Cyber Diplomacy Act aims to elevate America’s global cybersecurity standing

On February 23, 2021, a bipartisan group of leading Congress members introduced the Cyber Diplomacy Act of 2021. Jim Langevin (D-RI), Chairman of the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies, and Information Systems, and Republican Michael McCaul (R-TX), the Republican lead on the House Foreign Affairs Committee, are top sponsors of the legislation.

The bill, which revives legislation introduced during the last two Congresses, establishes an Office of International Cyberspace Policy within the State Department. It also aims to promote American international leadership on cybersecurity, a primary goal of the Cyberspace Solarium Commission, which Langevin co-chairs.

The bill creates a Bureau of International Cyberspace Policy in the Undersecretary of Political Affairs offices where it will guide policy across a diverse range of areas touched by cyberspace. “I have full confidence that this organizational change is going to best position the United States to reclaim its role as a global leader inside the diplomacy realm, which is very particularly urgent given the ever-changing array of threats that we face,” Langevin tells CSO. “[The bill] basically positions the State Department to be much better equipped to advocate on the international stage for cyber diplomacy-related issues. It hopefully undoes the damage that was done during the time of the previous administration,” he says.

Cybersecurity languished during Trump administration

Langevin says that up until Trump took office, both Democrats and Republicans made steady strides forward on cybersecurity. “It was under the Trump administration that, really, we started taking the first major step backward.”

“What happened when the Trump administration came in is [Trump’s first Secretary of State Rex] Tillerson, who I don’t think understood these issues, kind of downgraded and muddied the Department’s cybersecurity structure and starved it of resources over four years,” Christopher Painter, the State Department’s first-ever coordinator for cybersecurity under Barack Obama, tells CSO. “It was certainly not a priority for Donald Trump, who really didn’t care about these issues. Or he kind of coded them all as ‘Russia,’ in which he really didn’t care about these issues.”

Pompeo’s parting bid to create cyberspace office was doomed

In an unexpected move, Tillerson’s successor, Mike Pompeo, created a new Bureau of Cyberspace Security and Emerging Technologies (CSET) at the State Department almost as he was walking out the door in early January. The ordinarily staid Government Accountability Office (GAO) strongly criticized this move as rash and unreasoned in a report it released in late January. The State Department, the GAO wrote, has “not demonstrated that it used data and evidence to support its proposal, particularly for the bureau’s focus and organizational placement.”

Langevin says that Pompeo’s eleventh-hour effort to create CSET deprioritized international cyber policy by establishing it within arms control. “Basically, the Cyber Diplomacy Act brings that back into focus.”

Cybersecurity needs cross-cutting authority

“The diplomacy aspect of these issues is an important tool in our toolbox as we approach not only combating threats in cyberspace but also as we try to shape a more positive environment,” Painter says. “I do think the legislation does several good things. One, it does say, look, this is an important office that has to exist.”

“The other is to say this really needs cross-cutting authority because all these things are interdependent. When Russians are trying to talk about state control of the, quote-unquote, internet governance issues, they’re doing that because it has an impact on human rights online because they’re trying to control content online. When I went over to the State Department from the White House to found [the first cybersecurity office], one of the problems is that three different parts of the State Department would talk about the same event with different perspectives, and that doesn’t help us.”

“The sooner that the State Department can start taking a leadership role, the better,” Langevin says. “It’s definitely a ‘clean-up on aisle nine’ on our international front. The Russians ate our lunch.”

SolarWinds requires US to enforce norms

The Senate Intelligence Committee held a high-profile hearing on Tuesday to examine the devastating SolarWinds hack. During the hearing, the panel of witnesses, including the CEOs of Microsoft, FireEye, SolarWinds, and CrowdStrike, stressed that better international cyber norms are needed.

“We want first to start picking up the pieces and then enforcing norms. We already have a lot of them,” Langevin says. “We want to start the process of rewriting the cybercrime treaty, even though we already have one, which is the Budapest Convention. Russia, they don’t like it. They want to rewrite it on their own.”

“It’s not that there are not norms,” Painter says. “There have been a number of norms agreed to even by China and Russia. It’s just, how do you enforce those norms? The hard question here is, is this sophisticated espionage, which it appears to be, or is this something more? Every country does espionage. You’re never, ever, ever going to get an agreement that espionage is off the table. It’s not going to happen.”

Time is of the essence when it comes to dealing diplomatically with a devastating event like the SolarWinds breach. “The problem with a treaty, even if that’s a desirable end-state in ten or fifteen years, you’d have to get everybody to agree, including Russia and China, in a UN context,” Painter says.

Response to SolarWinds attackers is a priority

During the SolarWinds hearing, the witnesses and Senate panel members also raised the importance of responding to the attackers with punitive actions. “This is also an area where we want to hold bad actors accountable,” Langevin says. “We want to close the gap between the violation of international norms and response.”

Painter underscores the value of holding the attackers responsible. “An even more important thing is, how can we hold countries accountable? How can we prevent them from doing this? How can we protect ourselves?” he says. “If there are no consequences, but people violate those norms or international laws, then those are just words on paper. In fact, you just embolden those people to do it again.”

Finally, a strengthened US diplomatic stance might help solve the delays in officially identifying the international culprits. Although most experts believe Russia is behind the SolarWinds hack, the US has still not formally attributed it to any particular country. “We also have to get out of the mindset that we’re just going to always be using cyber forensics [for attribution],” Langevin says. “We need to use all sorts of intelligence, all assets of national power, working with our allies, to achieve, swifter attribution.”