Collaborative Cyber Defense: Why Algeria Needs Open Threat Intelligence Sharing

The Shared Threat That No One Shares

Algeria blocked over 70 million cyberattacks in 2024, according to Kaspersky data, ranking 17th globally among the most targeted nations. Beyond the headline number, Algerian systems also intercepted more than 13 million phishing attempts and nearly 750,000 malicious email attachments during the same period. When a phishing campaign hits one Algerian bank, the same campaign is likely targeting every other bank in the country within hours. When ransomware encrypts files at a logistics company in Oran, the same malware variant is probing networks in Algiers and Constantine. The threats are shared. The intelligence about them is not.

This is the fundamental problem with Algeria’s current cybersecurity posture: despite a rapidly maturing legal framework and new institutional architecture, most organizations still defend alone. Each ministry, each bank, each telecom operator, each energy company maintains its own security operations center, detects its own threats, and responds to its own incidents — without systematically sharing what it learns with peers facing identical adversaries. The International Telecommunication Union’s 2024 Global Cybersecurity Index places Algeria in Tier 3 (“establishing” stage), reflecting structured government engagement that remains in a consolidation phase. The concept of open innovation — where competitors collaborate on shared challenges while competing on execution — is well established in technology development. Applied to cybersecurity, it means collaborative defense through structured threat intelligence sharing: when one organization detects an attack, every organization in the ecosystem benefits within minutes, not months.

Algeria’s National Cybersecurity Strategy 2025-2029 creates the institutional conditions for this shift. But building the actual mechanisms for cross-sector intelligence sharing requires deliberate action that goes beyond what the decrees mandate.

The Institutional Foundation Is Now in Place

Algeria’s cybersecurity governance architecture has undergone a complete overhaul in the past year. Presidential Decree No. 25-321 of 30 December 2025 formally adopted the National Cybersecurity Strategy 2025-2029, establishing a five-year roadmap for defending public administrations and critical digital infrastructure. The strategy was prepared through a participatory approach engaging multiple sectors. Presidential Decree No. 26-07 of 7 January 2026 went further, mandating that every public institution create a dedicated cybersecurity unit — separate from IT management — reporting directly to the head of the organization. These units must design threat maps, deploy remediation plans, and coordinate with ASSI (the Information Systems Security Agency) on incident response. The decree also mandates compliance with personal data protection legislation and the integration of cybersecurity clauses into outsourcing contracts.

The cybersecurity leadership mandate is particularly significant. For the first time, Algerian public institutions are required to designate dedicated cybersecurity leadership with defined responsibilities and direct access to organizational heads. This creates a professional layer of security decision-makers across government and critical infrastructure who could, in principle, form the nodes of a national threat intelligence network.

The institutional architecture now includes ASSI as the operational technical agency — with its own operational center (CNOSSI) — operating under the Ministry of National Defence; CNSSI (the National Information Systems Security Council, created by Law No. 20-05 of 20 January 2020) as the strategic policy body; and DZ-CERT (hosted by CERIST) as the national computer emergency response team, which is a member of FIRST and AfricaCERT. Algeria also established the ANPDP (Autorite Nationale de Protection des Donnees Personnelles), the data protection authority installed in August 2022 under Law No. 18-07, which intersects with cybersecurity through data breach notification and privacy-by-design requirements.

What is still missing is the connective tissue between these nodes — the structured, real-time mechanism for threat intelligence to flow between organizations, between sectors, and between government and the private sector.

The Case for Threat Intelligence Sharing

Threat intelligence sharing is not an abstract concept. It has a precise operational definition: the structured exchange of indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), vulnerability disclosures, and incident context between organizations facing common adversaries.

When it works, the economics are compelling. A single security analyst at one Algerian bank who identifies a new phishing domain targeting Algerian financial institutions generates intelligence that, if shared immediately, protects every bank in the country. Without sharing, each of those banks must independently discover and analyze the same threat — multiplying response time, cost, and the window of vulnerability. In a country facing a documented cybersecurity talent shortage, sharing intelligence effectively multiplies the value of every security professional.

The international model for this is the ISAC — the Information Sharing and Analysis Center. In the United States, ISACs began forming in 1999 following Presidential Decision Directive 63 (PDD-63), which mandated public and private sectors share information about cybersecurity threats. Today, ISACs operate in virtually every critical sector: financial services (FS-ISAC, founded 1999), energy (E-ISAC), healthcare (H-ISAC), aviation (A-ISAC), and more than a dozen others. These are sector-specific organizations where competitors share threat data under structured agreements that protect proprietary information while enabling collective defense. FS-ISAC alone now has over 5,000 member firms across more than 75 countries, representing $100 trillion in assets. When one member detects a new banking trojan variant, the indicator is distributed to all members within minutes.

Europe follows a similar model through ENISA (the European Union Agency for Cybersecurity), which coordinates threat intelligence across 27 member states and maintains the EU’s vulnerability database and threat landscape reports. CISA (the Cybersecurity and Infrastructure Security Agency) in the United States operates real-time threat sharing with the private sector through its Automated Indicator Sharing (AIS) program, a free service using STIX/TAXII standards that was certified in March 2016 under the Cybersecurity Information Sharing Act of 2015.

Algeria has no equivalent structure. No sector-specific ISAC exists for banking, energy, telecom, or government. No automated indicator sharing system connects organizations. Each security team operates as an island, duplicating effort, missing threats that a neighbor has already detected, and losing institutional knowledge when analysts change positions.

CERIST as the Natural Anchor

If Algeria is to build a national threat intelligence sharing platform, CERIST (the Centre de Recherche sur l’Information Scientifique et Technique) is the natural anchor institution. CERIST already hosts DZ-CERT, Algeria’s computer emergency response team, which collects and disseminates threat intelligence to both public and private sector entities. It manages Algeria’s Academic and Research Network (ARN) and the .dz domain registry through NIC.DZ — a role it has held since the introduction of Internet in Algeria in 1994. It maintains active cybersecurity research labs with partnerships across Algerian universities — USTHB, ESI, University of Constantine 2, and University of Batna 2.

CERIST’s existing mandate, infrastructure, and institutional relationships — including proximity to Cyberparc Sidi Abdellah and its innovation hub ecosystem — position it to evolve DZ-CERT from a reactive incident response team into a proactive threat intelligence sharing hub — one that aggregates indicators from across Algerian organizations, enriches them with analysis, and distributes actionable intelligence back to member organizations in near-real-time. DZ-CERT’s membership in international networks like FIRST and AfricaCERT provides ready channels for cross-border intelligence exchange.

The technical standards already exist. STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) are the international standards for machine-readable threat intelligence sharing, now managed under OASIS and used by ISACs, CERTs, and security vendors worldwide. Open-source platforms like MISP (Malware Information Sharing Platform), developed by CIRCL Luxembourg and used by NATO, CERT-EU, and more than 6,000 organizations globally, provide the infrastructure for threat intelligence sharing at low cost. Algeria does not need to build from scratch — it needs to deploy existing tools and create the governance framework for organizations to contribute and consume shared intelligence.

Open Innovation Models Already Emerging

The broader open innovation ecosystem in Algeria is beginning to produce cybersecurity-relevant initiatives, even if they are not explicitly framed as threat intelligence sharing.

Bug bounty programs represent the most direct application of crowdsourced security. While no major Algerian organization has launched a formal public bug bounty program, informal vulnerability disclosure is happening — Algerian security researchers identify and report vulnerabilities in domestic systems, sometimes through channels like Shellmates (ESI’s cybersecurity club, founded in December 2011 as OWASP Student Chapter Algeria) and BSides Algiers, which Shellmates has organized since 2012. Formalizing this process would channel Algeria’s CTF talent — teams that rank among Africa’s best — into structured vulnerability discovery.

The UNDP Smart Energy Efficiency Innovation Challenge (December 2025 through June 2026), launched in partnership with APRUE, focuses on intelligent energy management and digitalization across Algerian infrastructure. While primarily targeting energy efficiency, its emphasis on automation and smart grid management inherently intersects with cybersecurity requirements for critical infrastructure protection. The National Hackathon for Vocational Formation, launched by the Ministry of Formation and Vocational Education, features dedicated tracks for AI, cybersecurity, and Industry 4.0, attracting hundreds of participants from across Algeria’s 37 wilayas. These hackathons create environments where cross-disciplinary teams tackle security challenges.

Programs like AOIP and Hadina Tech’s open innovation initiatives show that Algeria’s startup ecosystem is ready to collaborate across institutional boundaries. These initiatives are valuable but fragmented. What they lack is the institutional framework that connects hackathon outputs, vulnerability discoveries, and research findings to operational cyber defense. The gap between producing a winning CTF team and producing a national threat intelligence feed is not talent — it is infrastructure and governance.

Regional Models Worth Studying

Algeria does not need to look only to the US or EU for models. Closer to home, Morocco operates maCERT under the DGSSI (Direction Generale de la Securite des Systemes d’Information), with activities that began in 2010, coordinating threat intelligence sharing across government and critical infrastructure operators. Tunisia’s ANSI (Agence Nationale de la Securite Informatique), established in 2004, ran tunCERT with structured relationships to international CERT networks — though Tunisia has since transitioned to a new National Cybersecurity Agency (ANCS) in 2023, reflecting the evolving nature of institutional cyber defense. Both countries have been ahead of Algeria in operationalizing cross-sector threat intelligence sharing, despite having smaller digital economies.

Singapore’s Cyber Security Agency (CSA) provides another model of public-private collaboration: real-time threat sharing with the private sector through its SG Cyber Safe programme, channeling academic research from the National University of Singapore’s Crystal Centre into operational capability. The structural logic — government coordinates, private sector contributes, academia enriches — is directly applicable to Algeria’s context, where ASSI, CERIST, and ESI already occupy analogous roles.

For Algeria, the path forward would combine policy frameworks with practical deployment: CERIST-hosted sector-specific sharing communities for banking, energy, and telecom; a MISP instance for automated indicator sharing; and formal agreements that protect contributing organizations from liability while mandating participation for entities designated as critical infrastructure under the National Cybersecurity Strategy.

For a broader perspective on how Algeria’s largest companies are structuring their engagement with the innovation ecosystem, see Corporate Open Innovation in Algeria.

Sources & Further Reading

• Algeria Adopts 2025-2029 National Cybersecurity Strategy — We Are Tech Africa
• Algeria Orders Cybersecurity Units in Public Sector Amid Surge in Cyberattacks — Ecofin Agency
• Algeria Strengthens Cybersecurity Framework to Protect National Infrastructure — TechAfrica News
• DZ-CERT — Algeria Computer Emergency Response Team — CERIST
• Cybersecurity and Governance — The State of Software Engineering in Algeria
• MISP — Open Source Threat Intelligence Platform
• FS-ISAC — Financial Services Information Sharing and Analysis Center
• ENISA — European Union Agency for Cybersecurity
• CISA Automated Indicator Sharing (AIS)