Cyber Diplomacy Act gives cyber the importance it needs at the State Department

A bill from a strong bipartisan group of House members may reinstate and elevate a version of the cyber coordinator position eliminated as part of Secretary of State Rex Tillerson’s controversial “redesign” in July. The bill recognizes the degree to which protecting security in cyberspace and promoting digital communications as a vital economic, social, and political bridge have become critical to the mission of the U.S. government.

The bill is the Cyber Diplomacy Act of 2017, sponsored by the chair and ranking member of the House Foreign Affairs Committee (Republican Ed Royce of California and Democrat Elliot Engel of New York, respectively), House Homeland Security Committee Chairman Mike McCaul (R-Texas), and several senior members on both sides of the aisle in these two committees. The bill was introduced Sept. 14 and reported out of the Foreign Affairs Committee by voice vote Nov. 15.

The bill would create an “Office of Cyber Issues” within the Department of State. This effectively reinstates the office formerly headed by Christopher Painter and disbanded in July. It creates a Senate-confirmed position with ambassadorial rank to head the office. The office would be placed under the undersecretary for political affairs, though it can report to “an official holding a higher position.” The bill would permit elevating the office to a bureau in its own right headed by an assistant secretary.

The Office of Cyber Issues would be charged with leading “the Department of State’s diplomatic cyberspace efforts generally” across a spectrum of cybersecurity and cyberspace issues as well as digital economy and internet issues. The office also would advise the Secretary of State and senior officials on these issues. The bill includes a broad endorsement of continuity in U.S. policies in these areas, reciting a number of key developments in international policy beginning with the 2011 International Strategy for Cyberspace  and reflecting these with a declaration that

“the policy of the United States to work internationally with allies and other partners to promote an open, interoperable, reliable, unfettered, and secure internet government by the multistakeholder model which promotes human rights, democracy, and rule of law, including freedom of expression, innovation, communication, and economic prosperity, while respecting privacy and guarding against deception, frauds, and theft.”

As I wrote at the time, the elimination of the cyber coordinator position had the effect of downgrading cyber issues at the State Department just as these issues are constantly increasing in importance and the department is called on to play an important role. The advancement of the Cyber Diplomacy Act of 2017 comes just as the State Department is in the final stages of White House and interagency clearance of the strategy for international engagement on cybersecurity called for in the May 11 executive order.

The July reorganization had the useful goal of reducing the number of direct reports to the Secretary of State and special envoys that reflect yesterday’s issues. But cyberspace is today’s issue and belongs on the secretary’s agenda. Indeed, the May executive order makes cabinet secretaries accountable for managing cybersecurity within their agencies. This is appropriate to the mission-critical nature of the risk and a trend in the private sector bring oversight of cybersecurity into the boardroom and c-suites. (This approach also should apply to policy oversight in departments with key cyber roles like State, Defense, and Commerce.)

One drawback to the bill is subordinating the Office of Cyber Issues to an undersecretary. Protocol matters in diplomacy, and this has the effect of reducing the diplomatic status of the position when the U.S. needs to be be able to elevate cyber issues with diplomatic partners. A number of countries now have officials with cyber portfolios at a ministerial level. As a direct report to the secretary of state, Painter was able to be an interlocutor for the U.S. at a high level.

For a Brookings paper a little over a year ago on the challenges of balancing economic and political policies with national security in the digital arena, I considered whether the cyber coordinator should be reassigned to the “E bureau” (Economic Affairs, Energy and Environment), as proposed in legislation introduced in 2016, in order to give greater weight to the economic and political side of the balance. Ultimately, I concluded the position should not be moved because of its secretarial reporting relationship, the visibility and weight on the security side that the E bureau lacks, and the ability to coordinate across the State Department’s bureaus and functions.

By contrast, placement within the Political Affairs bureau adds to challenges of coordination. Under the July redesign, the functions and staff of the cyber coordinator have been reassigned to deputy assistant for international communications and information policy (with “cyber” added to this title), which is within the E bureau. This position also carries ambassadorial rank and has an important role in diplomacy within international organizations — especially those involved in internet governance. The Office of Cyber Issues would need to coordinate closely with this office, as took place when the office of cyber coordinator was was in the office of the secretary.

If the bill passes in its present form, a secretary of state could avoid these drawbacks by making the head of the office a direct report. Since it seems doubtful that Tillerson would undo what his office did so recently, bill sponsors should consider strengthening the provision enabling reporting to higher officials.

The Cyber Diplomacy Act of 2017 reflects that cybersecurity policy has been a subject of rare bipartisan agreement. The bill incorporates a recommendation from the December 2016 report of the Commission on Enhancing National Cybersecurity that the president appoint an “Ambassador for Cybersecurity.” That report also made international engagement one of its broad imperatives, and urged more alignment of federal cybersecurity management with the National Institute of Standards & Technology Cybersecurity Framework. In reinforcing commitment to the NIST framework and putting international cybersecurity engagement on the administration agenda, the Trump administration’s May executive order took the same course. In turn, descriptions of the forthcoming international engagement strategy sound like they will reaffirm existing policies in terms similar to those in the cybersecurity commission report and in the draft bill.

The U.S. government will be in a better position to carry out that strategy with a fully empowered Office of Cyber Issues able to represent the full range of issues involved.