Can State’s New Cyber Bureau Hack It?
The U.S. State Department is working to stand up a new cybersecurity bureau, but it's hobbled by debates with lawmakers on its purpose and mandate.
The U.S. State Department is expected to stand up a new cybersecurity bureau this year as the government grapples with expanding foreign cybersecurity threats, according to current and former officials familiar with the plans. But the scope of that body’s work remains unclear amid squabbles with Capitol Hill over its responsibilities.
At a time when the United States and its adversaries are making major investments in offensive hacking capabilities, current and former officials say the bureau would fill a gap in the U.S. government’s diplomatic abilities.
The roll-out plan for the bureau is still forthcoming, according to a State Department spokesperson. The spokesperson confirmed the new bureau will be run by an ambassador-at-large for cyberspace security and emerging technologies.
Without a full-fledged unit inside the State Department devoted to the subject, current and former officials fear that Washington is neglecting a key issue that is expected to play a major role in international relations.
“It is the area where our adversaries are not only choosing to confront the United States the most, but also drawing the most blood,” said Jason Healey, a former White House official on cybersecurity under President George W. Bush now at Columbia University’s School of International and Public Affairs.
President Donald Trump’s administration has taken a hard line on cybersecurity issues, issuing indictments and imposing sanctions on hackers alleged to be working on behalf of the Chinese government and loosening Barack Obama-era rules on carrying out offensive cyberattacks.
The White House has accused Beijing of stepping up its campaign of stealing American intellectual property in a bid to boost domestic firms, an issue that U.S. negotiators are attempting to address as part of talks aimed at ending a tit-for-tat trade war between the two countries.
Amid this growing confrontation over issues in cyberspace, American diplomats working on cybersecurity have been hamstrung by a lack of authority and resources at a time when U.S. adversaries are stepping up their efforts in this space. China and Russia are increasingly using their diplomatic clout to dictate the direction of internet governance bodies, and critics of the Trump administration argue that it has been lagging in its diplomatic approach on the issue.
As the administration has downplayed the importance of multilateral bodies, China, for example, has tried to use its growing clout in United Nations bodies to advance its vision of a more highly regulated internet, as Foreign Policy reported in 2017. Beijing views the open internet as a security threat and has tasked its diplomats with advancing efforts to regulate online speech.
Former Secretary of State Rex Tillerson rolled out plans to downgrade the department’s existing office that coordinated cybersecurity issues in 2017 (and the coordinator for cyber issues left the department), in a move cybersecurity experts and former officials decried as short-sighted. In apparent response to the criticism, Tillerson reversed course shortly before his firing last March, telling lawmakers a year ago that he had plans to create a new bureau on cybersecurity.
His successor, Mike Pompeo, signed a memo last summer that would have re-established the bureau under the undersecretary of state for arms control and international security, according to current and former officials. But since then, the officials say, the issue has been beset by delays as top diplomats and lawmakers debate where in the department to place the bureau and what exactly the bureau’s mandate should entail. The ongoing government shutdown, now nearing its fourth week, could further delay the rollout.
One State Department official said the bureau is still expected to be overseen by the undersecretary for arms control and international security, to emphasize its focus on national security issues. But others, including lawmakers, have pushed for the bureau to report to the undersecretary of political affairs, the department’s third-ranking official, and focus more on political priorities relating to cybersecurity.
In January 2017, the House of Representatives passed legislation that would have established the Office of Cyber Issues in the State Department, located that office under the undersecretary for political affairs, and consolidated all of the department’s work on cybercrime, internet freedom, deterrence, and cyberdiplomacy.
But that legislation stalled in the Senate, and Pompeo now appears to be moving toward establishing the bureau under the jurisdiction of his department’s arms control experts.
What appears as an internecine bureaucratic fight is in reality a conflict over the bureau’s priorities and whether the coming cybersecurity body will address more than just the hard security issues in cyberspace, such as the launching of offensive cyberattacks.
The State Department spokesperson said “the new bureau will be the lead for developing and implementing policies and conducting outreach designed to enhance the security of international cyber-enabled infrastructure.”
While the development of frameworks governing the use of offensive cyberattacks represents a key diplomatic issue, economic and human rights questions are also important. Policies governing the use of encryption have implications for online global commerce, which is made possible by the use of widespread encryption. The internet human rights agenda is another fraught area, as authoritarian states seek to clamp down on the open web as a tool of dissent and civic organizing.
The State Department spokesperson said there is a “strong rationale” for placing the bureau under the under secretary for arms control and international security, to “effectively deter and neuter threats to cyberspace…in conjunction with tactics leveraged by the Department of Defense and intelligence community.”
Regardless of where the bureau is placed, it is expected to also be tasked with building up the cybersecurity capacity of developing countries’ governments to improve internet security worldwide, according to one official.
Placing the bureau under the department’s arms control wing would place an emphasis on these hard security questions in cyberspace and possibly cause the department to neglect the economic and human rights dimensions of cyberdiplomacy, said Chris Painter, the State Department’s former cyber coordinator.
The State Department spokesperson pushed back on this criticism, saying: “The new bureau’s coverage of cybersecurity issues will be comprehensive to include coordinating department and administrative positions on cyber security matters that involve human rights and economic issues.”
Still, Painter welcomed the move to re-establish a division within the department devoted to cybersecurity issues.
The bureau is expected to employ roughly 80 people, the current and former officials say. About half will be current State Department employees recruited from other bureaus. The other half will be new hires.
The department’s bureau of economic and business affairs will still manage issues related to the economic and commercial side of cybersecurity. Robert Strayer, a former Republican Senate aide, manages those efforts as a deputy assistant secretary.
Officials said he is on the shortlist to run the new bureau.
Update, Jan. 23, 2019: This article was updated to include comments from a State Department spokesperson on the new cyber bureau, including details on the head of the new bureau’s title, where the bureau will be placed within the department, and its emphasis on human rights and economic issues.
Correction, Jan. 23, 2019: This article originally misstated that the office of the coordinator for cyber issues was closed. Former Secretary of State Rex Tillerson planned to close the office, and while the coordinator left his position and experts widely agree the office was downgraded, it did not close.
Robbie Gramer is a staff writer at Foreign Policy. @RobbieGramer