International-Shminternational: Why Keeping the Cybersecurity Coordinator’s Office at the U.S. Department of State is Important

By Phil Reitinger

A little over six years ago, the United States Department of State led the world in creating the first foreign affairs cybersecurity policy office.  The Cybersecurity Coordinator, and his or her office, would report directly to the Secretary.  Groundbreaking at the time, there are now over twenty such offices in foreign ministries worldwide.  On July 18, we learned that Christopher Painter, the first Cybersecurity Coordinator, was leaving his office, and it appears there is an effort to bury this activity deep within a component of the State Department.  That does not make sense.

Six years ago, cybersecurity risk was endemic among less strongly-secured systems.  Now it is epidemic.  Regardless of the attribution of any particular attack, it is clear that state-sponsored actors are taking an ever more active role online.  Deterrence is not yet broadly effective at preventing attacks, but diplomacy can be.  Even where there is no state actor, such as private cybercrime, diplomacy plays a significant role: international consensus that there must be “no safe havens” for cybercrime, first advanced in the Group of Eight during the late 1990s, has become more critical to enable effective legal response.  Building international consensus is a core mission of the Department of State.

It is hard to find any part of cybersecurity that does not both affect and be influenced by international law and policy.

Some have argued that keeping the Office of the Cybersecurity Coordinator only makes sense if the Trump Administration “makes cyber diplomacy a foreign policy priority,” which is “not the case.”  I understand the point but disagree.  Leaping from Administration distaste for certain elements of cyber diplomacy (e.g., reported Russia interference in elections) to concluding that the office responsible for that should be effectively dismantled is an intellectual pirouette.  The question is not whether the Administration agrees or disagrees with past cyber diplomatic policies, but whether international issues regarding cybersecurity and privacy are growing – they unquestionably are – and whether that requires effective representation of the United States and its policies.  Even if those policies were that less attention should be devoted in international circles to cyber policy, making that case internationally itself requires effective representation in a world in which efforts such as the European Commission’s General Data Protection Regulation and the Network Information Security Directive are advancing.

Moreover, I’m not at all convinced that the Administration’s view is that less attention should be paid to international cyber policy.  I’d bet that the Administration is of the view that U.S. cyber policy should focus on protecting the U.S. and advancing its economic interests, and that international cyber policy should pay more deference to state sovereignty even in a world where the Internet challenges sovereignty.  I’d suggest a different policy, but no matter, whatever the policy is it must be advanced in multiple fora or decisions will be made without U.S. influence.

In short, if the Administration doesn’t like the prior Administration’s international cyber policy, the current Administration should change that policy.  The Trump Administration should dismantle the program responsible for advancing international cyber policies only if it thinks the issue is of falling importance or that U.S. interests won’t be harmed by ignoring the issue.  I can’t imagine that either is the case.

Last, this isn’t about deck chairs.  If the State Department wants to reduce the number of direct reports to the Secretary, I understand that even though a recent report from CSIS  recommended that the office should be made a bureau and the Coordinator elevated into an ambassador-at-large.  But if the Office of the Cybersecurity Coordinator is to be relocated, careful attention must be paid as to where it should be placed to be effective.  If the Cybersecurity Coordinator (or whatever the position is called) reports to a person who reports to a person who reports to a person who reports to a person who reports the Secretary, I am concerned that she or he may have insufficient influence to negotiate with international “counterparts.”

A final note – I’d give this same advice to any country, not just the U.S.  If you want to advance your national interests in cyberspace, you need resources and relationships.  Full stop.

The United States cannot operate as if cyberspace were its exclusive domain.  Nor is patrolling “the border” as easy in cyberspace as it is in the physical world, even given the great challenges present there.  Internet communications not only tie us together as a global community, they expose our critical infrastructure and the foundations of our economy to people and systems outside the United States. Responding to cybersecurity risk inherently requires international action, action supported by the Office of the Cybersecurity Coordinator.

The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.