The rise of the internet and cyber technologies constitutes one of the central foreign policy issues of the 21st century.
BY CHRIS PAINTER
The internet and networked technologies have enabled amazing social and economic progress around the world. As new technologies come online and more people are connected around the world, the potential benefits of cyberspace seem boundless.
Yet at the same time, technical threats in cyberspace posed by state and nonstate actors have dramatically increased in both sophistication and number, and the potential and actual impact of those threats has grown exponentially. There are also serious policy threats to the very nature, structure and governance of the internet as we know it, including unprecedented attempts to undermine democratic processes and an increasing drive by repressive regimes to suppress and control online discourse and undermine internet freedom.
Against this sobering backdrop, the need for U.S. diplomacy, working in conjunction with other instruments of national power, is clear. Because cyberspace threats are almost always international, as is the technology itself, an unprecedented level of international coordination, engagement and cooperation is required both to counter threats and to embrace and drive the economic and social opportunities that cyberspace offers. This diplomatic effort must also be cross-cutting because security, economic and human rights issues in cyberspace are often interdependent.
To increase our focus and leadership on international cyber issues, the Office of the Coordinator for Cyber Issues at the State Department was created in 2011, and I was asked to serve as the first coordinator. Located within the Secretary of State’s office, it was the first of its kind anywhere in the world, and it literally created and advanced a whole new area of foreign policy focus that did not exist before. More than 25 countries have since created similar offices in their foreign ministries, and there is an expanding web of engagement on issues including international security, deterrence, combatting cybercrime, cybersecurity, promoting human rights online and internet governance. Moreover, there is an increasing demand by countries to discuss cyber issues as part of high-level ministerial and leader dialogues.
Although much progress was made in the last six years, the state of cyber diplomacy in the State Department is currently in flux. As an apparent part of a larger reorganization, my former office was downgraded in priority and structure, its future in doubt. This move, and the uncertainty it created, sent an unfortunate signal that the United States was abandoning its leadership role in this emerging area, both to the consternation of our partners and the delight of our adversaries.
Fortunately, in an apparent response to congressional legislation that would re-establish and strengthen my former office, the department announced in February its intention to create a new cyber bureau. That is a good step forward and hopefully a revised version of that plan will find favor with the new Secretary of State. But to be effective, such a bureau needs to be adequately resourced and placed in a cross-cutting reporting chain that accounts for all the issues in cyberspace. More than anything else, it needs to be made a clear priority of the department and the Secretary of State, something that was sadly lacking during the tenure of Rex Tillerson.
In the following, I briefly discuss the core components of cyber diplomacy and offer some thoughts on the way forward in this area.
Building Strategic Partnerships and Engaging Multilaterally. Just as in other diplomatic endeavors, cyber diplomacy works by building strategic partnerships with other countries around the world to enhance collective action and cooperation against shared threats, assembling like-minded coalitions on vital policy issues, sharing information and national initiatives and confronting bad actors.
During its first six years in operation, the Office of the Coordinator for Cyber Issues established numerous senior bilateral and multilateral partnerships and launched numerous “whole of government” cyber dialogues with countries around the world. These formal and informal dialogues discussed the full range of cyber issues and have translated into direct cooperation and common approaches in important multilateral venues. As we seek to advance common values, push back against repressive regimes and enhance collective action and deterrence, these partnerships need to be expanded and strengthened.
Nearly every formal and informal multilateral and regional body is now, in some capacity, focusing on cyber issues. These include multiple parts of the United Nations (including the International Telecommunication Union and Office on Drugs and Crime), the Organization for Security and Cooperation in Europe, Asia-Pacific Economic Cooperation, the Association of Southeast Asian Nations, the Organization of American States, the Group of 7 and the G-20. While these venues offer the opportunity for the United States and its partners to advance a common vision of cyberspace and implement important initiatives, they also pose a challenge, as nondemocratic countries try to use those same organizations to advance their own very different views of cyberspace.
So far, working with our partners, the private sector and civil society, we have generally been successful in advancing our agenda of an open and secure cyberspace and thwarting attempts by repressive regimes to impose state control over the internet or undermine security or human rights. Nevertheless, we are at an important moment; the debates and decisions made in these forums over the next several years will have a major impact on all of these issues for years to come.
Enhancing Cooperation, Collective Action, Incident Response and Capacity Building. Diplomacy plays an important role in directly responding to specific cyberthreats and laying the groundwork for better cooperation and action against future threats. For example, using the network of counterparts we built with other countries, the Office of the Coordinator for Cyber Issues used diplomatic demarches to seek the assistance of more than 20 countries when a persistent, Iranian-sponsored botnet targeted U.S. financial institutions. This collective action, where each country used its authorities and tools to help address a shared threat, proved very effective in mitigating the malicious activity.
Longer-term, high-level diplomatic pressure played a key role in addressing widespread trade secret and intellectual property theft by China. We worked with other countries that were victimized while also leading a sustained campaign of direct diplomatic engagement with Beijing. This diplomatic campaign, coupled with potential use of other instruments of national power, led to the negotiation of a landmark agreement with China that made clear that no country should use cyber means to steal the intellectual property of another to benefit its own commercial sector.
The State Department also has a vital role in facilitating law enforcement and technical cooperation. Part of this facilitation is incident-specific, while part involves working with countries to enhance their capabilities and laws so that they can better work to combat international threats.
Capacity building also is important in both enabling better cooperation and persuading other countries that our vision of cyberspace benefits and should be endorsed by them. For this reason, the Office of the Coordinator for Cyber Issues worked to create ambitious, cost-effective, capacity-building initiatives. These initiatives helped developing countries to enhance cybercrime-fighting capacity, create national cyber strategies and create institutional and other mechanisms to protect against cyberthreats. Given the global nature of cyberthreats, helping developing countries protect their own networks also increased the security of our networks. We also worked with countries as they developed their cybersecurity policies to ensure that they properly accounted for human rights and economic access concerns.
Longer-term, high-level diplomatic pressure played a key role in addressing widespread trade secret and intellectual property theft by China.
Advancing Strategic Policy and Building a Consensus for Global Cyber Stability. U.S. cyber diplomacy promotes and protects our core values of openness, internet freedom and multi-stakeholder internet governance—all of which have been threatened over the last several years. The United States is a founding member of the Freedom Online Coalition and has raised internet freedom and internet governance issues in virtually every diplomatic engagement.
Diplomacy must also be used to push back on flawed regulatory regimes or policies that serve to fragment the internet, undermining its social and economic potential. We have used diplomatic channels to challenge forced data localization regimes, ill-conceived cyber regulatory approaches and market access restrictions. Diplomacy also plays a vital role in ensuring the long-term stability of cyberspace itself in the face of increasing threats from nation-states and others, so that everyone can enjoy the benefits of cyberspace and no state has an incentive to engage in disruptive behavior.
As countries around the globe are developing, and in some cases using, offensive and other cyber capabilities, the lack of any clear consensus on acceptable state behavior in cyberspace poses substantial risks. To address this, the United States has led the development and promotion of a strategic framework of cyber stability that includes: (1) global affirmation of the applicability of international law to state activity in cyberspace; (2) the development of voluntary, nonbinding peacetime norms of acceptable state behavior; and (3) the development and use of practical confidence-building measures (CBMs) that serve to reduce the risk of misperception and escalation in cyberspace. The United States has had great success in promoting and achieving acceptance of this framework in forums around the world, including in the United Nations Group of Governmental Experts (UN GGE) on international cyber security (a series of expert forums), the North Atlantic Treaty Organization and the Organization for Security and Cooperation in Europe.
In 2013 several countries, including the United States, China and Russia, reached a landmark consensus that international law, including the U.N. Charter, applies in cyberspace. This means that cyberspace is not a “free fire” zone where no rules apply; rather, it is grounded in the same rules as the physical world. In 2015 the UN GGE recommended non-binding, voluntary norms of responsible state behavior. Under these peacetime norms, no state should attack the critical infrastructure of another state or its computer security incident response teams. States should also cooperate with requests for assistance in certain cyberattacks. The United States and China reached agreement on a theft-of-trade-secret norm that was later adopted by the G-20 and by other country bilateral agreements with China. The United States also made substantial progress within the OSCE in taking forward and implementing cyber CBMs.
While all of this represents significant progress toward achieving global cyber stability, there is much more to be done, and the head winds are stiff. The 2016 UN GGE ended in a stalemate, with some authoritarian regimes aggressively promoting their own vision of cyberspace that restricts openness, while some regimes are resisting necessary efforts to assess exactly how international law applies to cyberspace. There is an urgent need to build a broader consensus among countries on norms of behavior; much work is required to implement such norms; and, in addition, there will be significant effort ahead to further articulate how international law applies to cyberspace.
Deterrence. The United States has made significant progress in building an international consensus on what constitutes responsible state behavior in cyberspace, but that work is largely irrelevant if there are no consequences for those who violate that consensus. We have not done a very good job of deterring malicious actors—particularly nation-state actors. There are many reasons for this, including difficulties with attribution, a limited stock of potential consequences, and difficulties sharing information among partner countries.
Nevertheless, at the heart of deterrence is the threat of a credible and timely response to the transgressor. Failure to act in a credible or timely way signals to the adversary that their actions are acceptable—or at the very least cost-free. For example, the lack a sufficiently strong, timely and continuing response to Russian interference with our electoral process virtually guarantees that Moscow will attempt to interfere again, both in the United States and in other democratic countries. We must do better.
The lack of any clear consensus on acceptable state behavior in cyberspace poses substantial risks.
Diplomacy can and should play a vital role in this effort—it is one of the key tools in the tool kit of response options that also include law enforcement actions, economic sanctions and cyber and kinetic responses. We must continue to employ diplomacy effectively and work to enhance all of our existing response options. We must also work with like-minded partners and other stakeholders to develop creative new tools that can be used swiftly and later reversed to change an adversary’s behavior—expanding the tool set and communicating, as transparently as possible, the likely costs that will be imposed for bad behavior. And we must enhance collective action.
Although the United States reserves the option to act alone if it must, deterrence and legitimacy are better served when several countries band together against a bad actor. There is much diplomatic work to do in forming such an agile coalition of like-minded countries who can call out bad behavior and collectively impose costs on our adversaries. Such a coalition should be flexible and can involve different countries and different actions depending on the actor; but creating it, and solving information sharing and other issues, will require a significant diplomatic effort.
Mainstreaming Cyber Issues in the Department. Cyber issues are inherently cross-cutting, involving nearly every functional directorate and every regional bureau. Because they are relatively new, they still need to be worked into the efforts and priorities of regional bureaus and posts around the world. Accordingly, the Office of the Coordinator for Cyber Issues worked with the under secretary of State for political affairs to have each regional bureau, in consultation with the field, draft detailed cyber engagement strategies, raising the profile of these issues and prioritizing them according to the needs of each region. We also created and trained a cadre of cyber policy officers at posts around the world using the regional strategies as a basis for implementation. For the cyber issues office to thrive, it cannot be seen as a boutique or solely technical matter, but must be thought of instead as a core national security, economic and human rights issue that is part and parcel of the department’s work.
Although much has been achieved over the last few years in cyber diplomacy, there is a long road ahead. The work we do and the choices we make now and over the next few years will determine whether we can all benefit from this amazing technology, or whether growing policy and technical threats will undermine its incredible potential. Achieving the future we want will require continued high-level attention and a significant, sustained effort.
Diplomacy has and must continue to play a pivotal role— shaping the environment, building cooperation and working to build coalitions to respond to shared threats—and we must continue to lead the international community. Much needs to be done to advance stability and norms, bolster deterrence, respond to threats, build partnerships, uphold human rights online and advance fair economic access. Much more needs to be done, as well, to deal with existing and future hybrid threats— including combined cyber-enabled threats that attempt to undermine our democracy.
Achieving progress on these issues requires a recommitment by the State Department that cyber issues are a foreign policy priority for the Secretary of State. Creating a new bureau is a good first step, but that bureau needs to report through a high-level, neutral reporting chain—not one that only has a narrow perspective on the cross-cutting issues involved. Indeed, pigeonholing these issues in one functional chain—as the current department proposal suggests doing through the economic under secretary—would not give full voice to the important national security and human rights aspects of the portfolio. If anything, it would hamper efforts to mainstream these issues across the entire department. A commitment to these issues must also be backed up with adequate funding and resources. For example, capacity building funds have been zeroed out despite the dividends that even small expenditures have paid in bolstering our own security.
Cyber diplomacy is the quintessential 21st-century issue of our foreign policy, encompassing cutting-edge issues of human rights, security and economic policy. The United States virtually created this new field, and an ever-increasing number of countries have followed our lead. We should not stop now; instead we need to redouble our efforts. Too much time has already been lost.