As the 117th Congress barrels toward the conclusion of its first session, American cyberspace is increasingly imperiled by two distinct but interconnected threats: the increasing frequency of ransomware attacks and other cyber events that threaten resources critical to everyday American life, and the glacial pace of the Senate's consideration of the Cyber Diplomacy Act of 2021.
The legislation in question would enact key recommendations from the Cyberspace Solarium Commission — the bipartisan, intergovernmental body tasked with developing strategic approaches to defending against cyberattacks — by establishing a permanent diplomatic foundation to shape and influence international behavior in cyberspace. And yet, we continue to wait.
The Colonial Pipeline attack demonstrated the vulnerability of American critical infrastructure, and how a blitz from even non-state actors with (allegedly) purely financial motivations could bring an entire region to a crawl. While the US government was able to recover some of the ransom funds paid to DarkSide — the likely Russia-based cybercriminal group — the salvage operation was too little, too late. The US was striking from its back foot and without the backing of international cybersecurity norms. Subsequent attacks on JBS and Kaseya, the work of the Russian REvil syndicate, have further exposed the soft underbelly of American critical infrastructure to our adversaries.
Given the attacks' probable origin on Russian soil, President Biden has asserted that Moscow has "some responsibility to deal with this." However, the Kremlin's response was decidedly unperturbed and dismissive, and why shouldn't it be? The attacks were (probably) not directed by the Russian government, but the US's Russian-originated ransomware woes still bring a smile to President Vladimir Putin's face.
While international law may dictate a duty to address cyber criminality within Russian borders, there is little benefit for Moscow to do so, and few drawbacks for Russia to allow such activity to continue. As the Solarium Commission has noted, incentives for good conduct and deterrents for bad behavior in cyberspace are impossible to effectively establish and enforce without international collaboration and commitment.
As these cyber events have made headlines over the past several months, the Cyber Diplomacy Act has mostly languished in Congress. As a result, the existence and alignment of the Office of the Coordinator for Cyber Issues is still subject to the desires of the Secretary of State, a reality that has resulted in the office's devaluation in recent years. The Cyber Diplomacy Act of 2021 (HR 1251) is the third iteration of a cyber diplomacy bill since 2017, and the third attempt to create a permanent cyber diplomacy office through congressional mandate, as recommended by the Cyberspace Solarium Commission.
As constructed, the proposed legislation would establish the Bureau of International Cyberspace Policy, the head of which would have the rank of ambassador. While an imperfect proposal, the Cyber Diplomacy Act, passed with bipartisan support, would communicate American resolve in establishing and enforcing "rules of the road" in cyberspace, one of President Biden's top priorities.
Recently, the State Department announced the creation of the Bureau of Cyberspace and Digital Policy, which would be led by a Senate-approved ambassador-at-large and report to Deputy Secretary Wendy Sherman for at least the next year. In addition, a Special Envoy for critical and emerging technology would also be named, tasked with addressing issues around technologies such as artificial intelligence and quantum computing. Let's be clear: while this announcement is a step in the right direction, without a Congressional mandate, this bureau has no guaranteed permanence (or even guaranteed funding). If past is prologue, without the roots planted by the Cyber Diplomacy Act, this bureau could easily succumb to the winds of political expediency.
Beyond political priorities, we need a strategic foundation for international cooperation to be able to more effectively respond to malicious cyber activity perpetrated against US domestic industry and deincentivize bad actors from future efforts. Furthermore, the US must better employ diplomatic mechanisms to combat the authoritarian vision for the Internet (endorsed by China and Russia), and promote an open, interoperable, and secure Internet on the international stage.
In the words of the Cyberspace Solarium Commission, "like-minded partners and allies who support a rules-based international order in cyberspace expand the capacity for enforcing such rules while reducing the expense to any one government of holding bad actors accountable for violating them." Allies and partners who subscribe to the vision of a rules-based order in cyberspace could be confident in American resolve in this arena, the perceived importance of which would not be subject to the whims of the Secretary of State or presidential administration.
Is cyber diplomacy the ultimate answer to American ransomware woes? Unlikely. But it's an important step in building a foundation for layered deterrence in cyberspace, and imposing concrete costs for cyber perpetrators and the nations who enable them, thus better protecting American private industry and infrastructure, and turning a Putinesque smile into a frown.