance with the statute.¹⁶⁸ He must ensure it examines more than just State Department equities. According to the congressional directive, the strategy should assess current activities and develop a plan of action for all departments to advance the administration’s cyber strategy internationally. It should recognize Cyber Command hunt forward operations’ importance to capacity building and strategic partnership building. And the strategy should prioritize resources from both military and civilian U.S. agencies, remove redundancies, and close any seams. It should also account for the role that cyber-developed allies and partners and the private sector will play. The State Department and its interagency partners must then follow through on an implementation plan that promotes partner cyber resiliency to support their warfighting capabilities, America’s ability to maneuver forces across host nation battle space, and global economic productivity.

2. Prioritize building allied and partner cyber resilience in critical infrastructure. Building cyber resilience of partner critical infrastructure — particularly ports, rail systems, and air transport systems — protects military mobility for both the host nation and U.S. forces. Other critical infrastructures — power, water, financial services, and pipelines — also undergird economic productivity. Capacity building should focus on critical infrastructure resilience, and priority should be given to countries whose infrastructure is most critical to U.S. force maneuver. CISA and sector risk management agencies have also developed programs, collaboration frameworks, and industry-specific guidance that partners could adapt rather than create anew.
3. Provide additional funding for capacity building. The Biden administration should request — and Congress should appropriate — additional funding to expand existing, successful cyber capacity-building efforts and create new ones. With more dedicated funds, Energy and DHS can provide more training and expand information-sharing initiatives. The FBI, meanwhile, needs more cyber assistant legal attachés.

   State and DoD capacity building should receive the lion’s share of the increases. Ambassador Fick has stated that his bureau wants to create a dedicated fund for cyber, digital, and emerging technology assistance.¹⁶⁹ U.S. responses in Albania, Costa Rica, and elsewhere were too slow. The federal government must respond faster and with more agility and autonomy. Washington could draw lessons from changes to counterterrorism assistance after 9/11 for how to tackle endemic challenges. Fick also noted the bureau wants to scale capacity building and broker more relationships between cybersecurity companies and foreign partners. This will likely require more appropriations if not also additional authorizations from Congress. Fick has requested $250 million. This is a reasonable starting point, but the number may need to grow over time.

   As allies and partners see the benefits of hunt forward operations, Cyber Command will likely need more funding to conduct more missions, and the military services will need more resources to generate the forces. To the extent that some partners view the term “hunt” as implying aggressive actions, this expansion could be paired with a rebranding that more explicitly markets these deployments as capacity-building operations where U.S. personnel teach counterparts their techniques and leave behind some technology.

   Simultaneously, Congress should conduct increased oversight to ensure that authorized programs are getting the resources they require. For example, despite language in appropriations bills indicating congressional intent that the U.S.-Israel Cybersecurity Cooperation Grant Program and the Binational Industrial Research and Development (BIRD) be funded through DHS’s Science and Technology Directorate, members of Congress are concerned these programs have not been resourced. Congress should ensure that the executive branch is using increased resources to develop stronger bilateral relationships between civilian agencies as well as military-to-military and intelligence community-to-intelligence community.

4. Consolidate State Department cyber capacity-building funding under CDP. Simply throwing more money at cyber capacity building is not a responsible way to spend taxpayer dollars. Having been tasked with drafting the international cyber strategy and given its existing work in traditional and non-traditional cyber capacity building, CDP is best positioned to prioritize programs and funding rather than the disparate regional bureaus. The Bureau of International Narcotics and Law Enforcement Affairs, however, should retain all funding related to law enforcement and legal cybersecurity training.
5. Conduct more bilateral and multilateral cyber exercises. Between Cyber Command exercises and NATO exercises, the United States and its partners have a robust schedule. More military and civilian exercises, however, are needed outside of the transatlantic theater. As Washington helps Abraham Accord signatories deepen their information sharing, it should explore tabletop exercises on shared threats. Washington should also explore replicating the annual U.S.-Israel cyber military exercise with other partners, including Taiwan, Japan, and South Korea. This will help strengthen military-to-military relationships.
6. Selectively use bilateral MOUs to improve military cyber defense capabilities of American allies. Last year’s NDAA established a program to expand cooperation with Jordan on military cybersecurity activities.¹⁷⁰ Congress is considering a similar provision for Taiwan this year.¹⁷¹ The bipartisan legislation, the Taiwan Cybersecurity Resiliency Act, directs the Defense Department to conduct training and exercises and leverage U.S. commercial and military technology to harden Taiwan’s networks.¹⁷² Bilateral MOUs tax resources across national security agencies. Where prospective partners (like Taiwan) are both critical to America’s ability to maneuver forces and under duress from capable cyber adversaries, the effort is warranted. These MOUs should emphasize bilateral cybersecurity training, exercises, and joint operations to defend military networks, infrastructure, and systems. They can also deploy commercial and military cybersecurity technology and services to harden and defend networks.

7. Develop offensive cyber force employment training capability. The United States should develop and offer bilateral and multilateral training events for select partners and allies where U.S. operational, intelligence, and legal practitioners provide cyber-specific guidance on basic operational issues including (but not limited to) due diligence, sovereignty, collateral damage assessments, deconfliction with espionage operations, attribution techniques, and targeting processes. These force employment development opportunities could be delivered through classroom training or exercises and should leverage willing partners with cyber offensive experience. The effort may also be able to leverage the existing trainings at the NATO CCDCOE.
8. Assess future elements of offensive cyber force generation. There appears to be limited appetite today to build partner capacity to generate forces for offensive cyber operations. In preparation for a future in which existing operational, legal, and resource concerns are mitigated, however, the Department of Defense should pick a military service to study how to best build or support a partner’s ability to conduct force generation for an offensive cyber capability and determine the resources required to execute such tasking.

***

The United States has a robust, if somewhat ad-hoc, program for supporting the cyber capacity-building needs of its allies and partners. Unfortunately, adversaries are continuously improving and developing new avenues of attack. Even non-state criminal actors can have serious national security impacts. As such, the United States needs to maintain or even increase its support for the cyber defense capabilities of its partners and allies and begin thinking about training them in elements of offensive cyber operations.