By Kathryn Fitrell
As more of life’s everyday transactions move online, securing cyberspace has grown into a U.S. national security priority. For the past decade, the Department of State’s Office of the Coordinator for Cyber Issues (S/CCI) has led U.S. cyber diplomacy efforts.
While the Bureaus of Information Resource Management (IRM) and Diplomatic Security (DS) protect Department computer systems from malicious cyber activity, S/CCI manages international diplomacy in multilateral and bilateral forums. These forums build effective alliances to respond to shared threats in cyberspace, advocate for multi-stakeholder Internet governance, and preserve the open Internet against control by repressive states. Created in 2011, S/CCI also coordinates diplomatic communications and advises on the foreign policy implications of a range of U.S. government actions involving cyberspace, including cyber incident response and cyber operations.
“We have profoundly shaped the international security landscape on cyber policy to reduce the risk of conflict between states and promote a cyberspace that is open, interoperable, secure, and reliable,” said S/CCI’s Acting Coordinator Michele Markoff.
The United States, led by S/CCI, has shaped the United Nations (U.N.) negotiations around a framework for responsible state behavior in cyberspace. The framework affirms the applicability of international law, defines voluntary, nonbinding norms of responsible state behavior in peacetime, and calls for the development and implementation of practical confidence-building measures to reduce the risk of conflict stemming from cyber incidents.
The U.N. General Assembly has repeatedly affirmed this framework, articulated in three successive reports by U.N. Groups of Governmental Experts (GGE) in 2010, 2013, and 2015.
“The United States has done more than any other country to advance international security in cyberspace,” said Markoff, who has served as the U.S. expert on each of the GGEs.
Former Deputy Secretary of State John Sullivan called the framework “the signature accomplishment of cyber diplomacy in the last decade.”
2021 will be a pivotal year for countries to further advance the framework as two U.N. processes are set to conclude this year: a GGE on “Advancing Responsible State Behavior in Cyberspace” and an “Open-Ended Working Group on Developments in the Field of Information and Communications Technologies in the Context of International Security.” S/CCI is working hard to advocate for progress and, if possible, consensus through the U.N. processes. This work carries on despite efforts by the Russian Federation and the People’s Republic of China (PRC) to block consensus and advance digital authoritarianism.
S/CCI’s engagement extends beyond the U.N.: the office leads more than a dozen bilateral and sub-regional cyber policy dialogues. S/CCI also collaborates with regional security organizations on cyber confidence-building measures to implement practical mechanisms to reduce conflict, including in the Organization for Security and Co-operation in Europe, the Organization of American States, and the Association of Southeast Asian Nations Regional Forum.
Despite the progress that cyber diplomats have made, not all states play nice. States have used cyber tools to target critical infrastructure, attempt to interfere in elections, surveil and harass opposition figures, and steal trade secrets for commercial gain. During the COVID-19 pandemic, malicious cyber activity against the healthcare sector has increased, impairing the ability of hospitals and healthcare systems to deliver critical services and threatening the integrity and confidentiality of vaccine research. In April 2020, former Secretary of State Mike Pompeo was quick to warn adversaries against such activity when the Czech Republic announced threats of cyber attacks against its healthcare system. A month later, the United States condemned attempts by PRC-affiliated actors to steal American COVID-19 research.
To maintain stability in cyberspace, the Department led an interagency working group to establish a whole-of-government playbook for calling out and, where necessary, imposing consequences on states that act contrary to the U.N.-endorsed framework. Thus far, consequences have included coordinated public attributions, targeted economic sanctions, criminal indictments, and the exposure of adversary cyber capabilities to degrade their effectiveness.
“We’ve had significant results and gotten better, stronger, and faster with public attributions,” said Markoff. “Public exposure changes an adversary’s calculus on whether the costs of malicious cyber activity are worth the reward.”
Future cyber attacks that impact U.S. national security could be met with additional consequences at the president’s discretion.
S/CCI has developed a steadily expanding coalition of like-minded countries to call out states for malicious cyber activity. During a 2019 ministerial meeting at the U.N., 28 states pledged to “work together on a voluntary basis to hold states accountable when they act contrary to” the framework for responsible state behavior in cyberspace. Last February, 19 states and the European Union joined the United States in publicly attributing and condemning a cyber attack by Russian military intelligence against the country of Georgia, one of several public attributions conducted last year.
The transnational nature of cyberspace demands international cooperation. S/CCI works closely with the U.S. interagency, like-minded foreign governments, regional and global organizations, and federally funded research and development centers to develop and implement cyber capacity building programs that assist partner nations in addressing threats of mutual interest.
Since 2014, S/CCI has directed $9.2 million of economic support funds to enhance partner nations’ cyber defense and policymaking capacities. This assistance has been instrumental in expanding U.S. partners’ understanding of cybersecurity best practices and the framework for responsible state behavior in cyberspace; consequently, many of these nations have engaged more productively in international cyber negotiations, including at the U.N.
Seamless coordination within the Department is essential to make progress on cyber issues. S/CCI relies on the more than 150 cyber policy officers at U.S. diplomatic missions worldwide and on cyber officers in each regional bureau to help engage with foreign governments and other partners. The office has hosted global training and partnered with regional bureaus for in-country workshops. Building on the success of a joint October 2019 workshop, S/CCI is working with the Foreign Service Institute to expand cyber diplomacy training, so U.S. diplomats will be better equipped to advocate for and implement U.S. cyber policy.
“This is clearly a discipline in which the Department should and does have a leading role,” said Markoff. “For foreign policy practitioners, cyber represents a chance to shape the cutting edge of U.S. policy.”
Kathryn Fitrell is a senior policy advisor in the Office of the Coordinator for Cyber Issues.