In today’s ‘deeply cybered’ world, technological developments are racing ahead of both military doctrine and international law (Demchak, 2012; Shackelford, 2013). As cybersecurity challenges conventional ideas of how security is delivered and governed, governments are struggling to adapt their models of cybersecurity cooperation. In many countries, it is not the state but rather the private sector that provides cyber services or that owns critical infrastructure, such as telecommunication networks and online platforms. Much of the cybersecurity expertise thus lies with non-state actors. In seeking to address cybersecurity challenges and build up resilience, governments are not able to go it alone (Dunn Cavelty, 2007; Reveron, 2012; Tropina and Callanan, 2015).

The legal and strategic frameworks of all Western Balkan economies recognize the need – and the opportunities – for public–private partnerships (PPPs) in cybersecurity. DCAF’s analysis of relevant laws and strategies in the region shows that some present the concept of PPPs as an aspirational principle, while others refer to multi-stakeholder cooperation in certain areas of strategic importance. Indeed, certain policies set out specific actions to be taken to establish a cybersecurity PPP.1 Overall, however, there is a lack of practical guidance on how to secure such cooperation and the region has seen few attempts to set up cybersecurity PPPs. Their presence is far more common in Western Europe and North America.

This Guide is designed to support Western Balkan governments and non-state actors that are planning to establish cybersecurity PPPs as part of their public–private cooperation.

Drawing on international best practice, and referencing the region’s distinctive cultural, economic, and social context, it highlights options for establishing suitable cooperation frameworks and methods for overcoming obstacles.

Chapter 1 defines the term ‘cybersecurity PPP’ and sets out the main concepts and principles that underpin the guidance on planning, establishing, and maintaining a cybersecurity PPP. It describes the critical role good governance plays in every stage of cybersecurity cooperation and underscores the benefits of assessing the maturity of a community of cybersecurity actors as part of the PPP planning process.

Chapter 2 provides practical, advice on how to plan, set up, and run a cybersecurity PPP in the specific context of the Western Balkans. It reviews key considerations that can inform various aspects of the process, including the selection and convening of stakeholders, communication among partners, the establishment of PPP objectives and rules, agreement on who leads and administers the PPP, and upskilling of stakeholders who may have limited experience in public–private cooperation.

Chapter 3 presents various types of cybersecurity PPPs and offers concrete examples from the Western Balkans and other parts of the world. It draws out useful lessons, noting what steps stakeholders can take to overcome challenges. The examples reveal the advantages of tailoring the modalities of planning, establishing, and maintaining a cybersecurity PPP to its specific objective.

1 For details, see DCAF