US to Create Diplomatic Bureau to Lead Cybersecurity Policy

The Biden administration plans to revitalize the State Department and make cybersecurity a core priority with the addition of 500 new civil service positions, a 50% increase in its information technology budget, and the creation of the Bureau of Cyberspace and Digital Policy, officials have announced.

These changes at the State Department, first announced by Secretary Antony Blinken as part of the agency's modernization initiative, will focus the government's foreign service on creating the international agreements necessary to punish cyberattackers who are often sheltered by non-allied governments, such as China, Russia, Iran, and North Korea. The bureau will be led by an ambassador-at-large, while a separate special envoy for critical and emerging technology will be named as well.

The goal is to ensure technology works to promote democratic values, fight back against disinformation, and prevent the misuse of surveillance and cyberattacks, Blinken stated in a speech at the Foreign Service Institute on Oct. 27.

"On cyberspace and emerging technologies, we have a major stake in shaping the digital revolution that's happening around us and making sure that it serves our people, protects our interests, boosts our competitiveness, and upholds our values," he said. "We want to prevent cyber attacks that put our people, our networks, companies, and critical infrastructure at risk. We want the internet to remain a transformative force for learning, for connection, for economic growth, not a tool of repression."

The move follows major attacks that have targeted US companies and government agencies. Breaches of remote network management firms SolarWinds and Kaseya allowed state-linked actors to steal data and infect systems with ransomware. Cybercriminals shielded by countries such as Russia have targeted companies and local government agencies with ransomware, including an attack on Colonial Pipeline that caused fuel shortages in the southeastern United States.

However, focusing only on daily threats and large breaches will not deliver a safer online ecosystem, and the US and other nations must work together, argued Chris Inglis, the United States' first national cyber director, in a Wall Street Journal opinion piece, published today.

"National cyber policy must be driven not only by the crimes and disruptions it seeks to prevent, but by the goals it seeks to achieve," he stated. "Our shared digital ecosystem brings with it shared threats leaving us no choice but to cultivate a shared defense. If we focus on a shared vision of our digital future, we can seize the initiative from malign cyber actors."

The creation of the new bureau is part of the Biden administration's focus on emerging technologies and threats, which includes not just cybersecurity, but also climate change and critical infrastructure threats. The effort to reform government agencies to better shape international behavior through diplomacy is one of the key pillars identified by the Cyberspace Solarium Commission, whose March 2020 report has largely become a playbook for this and the previous administrations.

This report called for an assistant secretary of state to head a new Bureau of Cyberspace Security and Emerging Technologies to lead the government's diplomatic efforts, strengthen international norms in cyberspace, and reinforce nonmilitary tools for deterrence.

The Cyber Diplomacy Act of 2021 (HR 1251), which would establish the authorities of this new office, already passed the House in April with six Democrats and four Republicans co-sponsoring the legislation. However, other versions of the bill, such as HR 3776, were previously introduced during the Trump administration. The Senate referred the latest bill to the Committee on Foreign Relations.

The fact that the office will be created through legislation bodes well for the longevity of the position and hopes that it will be adequately financed, says Scott R. Anderson, a fellow in governance studies at The Brookings Institution.

"It settles the issue," he says. "Up until now, cyber has been bounced around, assigned as the responsibility of a bunch of different positions. Putting it in legislation really ups the cost of any future changes beyond what Congress has laid out."

In addition, creating a high-level position dedicated to cyber, and designating the leader as an ambassador, will raise its profile in the international community. 

"The Ambassador is expected to go out on the road and, with at least one special envoy focused on specific issues, underscore that this is really intended to be a hub for global engagement around these issues," Anderson says.

The Biden administration is currently working with lawmakers to prioritize passage of the bill, said Maine Senator Angus King, co-chairman of the Cyberspace Solarium Commission, in a statement sent to Dark Reading.

"We are in complete alignment with the Biden administration's approach, which is exactly the kind of move we need to better coordinate cyber diplomacy and set international norms around cybersecurity," he said. "In particular, we were pleased to hear that the new bureau will be responsible for overseeing international cybersecurity, digital policy, and digital freedom while matters of critical and emerging technology will be handled by a separate special envoy."