Washington, D.C., April 26, 2021 — The recent passage of the “Cyber Diplomacy Act of 2021” by the House of Representatives suggests U.S. lawmakers are eager to expand the U.S.’s toolbox for addressing cyber threats to explicitly include diplomacy, according to a compilation of policy records posted today by the nongovernmental National Security Archive. Introduced on the heels of the SolarWinds breach, the bill would establish a new “Bureau of International Cyberspace Policy.”
As Congress considers the third cyber diplomacy bill since 2017 (H.R. 3776, H.R. 739 and the most recent H.R. 1251), the National Security Archive’s Cyber Vault has collected a series of documents to help illustrate the historical context for this development, specifically the waxing and waning prominence of cyber issues in the diplomatic field.
* * * * *
A Diplomatic Domain?
The Evolution of Diplomacy in Cyberspace
By Cristin J. Monahan
Since the beginning of the 21st century, cyberspace has rapidly evolved into a domain of opportunity and collaboration, as well as a contested space. Such developments have demonstrated the need for strong cyber defense, as well as, many might argue, equally capable cyber offense. However, due to both the multi-stakeholder composition of cyberspace and the global scope of network interconnectivity, the role of cyber diplomacy as a tool to mitigate or avoid conflict cannot be overstated. In light of the recently uncovered SolarWinds and Microsoft Exchange breaches, linked to Russia and China respectively, the importance of cyber diplomacy as a device of deterrence is likely ascending.
When discussing cyber diplomacy, it is important to define it as diplomatic activities directed towards influencing state behaviors and securing national interests in cyberspace, as opposed to cybered diplomacy, or the performance of diplomatic functions through the utilization of cyber tools, for example, email. Like other diplomatic activities, cyber diplomacy can occur through bilateral relationships and agreements between two countries, or in multilateral fora, such as the UN.
The most common issues addressed by cyber diplomatic activities include cybersecurity, cybercrime, confidence-building activities, internet freedom, and internet governance, and the documents below illustrate the evolution of both national and international approaches to address these issues, as well as the organizational structures required to address these concerns effectively. While most of the documents cited demonstrate the cyber-focused activities of the United States government, some documents will speak to the activities of other nations in this domain, many times as either a cooperative partner in the American vision for cyberspace, or as a direct adversary to this view.
The First National Cyber Priorities
By the end of the aughts, nations had begun to recognize cyberspace and its undergirding infrastructure as not only strategic assets, but also a domain of potential influence and conflict. In 2009, the United States, closely followed by the United Kingdom, released its first national cybersecurity strategy document. The Obama Administration’s “Cyberspace Policy Review” (Document 1) notes that while cyberspace offers tremendous opportunities, “the broad reach of a loose and lightly regulated digital infrastructure [poses] great risks [that] threaten nations, private enterprises, and individual rights” (p. 3). The document also affirms the government’s responsibility to “address these strategic vulnerabilities to ensure that the United States and its citizens, together with the larger community of nations, can realize the full potential of the information technology revolution” (p. 3). It is noteworthy that while the “Cyberspace Policy Review” delineates both a Near-Term Action Plan and a Mid-Term Action Plan, neither calls for cooperation between the United States and other nations, like-minded or otherwise.
Similarly, the UK’s 2009 “Cyber Security Strategy of the United Kingdom: safety, security, and resilience in cyberspace” (Document 2) offers a comparable assessment of the rewards and risks of the domain, as well as a vision of cyberspace where “citizens, business and government can enjoy the full benefits of a safe, secure and resilient cyberspace: working together, at home and overseas, to understand and address the risks, to reduce the benefits to criminals and terrorists, and to seize opportunities in cyberspace to enhance the UK’s overall security and resilience” (p. 3). The 2009 UK strategy also establishes both the Office of Cyber Security and the Cyber Security Operations Centre to provide strategic oversight and operational support for the UK’s assets in cyberspace.
Source: The Cabinet Office of the United Kingdom, Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space, June 25, 2009.
As a counterpoint to the US and UK strategies above, in 2010 China released its white paper on cyberspace strategy, “The Internet in China” (Document 3). In it, the Information Office of the State Council of the People’s Republic of China frames the Internet as both “a crystallization of human wisdom,” as well as “an indispensable tool in people’s life, work and studying, exerting a profound influence on every aspect of social life.” While the report emphasizes the transformative impact the Internet will have on China’s “reopening,” the writers are also quick to assert Chinese sovereignty within cyberspace:
Within Chinese territory the Internet is under the jurisdiction of Chinese sovereignty. The Internet sovereignty of China should be respected and protected. Citizens of the People’s Republic of China and foreign citizens, legal persons and other organizations within Chinese territory have the right and freedom to use the Internet; at the same time, they must obey the laws and regulations of China and conscientiously protect Internet security.
While the US and UK strategies noticeably omit discussion of international cooperation in cyberspace, the 2010 Chinese white paper specifically maintains “all countries should, on the basis of equality and mutual benefit, actively conduct exchanges and cooperation in the Internet industry.” The Information Office also calls for “the establishment of an authoritative and just international Internet administration organization under the UN system through democratic procedures on a worldwide scale.” Additionally, the paper emphasizes China’s collaborative efforts with the West and other Asian nations, mostly with regards to cybersecurity practices and transnational “network crimes” that would later be known as cybercrime. In an effort to stymie international cybercrime, China calls on “the law-enforcement agencies of all countries [to] enhance their coordination in preventing and combating network crimes, and establish multilateral or bilateral cooperation mechanisms.”
A Pivot Towards Diplomacy in Cyberspace
In May 2011, the Obama Administration released the “International Strategy for Cyberspace” (Document 4) which André Barrinha and Thomas Renard define as “the first government document worldwide to focus entirely on the international aspects of cyber issues.” In the introduction, President Obama notes that the strategy represents “the first time that our Nation has laid out an approach that unifies our engagement with international partners on the full range of cyber issues ... not only a vision for the future of cyberspace, but an agenda for realizing it” (p. 3). The strategy defines a number of policy priorities, which include cybersecurity, innovation in open markets, internet governance, internet freedom, law enforcement, and preparing the military to address 21st century threats. These priorities are supported by the three-pronged approach of defense, development, and diplomacy.
The stated diplomatic goal of the 2011 cyber strategy document is to “create incentives for, and build consensus around, an international environment in which states—recognizing the intrinsic value of an open, interoperable, secure, and reliable cyberspace—work together and act as responsible stakeholders” (p. 15). This escalation of cyberspace policy from the national to international stage was signaled months earlier, with then-Secretary of State Hillary Clinton’s February 2011 address at The George Washington University, “Internet Rights and Wrongs: Choices & Challenges in a Networked World” (Document 5). Secretary Clinton framed the Internet as being at a critical juncture which called for diplomatic discussion, noting that “to maintain an internet that delivers the greatest possible benefits to the world, we need to have a serious conversation about the principles that will guide us, what rules exist and should not exist and why, what behaviors should be encouraged or discouraged and how.” Clinton asserted that activities in and around cyberspace would be a foreign policy priority for the State Department and subsequently announced the creation of the Office of the Coordinator for Cyber Issues, led by Christopher Painter, the former senior director of cyber security at the National Security Council, and charged with “facilitat[ing] cooperation across the State Department and with other government agencies” on issues relating to cyberspace. Barrinha and Renard emphasize that with this announcement, “Coordinator Christopher Painter became de-facto the world’s first cyber-diplomat.”
Source: GAO Report, Government Accountability Office, Cyber Diplomacy: State Has Not Involved Relevant Federal Agencies in the Development of Its Plan to Establish the Cyberspace Security and Emerging Technologies Bureau, September 22, 2020.
UN Group of Governmental Experts (GGE)
As the United States established its first international cyberspace strategy and newly crowned “cyber diplomats” advocated for their nations’ interests in the digital domain, the UN’s “Group of Governmental Experts” or GGE, coordinated by the UN Office for Disarmament Affairs, worked to develop recommendations for “rules of the road” in cyberspace. In 2011, the UN General Assembly called for the creation of the third GGE, which later submitted its report in June 2013. The findings espoused in report A/68/98 (Document 6) affirm the applicability of international law to cyberspace, confirm the right of states to regulate information and communications technology (ICT) infrastructure within their borders, and address the tension between security and liberty in cyberspace, noting “state efforts to address the security of ICTs must go hand-in-hand with respect for human rights and fundamental freedoms” (p. 8). The report of the fourth GGE, A/70/174 (Document 7), released in July 2015, again affirms state sovereignty over ICTs within their territory, while recommending that “States cooperate to prevent harmful ICT practices and should not knowingly allow their territory to be used for internationally wrongful acts using ICT” (p. 2). Furthermore, report A/70/174 asserts that “a State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public” (p. 8). The report also recommends a number of confidence-building measures, including “the development of and support for mechanisms and processes for bilateral, regional, subregional and multilateral consultations, as appropriate, to enhance inter-State confidence-building and to reduce the risk of misperception, escalation and conflict that may stem from ICT incidents” (p. 15).
While the third and fourth iterations of the GGE established it as the primary forum for the international conversation on cybersecurity, as well as international norms in cyberspace, the fifth GGE, which concluded its last round of deliberations in 2017 without producing a consensus outcome report, left the discussion in ambiguous territory. The conclusive point of fracture appeared to be the group’s mandate to study and discuss not if international law applied to cyberspace, but how international legal concepts and principles would be applied to cyberspace. In her June 2017 remarks (Document 8) at the UN, Michele Markoff, U.S. Expert to the GGE and Deputy Coordinator for Cyber Issues, noted that throughout the fifth GGE, the US “sought clear and direct statements on how certain international law applies to States’ use of ICTs, including international humanitarian law, international law governing States’ exercise of their inherent right of self-defense, and the law of State responsibility, including countermeasures.” Markoff further asserted that some participants sought to undo the work of previous GGEs, and that those unwilling to “affirm the applicability of these international legal rules and principles believe their States are free to act in or through cyberspace to achieve their political ends with no limits or constraints on their actions.” The deputy coordinator also expressed concern with the message communicated through an incomplete report, emphasizing that “a report that discusses the peaceful settlement of disputes and related concepts but omits a discussion of the lawful options States have to respond to malicious cyber activity they face would not only fail to deter States from potentially destabilizing activity, but also fail to send a stabilizing message to the broader community of States that their responses to such malicious cyber activity are constrained by international law.”
Department of State International Cyberspace Policy Strategy
Section 402(b) of the Consolidated Appropriations Act of 2016 required a report on the State Department’s international cyberspace efforts, with a focus on those activities related to norms of state behavior. In response, the Department released the “Department of State International Cyberspace Policy Strategy” (Document 9) in March 2016. The report highlights the ways in which Department activities implemented the 2011 “International Strategy for Cyberspace,” particularly “the applicability of international law; the importance of promoting confidence building measures; and the significant progress the Department has made, working in partnership with other federal departments and agencies, to promote international norms of state behavior in cyberspace, as well as future plans in this area” (Document 9, p. 1). It also demonstrates the State Department’s specific activities to address common issues in cyber diplomacy, such as cybercrime, internet governance and internet freedom.
The document is also notable for providing “a review of the alternative concepts with regard to international norms in cyberspace offered by foreign countries that are prominent actors, including China, Russia, Brazil, and India” (p. 16). Particular attention is given to the approaches of Russia and China, nations that the State Department assesses are primarily concerned with maintaining their own domestic stability by promoting online speech and content controls, affirming their sovereignty over domestic issues, and delegating both the attribution of cyber attacks and the adjudication of international cyber conflicts to the UN. The State Department notes that while “Russia and China are the most assertive states advancing alternative visions for international stability in cyberspace … the United States has been able to find common ground with Russia and China, as illustrated by the recent consensus reports of the UN GGE and the 2015 commitment at the G20 summit” (p. 18).
Downshifting Diplomacy and the Congressional Response
The early actions of the State Department under the Trump Administration, initially led by Secretary of State Rex Tillerson, signaled a fundamental shift in the way cyberspace was perceived by the new administration. While the cyber realm was increasingly perceived as a domain of conflict, as evidenced by the 2018 Summary: Department of Defense Cyber Strategy, diplomatic activities in cyberspace seemed to be downgraded in importance, in favor of maintaining international digital markets for American products and interests. In an undated letter (CyberScoop reported on the letter on August 29, 2017) to Senator Bob Corker (Document 10), the chairman of the Senate Committee on Foreign Relations, Secretary Tillerson notes that the title and functions of the Coordinator for Cyber Issues (CCI), which “encompass advancing the full range of U.S. interests in cyberspace including security, economic issues, freedom of expression and free flow of information on the internet,” (p. 6) would be realigned from the Office of the Secretary to the Bureau of Economic & Business Affairs.
The Congressional response to the stripping down of the Office of the Coordinator for Cyber Issues was swift, but largely toothless. In September 2017, H.R. 3776 was introduced in the House of Representatives and referred to the Committee on Foreign Affairs. With a short title of the “Cyber Diplomacy Act of 2017,” the originally introduced H.R. 3776 (Document 11a) established an Office for Cyber Issues, the head of which “shall have the rank and status of ambassador and be appointed by the President, by and with the advice and consent of the Senate,” and in addition to leading the State Department’s diplomatic cyberspace efforts, shall “serve as the principal cyber-policy official within the senior management of the Department of State and advisor to the Secretary of State for cyber issues” (p. 10). H.R. 3776 passed the House, and upon reaching the Senate, was renamed the “Cyber Diplomacy Act of 2018” (Document 11b). After its referral to the Senate Committee on Foreign Relations, the bill was amended to reflect a new name for the proposed office: the Office of Cyberspace and the Digital Economy (p. 33). The decision to rename the office likely represented an acknowledgment of the Trump Administration’s increased emphasis on cyber diplomacy as a lever for favorable economic conditions, evidenced by the CCI’s realignment under the Bureau of Economic & Business Affairs. Despite this amendment, H.R. 3776 ultimately died in the Senate.
At the start of the 116th Congress, H.R. 739, the “Cyber Diplomacy Act of 2019” (Document 12), was introduced in the House. The language and scope of the new bill were very similar to those of the defunct H.R. 3776, with the notable addition of a commentary on the “rule of construction” for the proposed office (renamed “the Office of International Cyberspace Policy” in the 2019 bill). While both bills stated that the proposed office will not be precluded from “being elevated to a Bureau within the Department of State,” or “the head of the Office [precluded] from being elevated to an Assistant Secretary” (Document 11a, p. 12; Document 12, p. 17), the 2019 bill emphasized the critical importance of diplomatic efforts in cyberspace by asserting “it is the sense of Congress that the Office of International Cyberspace Policy … should be a Bureau of the Department of State and the head of such Office should report directly to the Secretary of State or Deputy Secretary of State” (p. 17). H.R. 739 was referred to the House Committee on Foreign Affairs but did not pass the House before the conclusion of the 116th Congress.
The Future of American Cyber Diplomacy
In June 2019, following the introduction of H.R. 739 in the House, the State Department notified Congress of its intent to establish a new bureau to address issues of cyberspace security and the security aspects of emerging technologies, the Bureau of Cyberspace Security and Emerging Technologies (CSET). According to a 2020 GAO report (Document 13), the State Department’s rationale for creating this new bureau was to “(1) align cyberspace security and emerging technologies security issues with its international security efforts, (2) improve coordination with other agencies working on national security issues, and (3) promote long-term technical capacity within the department” (p. 5). The new bureau, which would report to the Under Secretary for Arms Control and International Security, would be led by a Coordinator and an Ambassador-at-Large (p. 5). Additionally, “under State’s proposal, CSET would not focus on the economic and human rights aspects of cyber diplomacy issues” (p. 5). State’s organizational realignment of cyber-focused issues again emphasizes the shift in perception by the Trump Administration in which cyberspace is primarily a weaponized domain in which risks must be assessed and managed through technical capabilities, priorities that are separate and distinct from issues of economic opportunity and human rights protection.
Members of Congress raised concerns about the narrow scope of the proposed bureau, and Rep. Eliot Engel (D-NY-16) and Rep. Michael McCaul (R-TX-10), the chairman and ranking member, respectively, of the Committee on Foreign Affairs, asked the Government Accountability Office to “review State’s efforts to advance U.S. interests in cyberspace, including State’s planning process for establishing a new bureau to lead its international cyber mission” (p. 2). In September 2020, the GAO released its assessment of State’s efforts in a report entitled “Cyber Diplomacy: State Has Not Involved Relevant Federal Agencies in the Development of Its Plan to Establish the Cyberspace Security and Emerging Technologies Bureau” (the aforementioned Document 13). The GAO report notes, “the Department of State (State) leads U.S. government international efforts to advance the full range of U.S. interests in cyberspace, including by coordinating with other federal agencies, such as the Departments of Commerce (Commerce), Defense (DOD), Energy (DOE), Homeland Security (DHS), Justice (DOJ), and the Treasury (Treasury), to improve the cybersecurity of the nation” (p. 1), and as such, GAO’s assessment examines the “extent to which State involved other federal agencies in the development of its plan for establishing CSET” (p. 2). As its title suggests, the report emphasizes that State’s collaborative efforts with other relevant agencies were insufficient, and as such, “State lacks assurance that it will effectively achieve its goals for establishing this bureau, and it increases the risk of negative effects from unnecessary fragmentation, overlap, and duplication of cyber diplomacy efforts” (p. 8).
On January 7, 2021, less than two weeks before the conclusion of the Trump Administration, Secretary of State Pompeo announced approval of the creation of CSET, and “directed the Department to move forward with standing up the bureau.” The announcement (Document 14) was delivered one month after the initial revelations of the multi-agency SolarWinds hack, currently assessed by the intelligence community to be of Russian origin. Perhaps in light of the SolarWinds breach, State framed the development and execution of CSET as critical, “as the challenges to U.S. national security presented by China, Russia, Iran, North Korea, and other cyber and emerging technology competitors and adversaries have only increased since the Department notified Congress in June 2019 of its intent to create CSET.”
On January 28, 2021, a week after the start of the Biden presidency, the GAO released a second report on the development of the proposed CSET bureau, entitled “Cyber Diplomacy: State Should Use Data and Evidence to Justify Its Proposal for a New Bureau of Cyberspace Security and Emerging Technologies” (Document 15). In this second report, the GAO acknowledges that State had not agreed with the conclusions of the initial September 2020 GAO report, “noting that it was unaware that these agencies had consulted with State before reorganizing their own cyberspace security capabilities and organizations” (p. 2). This second report focuses on “the extent to which State used data and evidence to develop and justify its proposal to establish CSET” (p. 2). Using information gathered from interviews with State officials and documentation, the GAO assessed the activities of State which culminated in the June 2019 Congressional Notification proposing the creation of CSET. The GAO compared these activities against “the key practice of using data and evidence in the development of the proposed agency reforms, drawn from our June 2018 report on government reorganization” (p. 2). Of particular note, the GAO refers to a set of briefing slides and an action memo (currently being sought under FOIA) it received from State in response to a request for the information used to support the decision to create CSET. The report describes the slides as presenting “four options for the organizational placement of the new bureau, with ‘pros’ and ‘cons’ listed for each option” (p. 8).
The report writers chose to focus on the option that most closely aligned with the CSET proposal that Secretary Pompeo ultimately approved. This option placed CSET under the Under Secretary for Arms Control and International Security, and left issues of digital economy within the Bureau of Economic and Business Affairs. The report writers assert that State acknowledged that the proposed separation of cyber and digital policy under different Under Secretaries could pose coordination and policy consolidation challenges, but offered no potential remedy. The report concludes by reaffirming the recommendation “that State should use data and evidence to justify its current proposal, or any new proposal, to establish CSET. [The GAO] continue[s] to believe that, without evidence to support the creation of the new bureau, State lacks needed assurance that the bureau will effectively set priorities and allocate appropriate resources to achieve its intended goals” (p. 8). Finally, the GAO notes that, while Secretary Pompeo had announced approval for CSET, “as of the date of this report, State had not created CSET” (p. 2).
Soon after Secretary Pompeo’s announcement, Senators Angus King (I-ME) and Ben Sasse (R-NE), with Representatives Mike Gallagher (R-WI-8) and Jim Langevin (D-RI-2) released a joint statement criticizing the proposed bureau, asserting “the State Department’s proposed Bureau will reinforce existing silos and hinder the development of a holistic strategy to promote cyberspace stability on the international stage.” On February 23, 2021, Rep. Michael McCaul introduced H.R. 1251, the “Cyber Diplomacy Act of 2021” (Document 16), in the House, initially co-sponsored by five other representatives, including Gallagher and Langevin. The introduced bill was very similar in scope and language to the expired H.R. 739, with the notable elevation of the office in question to the “Bureau of International Cyberspace Policy,” the leader of which would have the rank and status of ambassador and would report to the Under Secretary for Political Affairs, or an official of higher rank (p. 16). Upon introduction in the House, the bill was referred to the House Committee on Foreign Affairs, and after committee consideration and a mark-up session, the committee ordered H.R. 1251 to be reported in the nature of a substitute by voice vote.
At the time of this writing, only the text of the original bill is available for review. However, the Committee’s order suggests that significant changes to the text will be forthcoming. Such alterations may include an acknowledgment of the SolarWinds and Microsoft Exchange breaches or specific requirements for coordination between the new bureau and the nascent Office of the National Cyber Director. The bill eventually passed the House on April 20, 2021, in a vote of 355-69 as part of a broader package of bills.
Given the concerns voiced by Congress through both public statements and proposed legislation, as well as the recommendations of the GAO, it is unclear if the State Department under Secretary Antony Blinken will continue to pursue the establishment of CSET, or seek to bring all cyber-focused issues, including cybersecurity, economic concerns and human rights protections, under the helm of a single diplomatic office or bureau.