Last week, we learned that the State Department’s cyber coordinator, Christopher Painter, is leaving that position. His departure is a loss to effective digital policy. It was followed by the news that the State Department is considering eliminating the position. This would be a mistake.
Now should be the time to enhance the position, not get rid of it. One of the good things in the Trump administration’s May 11 executive order on cybersecurity is a directive to federal agencies to develop a strategy for international engagement on cybersecurity. The order directed several agencies to submit reports to the president on their international cybersecurity priorities. By the terms of the order, these were due June 25, and a final international strategy is due from the State Department on September 23.
This is an important task. The Obama administration’s 2011 International Strategy for Cyberspace articulated “a set of principles to support [cyber policy] aims spanning the economy, security, and human rights” to frame the work of U.S. agencies. With the volume of data around the globe doubling every two years and with U.S. trading partners and strategic rivals increasingly focused on digital strategies and growing threats of cyberattacks, that international strategy is thoroughly ripe to be revisited. A new international strategy can chart ways the United States can lead in setting norms and best practices for resiliency and behavior in cyberspace.
This task is made-to-order for the Office of the Coordinator for Cyber Issues. In a Brookings paper last fall, “Digital policymaking lessons from the Obama administration”, I wrote about the “internet-cyber gap” – a divide between those whose policy focus is “the economic and human potential” enabled by information and communications technology and those who focus on “the darker sides of ICT—threats, exploits, bad actors, and applications for warfare.” The central argument of the paper was that, policymaking in the digital arena needs to be integrated because the effects of policies are interconnected. As amply demonstrated by the fallout from the Snowden revelations, national security policies cannot operate in isolation from considerations such as trade, innovation, and technology policy. In turn, the increasing impact of security threats on our financial system, our elections, and everyday business amply demonstrate the converse.
Under Painter’s leadership, the cyber office organized a series of dialogues with likeminded countries and played a key role in bridging the internet-cyber gap across the federal government and with other countries. For example, a US-Germany Cyber Dialogue was helpful in keeping Germany from reacting to reports of the tapping of Angela Merkel’s cell phone and Snowden leaks in ways that could have helped to Balkanize the internet and instrumental in getting to an agreement by China not to engage in industrial espionage. In addition, before joining State, Painter worked in the White House on the International Strategy for Cyberspace, so he brought to the position a broad understanding of interconnected issues and respect for various agencies’ equities and expertise.
Without a cyber coordinator, the State Department is poorly structured for its international cybersecurity and digital diplomacy mission. The center of gravity in that agency lies in the Political Affairs Bureau, which houses the regional assistant secretaries and country desks that operate the State’s diplomatic channels. Even as the State Department has expanded its role in “economic diplomacy” and trained a cadre of “digital economy officers,” political and security issues occupy much of the bandwidth in these channels.
The “E” Bureau – Economic Growth, Energy, and the Environment – has an important role in international cyber affairs, including housing the U.S. ambassador for international communications and information policy and the delegation to the undersecretary to coordinate international diplomacy concerning U.S. Intelligence collection under the authority of Presidential Policy Directive 28. The undersecretary also performs the role of ombudsperson under the US-EU Privacy Shield Framework that provides EU citizens with a form of redress for intelligence collection that is unlawful. The “E” Bureau is often outside the flow of information and decisionmaking on security issues and has an uphill task to move its issues up in agency priorities.
Having a cyber coordinator establishes a position that reports directly to the Secretary of State who has visibility into both the security and the economic sides of the house. Moreover, the cyber coordinator is able to sidestep protocol complications with foreign counterparts do not have portfolios equivalent to that of the E undersecretary or E bureau officials. These institutional challenges are handicaps even when there are confirmed political appointees in these positions, and even more so when there is no indication as to when key State Department appointments will be filled.
Council on Foreign Relations cybersecurity fellow David Fidler looks at the downgrading of the cyber coordinator’s role as an example of “the Trump administration’s marginalization of cyber issues in foreign policy.” He may be right, but I am not ready to throws up my hands.
This is an important time to get international cybersecurity policy right. Among other things, the European Commission is engaged in its own cybersecurity policy review, expected to come out in the fall and to include new legislation. There are strong indications that it may propose setting standards for the internet of things or other developing technologies and lead to increased regulatory fragmentation when there is a pressing need for coordination to protect shared networks against shared threats. Other governments may adopt similar approaches. Meanwhile, Russian use of cyberspace as a weapon in U.S. elections and other moves from espionage into sabotage have raised the stakes of addressing state behavior in virtual space. Without a cyber coordinator and many other key positions to help, though, the administration is handicapped in preparing an effective international cybersecurity strategy.