A proposed U.S. State Department cyber bureau seeks to train diplomats in cybersecurity techniques needed to confront escalating attacks by hackers, many believed to be state-sponsored.
In late October, the department announced it would seek congressional approval for a new diplomatic bureau dedicated to cybersecurity and emerging technology.
State Department spokesperson Ned Price said the mission of the new Bureau of Cyberspace and Digital Policy, and its ambassador-at-large, would focus on cyber rules, as well as negotiations and deterrence. A separate special envoy for critical and emerging technology would oversee technology diplomacy with U.S. allies, partners and others.
While cybersecurity diplomacy may not seem immediately relevant to engineers and technology companies, the concept is very relevant to victims of ransomware attacks, data breaches or other cyberattacks, especially those aimed at critical infrastructure.
Ransomware in particular is a growing global threat. A July study by IDC found that over one-third of organizations suffered a ransomware attack or breach in the previous year that prevented access to data or systems. The global incident rate was several times higher than the incident rate for U.S. companies.
While the Cybersecurity and Infrastructure Security Agency (CISA), a branch of the Department of Homeland Security, coordinates efforts across federal departments, CISA tends to focus primarily on domestic cyber-defense, noted Duncan Greatwood, CEO of Xage Security.
By contrast, the proposed State Department bureau is oriented internationally. “There’s some coordination among close allies of the U.S., which is helpful defensively, and in terms of sharing knowledge of threats, but less helpful in dealing with nations where those threats originate,” said Greatwood, a former Apple executive.
The new bureau would also address the reality that international boundaries and the rule of law are not respected by cybercriminals, noted Bonnie Glick, director of Purdue University’s Center for Tech Diplomacy.
“Part of the role the State Department plays is promoting U.S. policies abroad, including democratic values and the rule of law,” Glick said. “The latter is very real and very much needed.”
“Whether [cybercriminals] are state-sponsored as in Iran, or pseudo-state sponsored, or rogue criminals, they all have eyes on the U.S., its companies and individuals,” she added. “They’re wreaking havoc on international systems and don’t play by anyone’s rules.”
The State Department serves as “the steward of all of our country’s diplomatic and international affairs,” so it makes sense for the agency to fill that role, according to Glick.
Collective action by western allies has already helped blunt at least one group of cybercriminals. In October, a multi-country operation forced ransomware gang REvil offline. The hacking group is responsible for both the Colonial Pipeline hack and the attack on meatpacker JBS.
In the days before that coordinated action, a U.S.-led summit of more than two dozen nations agreed to work collectively to thwart the growing threat of ransomware attacks. Russia, the source of the REvil hacking group, as well as the Nobelium hackers behind the SolarWinds attacks, was not invited to the first round of discussions, the White House announced.
Given the lack of agreement on how nations and their citizens should behave in cyberspace, Xage said the new bureau can help fill the gap. For example, the agency could establish “guardrails” akin to those already in place for international human rights and the use of chemical weapons.
“There are always one or two nations that won’t care, but most will attempt to stay within the guardrails, even if they are regimes of concern in other respects,” said Greatwood. The guardrails could therefore limit damage caused by aggressors.
Setting limits for international cyberspace behavior won’t be easy. “Just as you can’t get nations to agree on the highest standards for human rights, you can’t get everyone to agree on the highest standards for cybersecurity behavior,” added Greatwood. “But a diplomatic effort could at least set a baseline to limit the worst cases.”
The proposed bureau could also help coordinate effective government responses to the growing volume of attacks. That would be especially useful when dealing with nations that “allow private sector hackers to flourish within their territories as long as they only attack people outside those territories,” said Greatwood.
“No one knows what the limits are [since] responses to attacks are all over the map, and the attitude is often that breaches will be made and hackers are going to hack, so we can’t stop bad behavior.”
Unethical hackers operate in “a market economy of bad actors,” Greatwood added. They can be slowed by either raising the costs of an attack, or reducing the benefits. That approach has already been attempted in the current push for zero-trust architectures, making systems more difficult to penetrate and hacks easier to contain.
Said Greatwood: “This new bureau’s diplomatic efforts can follow the same logic: raise the cost of hacks and lower the benefits, reducing the risks of unaccountable geopolitical hacker blackmail.”
The State Department initiative is also part of a larger effort to “build our capacity and expertise in the areas that will be critical to our national security in the years ahead,” Secretary of State Antony Blinken noted in a speech to the Foreign Policy Institute on Oct. 28. “We want to prevent cyber-attacks that put our people, our networks, companies and critical infrastructure at risk. We want the internet to remain a transformative force for learning, for connection, for economic growth, not a tool of repression.”
Technology and statecraft
First proposed by the Obama administration and backed by the Trump administration, a new bureau focused on cybersecurity and technology “gives you not just this one ambassador at large, but an entire bureaucracy that’s structured around that person,” Glick stressed. “There’s no existing cohort in the State Department trained in cybersecurity or emerging technology in a practical sense. If we can get a cohort of foreign service officers trained in [cybersecurity and emerging] technologies at all levels, it allows us to better represent our country, since such a huge proportion of our economy now depends on technology.”
Purdue’s Center for Tech Diplomacy brings engineering expertise to U.S. foreign policy. The focus is “techno-statecraft,” or what Glick calls “a brand-new category in diplomacy, a focus on technology and all the national security and foreign policy components that get attached to it.
“At a time when techno-statecraft is mastered by our adversaries, we need a diplomatic corps equipped to do the same,” she added. “This bureau will attract a workforce that wants to gain these skills.”