US State Department opens cybersecurity policy bureau

The US State Department this week launched an agency responsible for developing online defense and privacy-protection policies and direction as the Biden administration seeks to integrate cybersecurity into America's foreign relations.  

"The last few years have made evident how vital cybersecurity and digital policy are to America's national security," said Secretary of State Antony Blinken during a ribbon-cutting ceremony for the new Bureau of Cyberspace and Digital Policy (CDP). "We're in a contest over the rules, infrastructure, and standards that will define our digital future." 

The CDP includes three policy units that will focus on international cyberspace security policy, international communications and information policy, and digital freedom, which the State Department says includes protecting privacy and information on the internet. The bureau, which will be overseen by a Senate-confirmed cyber ambassador, opened its doors at a time when physical warfare threatens to bleed over into cyberwarfare.

"In light of the Russian invasion of Ukraine and a virtually endless cycle of threat campaigns and vulnerability disclosures, the timing of this announcement couldn't be any better," said Teddra Burgess, SVP for public sector at endpoint security firm Tanium, in an email to The Register.

Still, the agency faces challenges from inside the US and externally as it works to accomplish its expansive mission.

Global cybersecurity policy attempts

The primary CDP unit will focus on negotiating global cybersecurity policy, engaging with partners on threat management and operations, and capacity building.

"Particularly in working with nation states that are developing, capacity building needs to be their own law enforcement organizations being trained on how to conduct cyber forensics and capacity building as it relates to securing critical infrastructures in those countries that touch the rest of the world like finance and telecommunications," said Tom Kellermann, VMware's head of cybersecurity strategy. 

Kellermann is also a global fellow for cyber policy at the Wilson Center and a professor of international affairs at American University. He called the new bureau "a historic step forward to create a collective defense of international cyberspace and to disrupt the activities of international cybercrime cartels."

And he told The Register that building a collective defense against nation-states including Russia, China, North Korea, and Iran, and disrupting the criminal activities of cyber-cartels will be a top task for the CDP.

"There are four rogue nation states in this world that treat their cyber-criminal communities as national assets, have created protection rackets around those communities, and who use those communities to directly offset economic sanctions from the West," Kellermann said.

"The only way you're going to put pressure on that is to galvanize the remainder of the world to go after the tendrils of those cybercrime cartels if and when they exist within their sovereign boundaries," he added.

• Google: Russian credential thieves target NATO, Eastern European military
• Expect 'long tail of cyber retaliation' from Russia for sanctions, says ExtraHop CEO
• UK Cyber Security Centre advises review of risk posed by Russian tech
• UK spy boss warns China hopes Russia will help it take over tech standards

At launch, the new cybersecurity agency has a staff of more than 60 people, mostly from the former Office of the Coordinator for Cyber Issues (S/CCI) and the Bureau of Economic and Business Affairs' International Communications and Information Policy (EB/CIP) offices. 

The State Department also plans to create more than 30 new full-time positions for the bureau this year, and it requested funding to support additional positions in the FY 2023 budget, a spokesperson said.

Why Senate confirmation matters

One of its first hurdles will be the Senate confirmation of what the State Department calls an "ambassador-at-large" to lead the agency. Right now, Jennifer Bachus, a career foreign service diplomat, is serving as the principal deputy assistant security for the CDP and will lead the bureau until the Senate confirms an ambassador.

While Senate approval is never a slam dunk, recent cybersecurity appointees and regulations have enjoyed bipartisan support — likely boosted, in part, by recent cyberthreats from Russia. 

"It's a bipartisan agreement that cyber is the Achilles heel of the American economy and American national security," Kellermann said. "Yes, some people will grandstand given it's an election year, but beyond that, it's critically important to have this person be appointed and blessed by the Senate, much like Chris Inglis was as the first-ever director of national cybersecurity."

Putting the new agency's ambassador under the Senate's purview gives the title more authority, said Cisco's Senior Director for technology policy Eric Wenger, who leads the networking giant's  global government affairs work. 

Senate confirmation "will then endow that person with authority that they can speak at a very high level on behalf of the US government and sit across the table from counterparts of theirs that will have similar titles and authorities," Wenger told The Register. 

"This is an important role for the State Department to be playing," he continued. "It's an important signal to our strategic partners who are allies, and even to our adversaries that we take these issues very seriously."

Will Congress step up?

Still, there's no guarantee the cybersecurity bureau won't be dismantled by future administrations. 

Wenger said he's had conversations with other nations' officials who created similar roles within their governments based on the US example. But that was before the Trump administration axed a similar cybersecurity bureau with a high-ranking cyber diplomat. 

"Not having a counterpart in the United States actually puts us at a disadvantage," Wenger said. "It's a little like having one walkie talkie: you have to have somebody you can talk to on the other end that is of a similar level of authority and expertise."

This speaks to the importance of Congressional leadership in establishing a more permanent cybersecurity bureau under the State Department, Wenger added. 

"It would be a useful step for Congress to codify these things so that they're not subject to the changes in one administration to the next," he said. "Putting this into a statutory frame gives it a degree of permanence."

And according to James Hayes, VP of global government affairs at cyber-risk exposure firm Tenable, the new bureau should quickly work to establish a public-private partnership arrangement. 

"A private sector advisory committee can help the new organization identify near-term economic opportunities and security best practices globally," Hayes said. "Cybersecurity requires an all-of-nation investment and that means public-private cooperation." ®