The uphill battle to relaunch State Department’s cybersecurity policy office
Be it through legislation or some internal decree, restoring the State Department’s cybersecurity policy office to a prominent place in the agency can’t come soon enough for advocates of U.S. digital diplomacy.
Analysts and former government officials say U.S. leadership in shaping international behavior in cyberspace has stalled at a time when nation-state hacking groups are flexing their muscles.
“I worry about a gap that leaves allies wondering and adversaries savoring the chance to take advantage of the perceived lack of U.S. leadership,” Christopher Painter, State’s former cybersecurity coordinator, told CyberScoop. “When you have diminished resources [and] when you have uncertainty, inevitably that causes some loss of momentum.”
In the eight months since former Secretary of State Rex Tillerson said he would downgrade the department’s cybersecurity office, the United States has blamed North Korea for the destructive WannaCry ransomware attack, indicted Iranian hackers for terabytes’ worth of intellectual property theft, and sanctioned Russian oligarchs for alleged malicious cyber activity.
There were diplomatic considerations to each of those actions. During that time, however, the State Department has lacked a top-level official empowered to tackle multi-faceted cybersecurity issues in the way Painter was.
During Painter’s tenure, the State Department stepped up its cybersecurity diplomacy through a flurry of activity, from bilateral dialogues with countries like Germany and Japan, to multilateral work in Asia, to “capacity-building” measures to help countries fight cybercrime.
That work continues through officials like Deputy Assistant Secretary Robert Strayer, and Painter said his former colleagues at the department are “doing everything they can” to keep momentum going on those issues. That task is nevertheless more difficult without a senior official who has the close ear of the Secretary of State.
In August, Tillerson said he was abolishing the cybersecurity coordinator position and placing its supporting staff under the department’s economic bureau. In February, in an about-face of sorts, Tillerson proposed setting up a Bureau for Cyberspace and the Digital Economy headed by a Senate-confirmed assistant secretary. That new office would still reside under the department’s economic bureau, something critics say doesn’t account for the cross-sector nature of cybersecurity.
Lawmakers and former U.S. officials say the uncertainty surrounding State’s cyber portfolio sends the wrong message to the world about U.S. willingness to shape international behavior in cyberspace.
“The United States is not working closely enough with likeminded governments to deter adversaries from stealing secrets or undermining an open and interoperable internet,” Rep. Eliot Engel, D-N.Y., said in February.
Engel is co-sponsor of a House bill governing State Department policy that would establish an Office of Cyberspace and the Digital Economy with a similar mandate to Painter’s old office. The head of the new office would be a Senate-confirmed ambassador who reports to the undersecretary of State for political affairs or an even higher-ranking official.
Hacking Still Pays
A top agenda item for a reinvigorated approach to cyber diplomacy from the State Department could be building support for applying international law in cyberspace. When Painter was cybersecurity coordinator, the State Department pushed for such a norms agreement through the United Nations Group of Governmental Experts (GGE). But those talks collapsed last June amid reported acrimony between the United States, Russia, and others over the right to self-defense in cyberspace.
Analysts say some sort of dialogue should be revived to set parameters for nation-state hacking.
“We need to figure out ways of engaging with the Russians and Chinese on these discussions or at least signaling what the U.S. priorities are,” Adam Segal, director of the Council on Foreign Relations’ Digital and Cyberspace Policy Program, told CyberScoop.
A barrier to any agreement on cyber norms is that most countries want to be able to conduct cyberattacks whenever it is in their interest, Michael Sulmeyer, a former top cybersecurity official in the Office of the Secretary of Defense, told CyberScoop. “For better or worse, I think most countries still believe that hacking still pays.”
“The language around norms has become so loose that I think other governments have started to cloak what are their interests as norms,” Sulmeyer added.
Sulmeyer and Segal said the Trump administration might be more amenable to working bilaterally or with a small group of allies in cyberspace than through a broad coalition of countries. The U.S. and U.K. governments teamed up last month to blame Russia-backed hackers for a coordinated campaign against internet traffic routers. A next step to that sort of attribution might be to work with allies to publicly articulate acceptable behavior in cyberspace, according to Segal.
It’s an open question as to what particular course a new State cybersecurity office would chart. One factor will be prioritization of the issue in the Trump administration as a whole. The White House itself is in need of a new cybersecurity coordinator with Rob Joyce soon stepping down.
In a statement to CyberScoop, a State Department spokesperson said: “The department continues to engage with allies and other counterparts on difficult cyber issues both bilaterally and in regional and international organizations, including implementing strategic cyber capacity building programs.”
If the State cyber office mandated in the House bill gets established, the House Foreign Affairs Committee will be keen to see if the office sets a new strategy for international engagement in light of the collapse of the UN GGE talks, a committee aide told CyberScoop.
The success of any new office will depend on the level of support new Secretary of State Mike Pompeo gives it, Painter said. Pompeo’s prior experience as CIA director and a congressman on the House Intelligence Committee indicates he will prioritize cybersecurity more than Tillerson did, according to Painter.
In an April confirmation hearing, Pompeo pledged to commit robust resources to cybersecurity at State while saying he hadn’t yet given much consideration to who might fill State’s top cybersecurity position.
“I can only say that every element of government has a piece of its cyber duty,” Pompeo told lawmakers. “It’s one of the challenges, is that it’s so deeply divided that we don’t have a central place to do cyber work.”
“At the CIA, we spent a great deal of resources,” he continued. “I hope we’ve delivered value on our cyber efforts. I would hope to do the same thing at the State Department.”