Four Opportunities for State’s New Cyber Bureau

In 2017, the Trump administration eliminated the position of cybersecurity coordinator at the White House and closed the cyber coordinator office at the State Department. As one of us previously wrote, this was a decision that undoubtedly harmed the United States’ ability to preserve a global and open internet and promote democratic norms around technology writ large. But now, the State Department is reportedly standing up a new cybersecurity bureau. The exact details and timeline are still unclear, but a spokesperson has at least clarified it will be run by “an ambassador-at-large for cyberspace security and emerging technologies.” Leaders of the House Foreign Affairs Committee have also introduced a Cyber Diplomacy Act that would create a cyber diplomacy office at State, slightly modifying a bill from last year.

The State Department already does great things on cybersecurity. Robert Strayer, the lead for cyber policy at State, spent most of his October and November on the road at places like the International Telecommunications Union (ITU)’s Plenipotentiary, putting out fires and averting potential crises. The Department’s group punches well above their weight in the capacity-building conversation at the Global Forum on Cyber Expertise and elsewhere. In the past, the Department has been instrumental in the processes around the UN Group of Governmental Experts, where global cyber norms are discussed.

Nonetheless, more resources for the Department would be a good thing. In addition to continuing their steady state, they’ll be in a position to boost their efforts in other, important areas. Here are four opportunities we see for the new bureau moving forward.

1) Clarify our messaging around a global and open internet, and around uses of technology in society writ large.

We’ve written in the past about the inherent contradictions of the foreign policy around the free, open, interoperable, secure, and resilient internet. One of the first opportunities for the new bureau is to clarify the U.S.’ foreign policy messaging around cyber issues. Though apparently superficial, getting messaging right—and consistent with our own actions—is crucial.

The United States and allies like the United Kingdom, Australia, Canada, and many in the EU have aligned themselves relatively clearly with the ideals of a global and open internet. A global and open internet is consistent with our liberal-democratic values.

China, Russia, Iran, Turkey, the UAE, and others have, on the other hand, aligned themselves with a sovereign and controlled model for their portion of the internet. China in particular has championed government control of internet gateways, content censorship, and largely uninhibited state influence over other architectural elements of the internet in its borders. This design for the internet is more aligned with the needs of governance structures where power is tightly held and concentrated.

Yet many countries around the world have not yet gravitated towards one or the other of these models. In this global battle for cyberspace itself, we have identified a group of countries whose approach to internet governance deserves further attention. The direction of these countries over the next few years will be a good indicator for how this competition for cyberspace is unfolding.

State’s new cyber bureau has an opportunity to directly engage with these countries. An internet that is global and open is a major economic booster, interconnecting industries around the world. On the other hand, internet blackouts hurt a nation’s economy, and setting tight rules around internet content, which social media services are allowed, and how much internet bandwidth costs depending on the site all hamper the level to which citizens can engage with the global economy, and the level to which multinational corporations can engage with a country. State should emphasize this fact. But before the U.S. is ready to lead on this front, the new bureau will be in a position to lead on clarifying our and our allies’ messaging and present viable, secure alternative models to heavy state control a la Russia and China.

2) Bring sense to the conversation around international cyber conventions.

Although Microsoft’s Digital Geneva Convention (DGC) campaign and the accompanying Paris Call have been making waves recently, the idea of a global cyber convention isn’t novel. The idea picked up steam following a speech from Brad Smith, the President of Microsoft, at RSA. And it doesn’t look like an issue that’s going away anytime soon.

Increasingly, commentators are writing about the potential merits of a convention, probably at the United Nations, and high-level officials are doing the same through comment. Part of the popular refrain is that cyberspace is bereft of laws to govern its use, and proponents of the new DGC and associated proposals argue that global cyberspace is currently unstable and a global convention would help to curb malicious cyber offensive behavior that contributes to this instability. But for all those that lament the “lack of rules” in offensive cyber, there are still incentives to exercise restraint, and governments from the U.S. to China have already agreed that international law applies to cyberspace.

The risks associated with a new convention are numerous and merit greater exploration. As governments have already agreed that international law already applies to cyberspace, any new convention would need to be crafted carefully so as to not undermine extant law.

In addition, a second big risk is political. Chinese and Russian diplomats have long promoted the narrative that the internet is insecure and leads to security issues, and so governments needs to tightly control it. For the better part of a decade, proposals for a new cybersecurity convention have been associated with the Russian and Chinese proposals for an international code of conduct—a thinly veiled attempt to provide international top cover for rampant censorship and repression online. Any global convention on cyberspace or cybersecurity would need to meticulously narrow the definition of cybersecurity to fit with the Western definition but exclude the Chinese and Russian conceptualization. If the convention is meant to be global, that definition would then have to be agreeable to the governments in Moscow and Beijing.

The response to the DGC proposal shows that Microsoft has clearly struck a chord. Countries are keen to engage on the issue of cyber stability. There is now enthusiasm to do something in the space, and the new bureau has an opportunity to channel that enthusiasm in a way that gives us the outcomes we want.

3) Communicate the stakes (and special interests at play) at standards bodies.

For a long time, technical standards bodies have claimed to be apolitical spaces where scientists come together to solve technical challenges. Today, they risk becoming an arena for political competition between internet powers, but the U.S. should do everything in its power to both communicate the political nature of standards decisions and reverse the trend of bodies’ politicization. Some of our main competitors are clearly approaching these standards processes more strategically. The U.S. government needs to do so as well, and the new bureau at State would be well placed to contribute to an interagency process to align our participation with our goals. The Department of Commerce is, of course, an important player in this space, and any activity from the new bureau should complement ongoing work. But for a country that has long emphasized the value of relative openness, global connectivity, security, and interoperability on the global internet, it’s imperative the United States bolster its engagement in these international forums.

Countries around the world with very different views of how the internet should be architected and run are becoming increasingly involved at standards bodies. China has been particularly active in this space, generally boosting its influence while also pushing standards that favor its vision of a tightly controlled internet at places like the International Telecommunications Union (ITU), 3GPP, and the Internet Engineering Task Force (IETF). While these developments are not necessarily negative—and it’s unclear whether Chinese influence in standards bodies will make for better or worse standards—they are worth the attention of the new bureau.

At the ITU, for instance, where 5G and AI standards are hotly debated, a Huawei executive chairs the study group tasked with developing 5G standards. At 3GPP, which has released the first set of 5G standards, an executive from the state-owned China Mobile Communications Corporation serves as vice-chairman of the group developing 5G standards, though the likes of Nokia and Ericsson also have employees in chair positions. At the IETF, where standards on a slew of internet-related technologies—but particularly those relevant to the protocol portion of the internet—are developed, China has gone from a near non-participant in the late 2000s to the second largest country of origin for requests for comments and drafts (the mechanisms through which standards processes are started at the IETF) over the last year.

The most recent Worldwide Threat Assessment notes that our global competitors have clearly realized the strategic importance of global technology standards. The new cyber bureau at the State Department could be in a position to help lead the U.S. government’s response to the growing challenge.

4) Build cybersecurity capacity.

The last few years have seen an awakening, of sorts, pertaining to the need to build better cybersecurity capacity around the world. Cyber threat actors sit at home and conduct crimes thousands of miles away with relative ease. In parts of the world, governments are incapable of dealing with threats emanating from within their borders. The State Department already has a team doing a lot of work on cybersecurity capacity-building, like the Digital Connectivity & Cybersecurity Partnership, but a new bureau will be in a position to do far more to support that activity.

In addition, a new bureau could be in an outstanding position to catalyze action from potential partners. For example, not enough is being done by the development community—whether public actors like the World Bank and USAID or private investors in emerging markets—to ensure that, as countries in the global south digitize their economies, governance, and societies, they do so in a way that ensures resilience and sustainability. State could also multiply its efforts by leading engagement with other federal agencies. The Department of Homeland Security has long led on building computer security emergency response capacity around the world; Commerce’s National Institute of Standards and Technology (NIST) and National Initiative for Cybersecurity Education (NICE) both possess unique expertise that could be leveraged internationally to build partner capacity.

The U.S. could be a leader in catalyzing and organizing action from these communities, and a new bureau would be well-placed to head that effort.