Written by Andy Taylor
This week the State Department formally notified Congress of its long overdue plan to establish a new Bureau for Cyberspace Security and Emerging Technologies. This news, which was expected for almost a year, should in theory be welcomed by lawmakers.
In 2018, the Republican-controlled House grew so frustrated with former Secretary Rex Tillerson’s plan to abolish the State Department’s cybersecurity coordinator – the country’s top cyber diplomat – that it passed legislation to not just reconstitute the position but actually elevate its stature and responsibilities. This rare rebuke of the administration by the president’s own party could have been rectified by Tillerson’s successor, Mike Pompeo. Instead, the department’s latest plan may be worse than Tillerson’s.
There are two fundamental and related problems with the department’s proposed cyber bureau. First, the bureau’s focus is far too narrow. By limiting the scope of the bureau’s purview to security – and excluding the digital economy, internet freedom, and other U.S. cyber priorities – the head of the new bureau will have limited responsibilities. Currently, the department’s cyber and digital economy functions fall under the same office. However, the department intends to separate the functions across two bureaus. This separation will inevitably lead to bureaucratic turf battles over issues that do not fall neatly into the security or economic categories. Take the case of Chinese telecommunications giant Huawei, which America’s diplomats are actively pressing our allies to exclude from their 5G networks. Is this a security or commercial issue? The answer is both.
Second, the new bureau will report through a security-focused chain of command with a nebulous mandate to cover “new technologies.” Last September, the U.S. Chamber of Commerce and other business organizations wrote a letter to Senate leadership urging the bureau to report to the undersecretary for political affairs rather than the undersecretary for arms control and international security affairs. The business community is rightly worried that the culture and record of the department’s “T family” (the collection of bureaus that report to the undersecretary for arms control and international security) could take a regulatory approach toward new technologies in the name of security. For example, the T family was behind a botched negotiation in 2013 to update the Wassenaar Arrangement, a multilateral export control regime of which the U.S. is a member. A letter led by the bipartisan co-chairs of the House Cybersecurity Caucus raised concerns that the department agreed to a definition of intrusion software under the arrangement that was broad to the point that it included a number of products regularly used for cybersecurity research and defense, thereby impeding rather than improving the nation’s cybersecurity.
Balkanizing interrelated cyber functions across the department’s already vast bureaucracy and elevating only the security functions through an ill-equipped chain of command will diminish the effectiveness of U.S. cyber diplomacy. Fortunately, the department does not have to reinvent the wheel to find a more effective model. The coordinator for cyber issues is currently housed within the Office of the Secretary, giving the position prominence and making it well-placed to ensure cross-department coordination (hence the title). This neutral reporting chain ensures the coordinator does not give too much attention to cybersecurity over other cyber priorities, such as internet access and cybercrime. This structure also optimizes the coordinator’s ability to reach across the department to both provide assistance and seek input without running into bureaucratic barriers. An alternative approach, proposed by the leaders of the House Foreign Affairs Committee, calls for a bureau to report to the undersecretary for political affairs – another neutral position – or higher, including the secretary or deputy Secretary. The benefit of this approach is that it would give the bureau direct access to key decision makers on the State Department’s seventh floor and send strong signal that its leaders recognize and value cyber diplomacy.
The future of war, politics, and the global economy will be dominated by cyberspace and technology. China is aggressively pushing its authoritarian vision of “cyber sovereignty” that directly threatens the open, interoperable cyberspace the U.S. has long championed. Russia, meanwhile, recently adopted a new sovereign internet law to literally disconnect itself from the worldwide web. America must continue to lead the international effort to shape the rules of the road in cyberspace.
People and policy structures matter to America’s ability to confront these challenges strategically and persuasively, and the department’s current approach falls short. Congress should push for a better arrangement that both elevates the department’s important cyber mission and advances the full range of America’s interests in cyberspace.
Andy Taylor worked in the U.S. House of Representatives from 2010-2019, most recently as the chief economic advisor on the House Foreign Affairs Committee Republican Staff, where he covered international cyber and technology policy.