The U.S. State Department is expected to stand up a new cybersecurity bureau this year as the government grapples with expanding foreign cybersecurity threats, according to current and former officials familiar with the plans. But the scope of that body’s work remains unclear amid squabbles with Capitol Hill over its responsibilities.
At a time when the United States and its adversaries are making major investments in offensive hacking capabilities, current and former officials say the bureau would fill a gap in the U.S. government’s diplomatic abilities.
Deputy Secretary of State John Sullivan is expected to announce the creation of the new bureau in a speech on the Trump administration’s cybersecurity strategy this spring, according to one official. The official added that plans are underway for the bureau to be run by a new assistant secretary of state but cautioned that nothing has been finalized.
Without a unit inside the State Department devoted to the subject, current and former officials fear that Washington is neglecting a key issue that is expected to play a major role in international relations.
“It is the area where our adversaries are not only choosing to confront the United States the most, but also drawing the most blood,” said Jason Healey, a former White House official on cybersecurity under President George W. Bush now at Columbia University’s School of International and Public Affairs.
The State Department did not respond to request for comment for this story. The department’s press office sent an email saying communications with media are limited due to the ongoing government shutdown.
President Donald Trump’s administration has taken a hard line on cybersecurity issues, issuing indictments and imposing sanctions on hackers alleged to be working on behalf of the Chinese government and loosening Barack Obama-era rules on carrying out offensive cyberattacks.
The White House has accused Beijing of stepping up its campaign of stealing American intellectual property in a bid to boost domestic firms, an issue that U.S. negotiators are attempting to address as part of talks aimed at ending a tit-for-tat trade war between the two countries.
Amid this growing confrontation over issues in cyberspace, American diplomats working on cybersecurity have been hamstrung by a lack of authority and resources at a time when U.S. adversaries are stepping up their efforts in this space. China and Russia are increasingly using their diplomatic clout to dictate the direction of internet governance bodies, and critics of the Trump administration argue that it has been lagging in its diplomatic approach on the issue.
As the administration has downplayed the importance of multilateral bodies, China, for example, has tried to use its growing clout in United Nations bodies to advance its vision of a more highly regulated internet, as Foreign Policy reported in 2017. Beijing views the open internet as a security threat and has tasked its diplomats with advancing efforts to regulate online speech.
The State Department used to have an office that coordinated cybersecurity issues, but former Secretary of State Rex Tillerson shuttered it in 2017, in a move cybersecurity experts and former officials decried as short-sighted. In apparent response to the criticism, Tillerson reversed course shortly before his firing last March, telling lawmakers a year ago that he had plans to create a new bureau on cybersecurity.
His successor, Mike Pompeo, signed a memo last summer that would have re-established the bureau under the undersecretary of state for arms control and international security, according to current and former officials. But since then, the officials say, the issue has been beset by delays as top diplomats and lawmakers debate where in the department to place the bureau and what exactly the bureau’s mandate should entail. The ongoing government shutdown, now nearing its fourth week, could further delay the rollout.
One State Department official said the bureau is still expected to be overseen by the undersecretary for arms control and international security, to emphasize its focus on national security issues. But others, including lawmakers, have pushed for the bureau to report to the undersecretary of political affairs, the department’s third-ranking official, and focus more on political priorities relating to cybersecurity.
In January 2017, the House of Representatives passed legislation that would have established the Office of Cyber Issues in the State Department, located that office under the undersecretary for political affairs, and consolidated all of the department’s work on cybercrime, internet freedom, deterrence, and cyberdiplomacy.
But that legislation stalled in the Senate, and Pompeo now appears to be moving toward establishing the bureau under the jurisdiction of his department’s arms control experts.
What appears as an internecine bureaucratic fight is in reality a conflict over the bureau’s priorities and whether the coming cybersecurity body will address more than just the hard security issues in cyberspace, such as the launching of offensive cyberattacks.
While the development of frameworks governing the use of offensive cyberattacks represents a key diplomatic issue, economic and human rights questions are also important. Policies governing the use of encryption have implications for online global commerce, which is made possible by the use of widespread encryption. The internet human rights agenda is another fraught area, as authoritarian states seek to clamp down on the open web as a tool of dissent and civic organizing.
Regardless of where the bureau is placed, it is expected to also be tasked with building up the cybersecurity capacity of developing countries’ governments to improve internet security worldwide, according to one official.
Placing the bureau under the department’s arms control wing would place an emphasis on these hard security questions in cyberspace and possibly cause the department to neglect the economic and human rights dimensions of cyberdiplomacy, said Chris Painter, the State Department’s former cyber coordinator.
Still, Painter welcomed the move to re-establish a division within the department devoted to cybersecurity issues.
The bureau is expected to employ roughly 80 people, the current and former officials say. About half will be current State Department employees recruited from other bureaus. The other half will be new hires.
Until then, the vestiges of the cybersecurity coordinator office that Tillerson disbanded have been folded into the department’s Bureau of Economic and Business Affairs. Robert Strayer, a former Republican Senate aide, manages those efforts as a deputy assistant secretary.
Officials said he is on the shortlist to run the new bureau.