Criteria for Cyber Situational Awareness

Cyber threats against South Korea and the United States have increased in recent years, prompting both nations to strengthen cooperation on cyber issues. South Korean domestic public institutions saw a 36 percent increase between 2022 and 2023 to 1.6 million cyberattacks, and the number of detected cyberattacks against U.S. targets surged 136 percent between October 2024 and April 2025. Both countries have enhanced their cyber cooperation to combat these cyber risks through the U.S.-ROK Joint Leaders’ Statement in 2022 and the declaration that the U.S.-ROK mutual defense treaty extends to cyberspace in 2024. Both countries must establish criteria for cyber situational awareness to maintain robust cyber cooperation. Cyber situational awareness aims to provide a comprehensive view of the environment, threats, and malicious activity that can form the basis for action in cyberspace. Maintaining awareness of this environment requires continuous monitoring, analysis, and evaluation of cyber activities to identify vulnerabilities, threats, and the potential effects on the economy, society, and national security.
A cooperative approach to cyber situational awareness between the United States and South Korea will require both nations to develop processes and agreed standards for coordinating real-time communication, to make more timely and better-informed decisions, and to take proactive measures to defend digital assets and infrastructure from cyber threats. The categories of information needed for cyber situational awareness include:
- threat intelligence;
- network monitoring;
- vulnerability assessments;
- incident detection and analysis;
- all-source risk assessment; and
- near real-time situational reporting.
At its core, cyber situational awareness involves three fundamental dimensions: (1) acquiring knowledge about what is happening in the digital environment, (2) understanding and being able to explain why these events are occurring, and (3) assessing what impacts these developments could have on national security, economic stability, and public safety. This process necessitates sophisticated data collection methodologies, advanced analytical frameworks, and well-organized information management systems. Most importantly, to establish cyber situational awareness, there must be agreement between both nations regarding information sharing protocols, task allocation procedures, and prioritization frameworks, using the existing framework of collaborative efforts by the two countries.
Data Collection and Intelligence Infrastructure
Establishing effective cyber situational awareness first requires developing capabilities for collecting and sharing aggregate data from diverse sources. This data should cover government networks, critical infrastructure sectors (e.g., energy, finance, healthcare, transportation, and water systems), private companies, academic institutions, and open-source intelligence. The data must be processed to identify malicious activities and understand the tactics and techniques of various threat actors, including state-sponsored entities, sophisticated cybercriminal organizations, and ideologically motivated hacktivists.
AI Tools
Artificial intelligence (AI) tools can improve cyber situational awareness by processing and analyzing vast amounts of security-related data at speeds and scales beyond human capabilities. This enables organizations to gain a more comprehensive understanding of their security posture and the evolving threat landscape. The United States and South Korea can jointly develop algorithms to identify patterns and anomalies in network traffic and (where appropriate) user behavior that might indicate malicious activity with greater accuracy and speed than traditional rule-based systems. AI can also automate parts of the incident response process and enhance vulnerability scanning by prioritizing vulnerabilities. The effective implementation of AI for cyber situational awareness requires a combination of specialized tools supported by skilled security analysts who can interpret AI-produced insights for appropriate action.
Proactive Defense and Predictive Capabilities
Beyond simply reacting to immediate threats, comprehensive cyber situational awareness involves analyzing trends and patterns to predict future cyberattacks and emerging threats, work that the United States and South Korea should undertake collaboratively. This predictive capability is essential for proactive cyber defense because it allows for preemptive defensive measures rather than purely reactive responses. The foundation of effective situational awareness between these allied nations relies on robust mechanisms for sharing cyber threat intelligence and information in a timely, secure, and actionable manner.
Shared Analytical Standards
In creating a common approach to situational awareness, the United States and South Korea would benefit substantially from shared analytical criteria designed to identify patterns, relationships, and potential incidents across both nations’ digital ecosystems. These analytical frameworks could be integrated with other threat intelligence sources to create a more comprehensive understanding of the threat landscape facing South Korea. The information generated should include both high-level strategic summaries for senior decision-makers and more granular, technically detailed reporting for operational analysts. To facilitate this level of cooperation, South Korea and the United States will need to significantly expand existing communication channels and develop standardized processes for sharing sensitive cybersecurity information. This could build on greater collaboration with the existing National Cyber Awareness System (NCAS) at the Cybersecurity and Infrastructure Security Agency (CISA). This tool provides situational awareness to technical and nontechnical audiences by dispensing timely information about cybersecurity threats and issues as well as general security topics. NCAS products include technical alerts, control systems advisories and reports, weekly vulnerability bulletins, and tips on cyber hygiene best practices. The U.S. and ROK governments could consider establishing a similar system between their governments to share data.
Any agreed-upon standards for collective work should establish clear guidelines for timeliness, completeness, and accuracy of shared information. In many cases, real-time or near-real-time data sharing is critical for responding effectively to rapidly evolving cyber threats. All shared data should be consistently formatted and structured to enable effective cross-agency analysis and joint defensive operations. A collaborative effort must include common standards regarding the appropriate level of detail to be exchanged, balancing the need for actionable intelligence with legitimate concerns about sources and methods protection.
These standards and protocols represent critical topics to be jointly developed and agreed upon by cybersecurity authorities from both nations. The creation of joint U.S.-ROK standards for collective cybersecurity must address timeliness to enable rapid defensive actions. These standards should define specific timeframes for sharing different categories of threat intelligence, including immediate notification (within minutes) for critical zero-day vulnerabilities and active attacks against critical infrastructure, and 24-hour windows for less urgent but still significant threat information. The framework should include protocols that automatically accelerate information sharing during crisis situations, such as widespread attacks. Additionally, both nations must further invest in compatible secure communication channels and automated sharing systems that can transmit encrypted data in standardized formats with minimal human intervention, thereby reducing the delay between threat detection and defensive response.
Joint standards should establish minimum data requirements for different types of cyber threat intelligence to give a full picture of the shared information. These requirements must specify which technical indicators (e.g., IP addresses, malware signatures, and command-and-control infrastructure) and contextual information (targeting patterns, adversary techniques, and potential impacts) must be included in various categories of threat reports. The standards should also clarify expectations about the inclusion of raw data versus analytical conclusions, as well as delineate circumstances under which certain details may be withheld due to classification concerns or source protection. To ensure proper implementation, both countries should create joint review mechanisms to periodically assess the completeness of shared intelligence and identify systematic gaps or areas for improvement in information exchange practices. Both countries will also need to develop common approaches to privacy and personally identifiable information.
With respect to accuracy in reporting, joint U.S.-ROK standards must develop and implement rigorous verification protocols for shared cyber threat intelligence. These protocols could include confidence ratings for different types of information. They should also involve clear sourcing requirements (using a common format for referencing) and procedures for differentiating between confirmed facts and analytical judgments derived from those facts. Both nations should establish joint technical working groups to validate significant technical findings before they trigger major defensive actions while maintaining the ability to rapidly share time-sensitive intelligence with appropriate caveats. Additionally, the standards should include feedback mechanisms that allow recipients to report on the actionability and accuracy of received intelligence, creating a continuous improvement cycle. This focus on accuracy must be balanced with timeliness requirements through established procedures for sharing preliminary information with clear uncertainty markers, followed by more thoroughly verified updates as additional confirmation becomes available.
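The three preceding paragraphs describe what a joint sharing standard would have to check: timeliness tiers (minutes for critical threats, 24 hours for significant ones), minimum data requirements per report category with explicit marking of withheld details, and accuracy markers that separate observed facts from analytical judgments and attach confidence ratings and source references. The following is an added illustration, not code from the commentary or from either government, of how such a standard could be enforced mechanically on a shared report. The field names, categories, tiers, deadlines, and the sample report are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed timeliness tiers (not any agency's real SLA): critical threats within
# minutes, significant ones within 24 hours, routine reporting within a week.
NOTIFY_WINDOW = {
    "critical": timedelta(minutes=15),
    "significant": timedelta(hours=24),
    "routine": timedelta(days=7),
}

# Assumed minimum data requirements per report category: technical indicators
# plus the contextual fields (targeting, techniques, impact) the standard calls for.
REQUIRED_FIELDS = {
    "active_attack": {"indicators", "targeting", "techniques", "impact"},
    "vulnerability": {"affected_products", "techniques", "impact"},
    "campaign_summary": {"targeting", "techniques", "impact"},
}

CONFIDENCE_LEVELS = ("low", "moderate", "high")


@dataclass
class Assessment:
    """One statement in a report, tagged as an observed fact or an analytic judgment."""
    statement: str
    kind: str                 # "fact" or "judgment"
    sources: List[str]        # references in the agreed common sourcing format
    confidence: str = ""      # required for judgments only


@dataclass
class ThreatReport:
    report_id: str
    category: str
    severity: str
    detected_at: datetime
    shared_at: datetime
    data: Dict[str, object]                    # structured fields actually shared
    assessments: List[Assessment]
    withheld: Dict[str, str] = field(default_factory=dict)  # field -> stated reason


def sharing_deadline(report: ThreatReport) -> datetime:
    """Latest time at which the report should have reached the partner."""
    return report.detected_at + NOTIFY_WINDOW[report.severity]


def validate_report(report: ThreatReport) -> List[str]:
    """Return every violation of the timeliness, completeness and accuracy rules."""
    problems: List[str] = []

    # Timeliness: was the report shared inside the window for its severity tier?
    if report.severity not in NOTIFY_WINDOW:
        problems.append(f"timeliness: unknown severity '{report.severity}'")
    elif report.shared_at > sharing_deadline(report):
        late_by = report.shared_at - sharing_deadline(report)
        problems.append(f"timeliness: shared {late_by} past the {report.severity} window")

    # Completeness: every required field is either present or explicitly withheld
    # with a reason (classification, source protection), never silently absent.
    required = REQUIRED_FIELDS.get(report.category)
    if required is None:
        problems.append(f"completeness: unknown category '{report.category}'")
    else:
        for name in sorted(required - set(report.data) - set(report.withheld)):
            problems.append(f"completeness: required field '{name}' missing and not marked withheld")

    # Accuracy: facts and judgments are distinguished, judgments carry a
    # confidence rating, and every statement references its sources.
    for a in report.assessments:
        if a.kind not in ("fact", "judgment"):
            problems.append(f"accuracy: '{a.statement}' must be tagged fact or judgment")
        elif a.kind == "judgment" and a.confidence not in CONFIDENCE_LEVELS:
            problems.append(f"accuracy: judgment '{a.statement}' lacks a confidence rating")
        if not a.sources:
            problems.append(f"accuracy: '{a.statement}' has no source reference")
    return problems


def sample_report(late: bool = True) -> ThreatReport:
    """Constructed sample report; every value is invented for illustration."""
    detected = datetime(2025, 1, 15, 3, 0, tzinfo=timezone.utc)
    shared = detected + timedelta(minutes=40 if late else 5)
    data = {
        "indicators": ["203.0.113.7", "sha256:PLACEHOLDER"],  # documentation-range IP, placeholder hash
        "targeting": "energy-sector operator",
        "techniques": ["credential phishing", "VPN appliance exploitation"],
    }
    if not late:
        data["impact"] = "attempted access to OT management network"
    return ThreatReport(
        report_id="EXAMPLE-0001",
        category="active_attack",
        severity="critical",
        detected_at=detected,
        shared_at=shared,
        data=data,
        assessments=[
            Assessment("Logins from the listed IP at 02:55 UTC", "fact", ["sensor:ids-3"]),
            Assessment("Likely state-sponsored actor", "judgment", ["analyst:team-b"],
                       confidence="" if late else "moderate"),
        ],
    )


if __name__ == "__main__":
    for issue in validate_report(sample_report()):
        print(issue)
```

Run stand-alone, the script lists three violations for the constructed report: it was shared 25 minutes after the critical-tier deadline, its `impact` field is neither present nor marked withheld, and its judgment carries no confidence rating. The same checks pass for `sample_report(late=False)`. The `withheld` mapping is the design point worth noting: the standard's allowance for withholding details on classification or source-protection grounds is modelled as an explicit, reasoned omission rather than a missing field, so the joint review mechanism the text describes can distinguish deliberate withholding from a systematic gap.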
Strategic Importance
In today’s digitally interconnected domain, the United States and South Korea effectively share a border in cyberspace, making improved intelligence sharing not only beneficial but essential for mutual defense. By establishing a comprehensive framework for cyber situational awareness, both nations can enhance their collective ability to detect, analyze, and respond to sophisticated cyber threats targeting their shared strategic interests and critical infrastructure systems.
Beyond countering specific threats, U.S.-ROK cyber cooperation involves extensive information and best practices sharing, facilitated by agreements like the memorandum of understanding between CISA and South Korea’s National Intelligence Service. This includes collaboration on cyber crisis management, critical infrastructure resilience, and policies related to emerging technologies. While there are challenges such as differing threat perceptions and difficulties in operationalizing active cyber defense on a bilateral basis, future U.S.-ROK cybersecurity collaboration should aim for deeper integration through proactive responses.
Julia Brock is a program manager and research associate with the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. James Andrew Lewis is senior adviser (non-resident) with the Economic Security and Technology Department at CSIS.
This commentary is made possible through support from the National Security Research Institute of Korea.