Christopher Painter
When I helped establish the Office of the Coordinator for Cyber Issues at the US State Department in 2011, the first high-level dedicated cyber diplomacy office in the world, one of the core pillars of our work was coordinating and delivering cyber capacity building particularly in the developing world. Capacity building was seen not just as a way to help countries in need, but also as a powerful tool to help “middle countries” see the value of the democratic view of the Internet as open, interoperable and secure over a more authoritarian view that sought to mandate state control. Moreover, capacity building was seen as undergirding all of the positive things we were advocating – from a cyber stability framework that was based on international law, norms of state behavior and confidence building measures, to an innovation agenda that included economic digital transformation. Today the technical and policy threats have never been greater. Indeed, with greater technical threats and resulting instability, there is a greater risk that more authoritarian control-oriented approaches will gain traction. Yet, just when they are needed most, the resources devoted to capacity building and being cut back and capacity building is being de-prioritized, particularly for programs in potential “swing” countries including those in Africa. This has to change.

From the very beginning of the cybersecurity and cybercrime processes in the United Nations, capacity building was raised as a vital issue by those many countries that lacked the technical and policy capabilities to effectively deal with the realities of cyberspace. In the early cyber focused Groups of Governmental Experts, consensus on the larger stability framework was only made possible when capacity building was included as part of that framework. When the first cyber focused Open Ended Working Group was formed in 2019, comprised of all UN countries, it was notable that a great number of countries, many of whom had not participated in the prior more limited GGEs, expressed strong interest in capacity building as something they desperately needed, even more than participation in seemingly esoteric discussions of stability. The two successive OEWGs both focused on capacity building as a core pillar, making some progress on capacity building principles and incremental progress on other related issues. Capacity building was designated as one pillar of the just launched permanent UN mechanism on cybersecurity, the “G-Mech” including a standing working group on this issue. On cybercrime, capacity building took center stage following the negotiation of the Budapest Convention in 2001 and was the focus of UN efforts for years until the eventual recent negotiation of a UN Cybercrime Treaty (“The Hanoi Convention”). During the negotiations, as reflected in the final text, capacity building and technical assistance was again front and center.

Across the board, capacity building continues to be a demand and a priority for developing world, and small and medium states. The recent focus on AI has only intensified this need, as many states fear being left behind and fear the huge increase in vulnerability new models, like Anthropic’s Mythos, portend. Though it is laudable that the UN cybersecurity processes have focused on capacity building, it is unlikely that UN efforts will deliver much in the way of tangible assistance any time soon. Moreover, it is unclear who has the resources or capability to help deliver promised capacity building on cybercrime, particularly on implementation of the Hanoi Convention. Many in civil society and the private sector fear that without intense implementation assistance, countries will be swayed by more authoritarian views and not implement the Convention in a rights protecting manner, yet resources for this are strained. On cybersecurity and on cybercrime, some authoritarian countries have long sought binding conventions that would, among other things, exert state control, repress dissent and impose obligations with which they would not comply. Given rising threats and the seeming failure of democratic countries to address them, their arguments may gain greater traction. In a recent article I helped co-author with two colleagues who, like me, have followed UN cyber negotiations closely for years, we argue that democratic countries need a new “positive agenda” to counter these moves. See, Has Russia Overplayed Its Hand in UN Cyber Negotiations, Pavlina Pavlova, Christopher Painter and Nick Ashton-Hart, https://www.lawfaremedia.org/article/has-russia-overplayed-its-hand-in-un-cyber-negotiations (May 21, 2026). Surely, given the demand by the developing world who will be pivotal in deciding the future course of multi-lateral processes, an increased emphasis on capacity building is part of any positive agenda.

Yet, perhaps not fully recognizing the larger geopolitical significance, many countries are pulling back from cyber capacity building efforts. The US, in addition to shuttering USAID, has withdrawn from the capacity building centric Global Forum on Cyber Expertise (‘GFCE”) and lowered its cyber capacity building efforts overall. Many European countries have similarly cut back on capacity building efforts given overall financial pressure including the war in Ukraine and now Iran. Capacity building has often become more transactional and tactical versus looking at the larger picture. The GFCE itself has recently been put into receivership given the lack of core funding. Though the Swiss government and the larger capacity building community have engaged in efforts to preserve its functions, the result of those efforts remain unclear. Some countries and potential donors have been distracted by new bright and shiny objects like AI and are less interested in the basic policy and technical needs of countries. Some view capacity building as charity, failing to understand that building the capacity of countries who are used by bad actors to route their attacks helps our own defenses as they can better thwart those efforts and cooperate with us in protecting our populations.

This is not to say that great cyber capacity building efforts don’t exist. The EU, Singapore and others are still doing exemplary work as are other governments, international organizations, and many members of the private sector and civil society. But if we are to deal with rising cyber threats and the rising specter of authoritarian control we need to do more and do it in a more effective and coordinated way.