GDPR-compliant and practical way to share threat intelligence across jurisdictions.
Mansfeld-Südharz, Germany - November 22, 2025
The paradox is raw and stubborn: an IP address that saves a factory in Bitterfeld can betray a citizen in Bratislava if it is stored longer than law allows. Solving that contradiction became the design brief for the Cyber Resilience Alliance Threat-Intelligence Sharing Framework, a set of protocols, contracts and code that turns the county into a federated sensor grid without turning Europe into a surveillance continent. The specification is short enough to fit on thirty pages, but every clause is hardened by two years of pre-negotiation with data-protection authorities in three member states and by a running pilot that has already exchanged 1.4 million indicators of compromise while recording zero personal-data breaches. The result is not another shiny portal promising “community” but a mechanical contract that even the most cautious county CIO can sign without hiring outside counsel, because the liability paths have been pre-cleared and the cryptography is mandatory, not optional.
The architecture begins with separation of value from identity. Raw network logs arrive at the local node—say, a 200-employee packaging plant—as pcap fragments that still contain internal MAC addresses, user-agent strings and the occasional plaintext URL containing order numbers. Those fragments are hashed with a keyed-blake3 function that uses a daily secret generated inside the county’s hardware security module; the key never leaves the HSM and is erased after twenty-four hours. What emerges is a 256-bit pseudonymous token that can still be correlated inside the plant for incident investigation but is meaningless to any other participant. Only after that one-way transformation is applied does the pipeline extract the observable: file hashes, destination IPs, TLS certificate serial numbers, SMTP banner strings. The observable is then wrapped in a STIX 2.1 bundle that carries a data-classification label generated by an onboard policy-as-code evaluator. If the label is GREEN (no personal data detectable) the bundle is pushed to the federation message bus within 200 milliseconds; if the label is AMBER (possible personal data) the bundle is queued for human release by the plant’s data-protection officer who has a four-hour SLA before automatic expiry. RED bundles are never transmitted; they stay local and are deleted after thirty days. The three-colour schema is published as a recommendation of the Landesbeauftragte für Datenschutz Sachsen-Anhalt, so adoption is legally shielded as “state of the art” rather than experimental.
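The pseudonymise-then-classify step described above, as an added illustration rather than the Alliance's own code: keyed BLAKE2b from the Python standard library stands in for keyed BLAKE3, a constant stands in for the HSM-held daily secret, and the colour rules are constructed for the example, since the page defines only what GREEN, AMBER and RED mean.

```python
import hashlib
import ipaddress
import re

# Constructed master secret. In the framework the daily key is generated inside the county HSM
# and erased after 24 h; deriving it from a constant is an assumption so the example runs offline.
MASTER_SECRET = b"constructed-master-secret-not-for-production"
IDENTITY_FIELDS = ("src_mac", "user_agent", "url")                          # hashed before extraction
OBSERVABLE_FIELDS = ("file_sha256", "dst_ip", "tls_serial", "smtp_banner")  # the shareable observables
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def daily_key(day: str) -> bytes:
    """Derive the day's 256-bit key (day as ISO date). Keyed BLAKE2b stands in for keyed BLAKE3."""
    return hashlib.blake2b(day.encode(), key=MASTER_SECRET, digest_size=32).digest()

def pseudonymise(value: str, key: bytes) -> str:
    """One-way 256-bit token: correlatable inside the plant for one day, meaningless to other nodes."""
    return hashlib.blake2b(value.encode(), key=key, digest_size=32).hexdigest()

def classify(observable: dict) -> str:
    """Constructed stand-in for the policy-as-code evaluator; only the colour semantics are the page's."""
    if "dst_ip" in observable and any(ipaddress.ip_address(observable["dst_ip"]) in n for n in RFC1918):
        return "RED"     # internal destination: ties back to pseudonymised hosts, stays local
    if EMAIL_RE.search(observable.get("smtp_banner", "")):
        return "AMBER"   # free text that may carry a person's address: DPO release within 4 h
    return "GREEN"       # no personal data detectable: push to the federation bus

def process_fragment(fragment: dict, day: str) -> dict:
    """Hash identity fields, extract observables, label them, decide whether the bundle leaves the node."""
    key = daily_key(day)
    local_record = {f: pseudonymise(v, key) if f in IDENTITY_FIELDS else v
                    for f, v in fragment.items()}
    observable = {f: fragment[f] for f in OBSERVABLE_FIELDS if f in fragment}
    label = classify(observable)
    bundle = {  # minimal STIX 2.1 bundle; the label rides along as a custom x_ property
        "type": "bundle", "id": "bundle--constructed-example",
        "objects": [{"type": "observed-data", "spec_version": "2.1",
                     "x_cra_classification": label, "objects": {"0": observable}}],
    }
    return {"label": label, "transmit": label != "RED", "local": local_record, "bundle": bundle}

if __name__ == "__main__":
    sample = {"src_mac": "00:11:22:33:44:55", "user_agent": "Mozilla/5.0 (constructed)",
              "url": "http://shop.example/order?id=4711", "file_sha256": "aa" * 32,
              "dst_ip": "203.0.113.9", "smtp_banner": "220 mail.example ESMTP ready"}
    print(process_fragment(sample, "2025-11-22")["label"])   # GREEN
```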
Transmission itself is double-wrapped. The inner envelope is a JSON Web Token signed with the sender’s hardware-backed ECDSA P-384 key; the outer envelope is a Noise Protocol XX handshake that provides forward secrecy and mutual attestation between nodes. The combination means that even if a future quantum computer later cracks the outer layer, the inner signature remains valid and non-repudiable, while the forward secrecy guarantees that past traffic cannot be retroactively decrypted if one node is compromised. All keys are rotated every eight hours through a hash-chain that is anchored in the county’s RPKI certificate, creating a temporal firewall that matches the legal retention floor of six hours and the ceiling of twenty-four. The pipeline runs over a dedicated VLAN inside the municipal fibre network, but the cryptography is path-agnostic; a node that temporarily falls back to a commercial ISP still cannot leak plaintext. The first external audit by TÜV Saar found zero critical findings and only two moderate observations, both related to documentation wording rather than cryptographic design.
Federation governance is where law meets code. Every participant signs a two-page Data-Sharing Agreement that incorporates the EU Cybersecurity Act, the NIS2 directive and the GDPR’s Article 6(1)(f) balancing test. The agreement is machine-readable: clauses are expressed as JSON-LD objects that can be evaluated by the same policy-as-code engine that classifies bundles. If a new member wants to share IoCs but withhold file hashes from certain sectors, the reservation is written as a Rego snippet and uploaded to the shared policy repository; within five minutes all upstream nodes automatically enforce the restriction without manual ticket handling. The legal text and the code artifact share the same Git commit hash, creating an evidentiary trail that auditors adore and lawyers can actually read. Breach remedies are equally automated: if a node violates retention time, the smart-contract layer suspends its signing certificate and broadcasts a CRL update to the federation within ninety seconds, effectively quarantining the offender without human drama. The first real-world invocation happened in August when a test site in Graz accidentally retained a hash for 26 hours; the system self-quarantined, the Graz administrators received a push-notification explanation, and normal traffic resumed 14 minutes after the offending bundle was purged. No lawyers were consulted, no press releases were drafted, yet the compliance event was logged immutably for the annual DPIA report.
"Share the threat, not the identity—if the packet can’t be hashed, it doesn’t leave the county."
To avoid the “federation of one” problem, the framework mandates reciprocal value. Every node must contribute a minimum of 500 qualified IoCs per month or provide an equivalent service—sandbox time, threat-hunt hours, or curriculum material—for the common pool. Contribution volume is public; quality is scored by a reputation engine that weighs age, rarity, and confirmation speed. A node that only consumes high-fidelity IoCs without feeding fresh telemetry sees its reputation decay until its query rate is throttled, a gentle economic nudge that prevents free-riding without excluding smaller municipalities that may lack sensors but can still supply curated incident notes. The reputation score is also used when allocating grant money: counties above the 75th percentile receive accelerated reimbursement from the EU Cyber-Shield fund, turning good federation citizenship into hard currency. Since the scoring algorithm is published under an open-source licence, participants can audit the maths rather than speculate about favouritism, a transparency feature that has already convinced six additional counties to join the pilot instead of building isolated SOCs.
The final safeguard is temporal hygiene. All shared IoCs carry a sliding expiry bit that ranges from six hours for raw IPs to ninety days for hash values of rare binaries. Once the expiry bit fires, the observable is overwritten with a random nonce and the original bytes are irretrievably lost; not even a backup remains. The mechanism is enforced by the same HSM that handles key rotation, so no administrator can extend retention by tweaking a database field. The policy sounds draconian until one remembers that the goal is not archival intelligence but real-time defence: if an indicator is still relevant after expiry, it will reappear naturally in fresh traffic and can be re-shared under a new pseudonymous token. This philosophy aligns with the GDPR’s storage-limitation principle and has the pleasant side effect of keeping the federation database lean enough to fit on a single NVMe server, cutting hosting costs by 80 % compared to traditional SIEM warehouses. Lean storage also means lean legal risk: when a data subject requests erasure under Article 17, the framework can certify that no personal data ever left the originating node and that any residual observable has already been cryptographically shredded. The first such request arrived last month from a Bratislava IP owner; compliance was achieved in 38 minutes without touching a backup tape, a response time that even the most privacy-sceptic auditor found acceptable.
What emerges from these layers is not a starry-eyed community of trust but a mechanical conveyor that moves threat knowledge faster than adversaries can pivot while leaving personal data exactly where the law wants it: at home, hashed, time-locked and lawyer-proof. The conveyor is now ingesting 19 000 events per hour across twelve nodes, yet the privacy ombudsman of Saxony-Anhalt has received zero complaints and the European Data Protection Board has listed the framework as a reference implementation in its forthcoming guidance on NIS2 data sharing. That silence is the sound compliance makes when cryptography and contract law are engineered to sing the same note.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.