U.S. State Department unveils new Bureau of Cyberspace and Digital Policy

The new Bureau could enhance the United States' ability to work effectively with other nations on cybersecurity matters.

Distorted and glitched binary flag of the United States of America
Traffic Analyzer / Getty Images

The U.S. State Department announced that its Bureau of Cyberspace and Digital Policy (CDP) began operations on Monday as part of Secretary Antony Blinken’s modernization agenda. The Department says the CDP will address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.

The Bureau, ultimately to be led by a Senate-confirmed ambassador-at-Large, will, in the interim, be guided by Jennifer Bachus, a career member of the Senior Foreign Service, as principal deputy assistant secretary for the Bureau. The CDP will include three policy units led by acting deputy assistant secretaries, including international cyberspace security, international information and communications policy, and digital freedom.

Bureau of Cyberspace and Digital Policy a “significant accomplishment”

Congressman Jim Langevin (D-RI), chairman of the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies, and Information Systems (CITI), and co-chair of the Congressional Cybersecurity Caucus, praised the CDP’s creation, which has been months in the making. “I congratulate Secretary Blinken and Deputy Secretary [Wendy] Sherman for this significant accomplishment, and I thank them for working closely with Congress in its efforts,” Langevin said. Langevin also served on the Cyberspace Solarium Commission, which recommended the creation of a similar bureau at the State Department.

But the work of the CDP, expected to have nearly 100 employees, has just begun, Langevin said, pointing to the need for funding for such a substantial operation. “Yet the work does not end here,” he said. “Moving forward, I will be working ardently to ensure that Congress provides the Bureau the resources it needs to fulfill its essential mission.” According to reports, the Biden administration has requested a budget of $37 million for the Bureau.

Achieves many goals of the Cyber Diplomacy Act

Finally, Langevin urged Congress “to pass the Cyber Diplomacy Act to enshrine this new Bureau in statute, ensuring its long-term viability and the preservation of cyber as a key foreign policy priority for the coming decades.” That bill, passed by the House with bipartisan support in February 2021 only to languish ever since, would have created a Bureau of International Cyberspace Policy in the Undersecretary of Political Affairs offices to guide policy across a diverse range of areas touched by cyberspace.

The importance of the Cyber Diplomacy Act is that it would have created a more powerful bureaucratic structure within the State Department to tackle cybersecurity issues, making the ambassador a direct report to the under secretary for political affairs or an official holding a higher position in the Department of State than the under secretary for political affairs. It also would have allowed the new bureau to engage other State Department experts on other matters, including human rights, economic competitiveness, and arms control.

In the dying days of the Trump administration, then-Secretary of State Mike Pompeo sought to rectify Donald Trump’s obliteration of a standalone cybersecurity apparatus at the Department by creating a new Bureau of Cyberspace Security and Emerging Technologies (CSET). At the time, Representative Gregory W. Meeks (D-NY), chairman of the House Committee on Foreign Affairs, blasted Pompeo’s “ill-suited” plan in part because that bureau would “not coordinate responsibility for the security, economic, and human rights aspects of cyber policy, which are all essential to effective diplomatic engagement on these issues.” As it turns out, Pompeo’s creation was never formed following a blistering report by the Government Accountability Office (GAO) for its failure “to use data and evidence to develop its proposal.”

Blinken’s new bureau may achieve most if not all of what the Cyber Diplomacy Act set out to fix. “I think it makes a lot of sense,” Chris Painter, the State Department's first-ever coordinator for cybersecurity, tells CSO. The Bureau is “at a high enough level of the state department so that you can crosscut across the Department and among very different things because these issues are not dealt with in silos. Also, its mandate is broad, which is good. Everything from hard security and international security issues to economic issues to human rights issues. Those things often overlap, and you have to be able to coordinate all of them.”

Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance, agrees that the wide range of topics the new bureau will encompass is a promising development. “Cybersecurity is a multifaceted challenge, and this new [bureau] looks like it has been built in a way that will enable the government to address these areas, including things such as digital freedom and traditional technology,” she tells CSO.

A critical role to play if Russia violates the rules of the road

The U.S. created this field of diplomatic expertise back in 2011 under Painter, but Trump’s first secretary of state, Rex Tillerson, “buried it in the bureaucracy,” Painter says. With this new Bureau, the U.S. could reclaim its leadership status and ability to work with other nations that have also elevated cybersecurity in the diplomatic realm, including several European countries, such as Estonia, France, Germany, the UK, the Netherlands as well as Japan, Korea, India, and even China and Russia.

In terms of the current crisis in Ukraine and Russia’s yet-to-fully-materialize malicious cyber activity, Painter thinks the CDP can play an essential role if Russia exercises its capability to wreak digital damage. “We haven't seen as much cyber from Russia as we thought we would, but that doesn't mean we should be complacent. It's certainly possible that Russia will use cyber more to project power or go after countries that sanction them,” Painter says.

What the State Department can do now is help foster international cybersecurity rules of the road. The most important part of that role is its ability to mount “a collective way to ensure accountability for those countries that violate the rules of the road,” says Painter. “And so that's where I think the State Department plays a vital role in working with our allies and partners to do the things we've seen in even the physical world with sanctions and other stuff” such as law enforcement tools.

The timing seems good given the support Ukraine has received globally. “I think given the solidarity that has been shown with Europe and Japan and other parts of the world on Ukraine, that's a good stepping stone to continue to build the cyber alliances,” Painter says.

The bottom line is that cybersecurity will be “an important long-term issue to our national security and economic security and foreign policy,” according to Painter. “We can't afford to go through a cycle as we did four years ago where it caused a lot of our friends to wonder what was going on and our adversaries to become more emboldened. The State Department has made the right move in creating this bureau. It creates the kind of momentum that I think we need to see.”

Copyright © 2022 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022