2020 was a year of reckonings whose implications continue to unfold and spark calls for urgent remedial action. Cyber domain was no exception. The SolarWinds hack has prompted serious soul-searching about how it happened, and more importantly, what to do about it. Clearly there is a need to look inward and know far more about our IT supply chains, since we are only as strong as our weakest link. At the same time however, there is an equally pressing need to look outward and engage in the art of cyber diplomacy.
No country can go it alone successfully because cyber challenges transcend borders and so do the solutions. SolarWinds is a case in point. The perpetrator engaged in behavior that was reckless as to consequences. The modus operandi resulted in a breach of vast scope and scale, with effects and implications felt far beyond the principal targets of highest value for espionage and potential future exploitation. In this regard, the incident is destabilizing and demonstrates wanton disregard for the broader ecosystem.
A system without any guardrails is in no one’s interests. For this reason, the United States should reinvent and redouble its efforts to engage with allies and like-minded partners in order to shape more proactively and constructively our shared cyber future. Effectively executing such a push on cyber diplomacy as cyber issues take on ever-greater importance in international affairs will, however, require us first to better organize for success at home. In part this means elevating and marshaling cyber issues within a single focal point at the Department of State that is properly empowered and resourced to tackle them.
The idea is not new. In fact, the Cybersecurity Solarium Commission (on which one of us served) made precisely this recommendation in its March 2020 Report to Congress. The idea, emphasized and updated in a recent white paper, is to create a cyber ambassador with the rank and status of Assistant Secretary of State to lead a new Bureau of Cyberspace Policy and Emerging Technologies that is “designed and equipped to lead in forming an international coalition” to set expectations for behavior in cyberspace. The ambassador would also advocate for broader goals, including the digital economy, capacity building, combating cybercrime, and human rights as they relate to cyber policy. Working in tandem with partners on these issues can yield substantial benefits, such as helping to dissuade irresponsible cyber behavior and penalizing it when it does occur.
Collective action can make a difference. This is why joint attribution has become increasingly common after a cyber incident. The next step would be joint response. Acting in concert amounts to a force multiplier, resulting in the imposition of greater consequences and more substantial accountability upon actors that violate the fundamentals of a rules-based system. In working with allies, we are not ceding our ability to act in the country’s best interests, as we will always reserve the right and responsibility to do so. Pushing back jointly, however, can have greater impact than acting alone — whether in response to China and its campaign for global 5G dominance, or to Russia or others in manifold other contexts.
At the global level, raising many voices instead of just one does, however, require a lead in-country — especially in a nation-state such as ours with a complex governance structure involving multiple competing and overlapping centers of power and influence. Lawmakers have actually taken steps in this direction, such as by introducing the Cyber Diplomacy Act of 2019 (a version of which passed the House in 2018 but did not receive a vote in the full Senate). Among other things, the act sought to create the position of U.S. Ambassador for Cyberspace.
By comparison, Australia appointed its inaugural Ambassador for Cyber Affairs in January 2017, and Estonia created a Department for Cyber Diplomacy headed by an Ambassador at Large for Cyber Security in September 2019. These are just two examples, but other countries from Japan to France have similarly prioritized this portfolio. It is well past due for the U.S. Government to update its own architecture to similarly reflect and effectively enable the critical mission of cyber diplomacy.
Just last month, outgoing Secretary of State Pompeo approved the creation of a new Bureau of Cybersecurity and Emerging Technologies within the Department of State. Unfortunately, this was too little too late. What is needed moving forward is a higher-level initiative that supports the exercise of a crucial component of non-military power in a strategic and coherently integrated way. Encouragingly, reports indicate that such a measure is underway, and that Rep. McCaul will work to reintroduce the Cyber Diplomacy Act, which would address these very issues and concerns.
Playing catchup is not ideal, but it is not too late to up our game and accord technology its proper due in the realm of geopolitics. Doing so will enable the United States to lead in this area in concert with our allies. This is no time to be on the sidelines of cyber diplomacy.
Frank J. Cilluffo is Director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. He also serves as a U.S. Cyberspace Solarium Commissioner.
Sharon L. Cardash is the McCrary Institute’s Deputy Director for Policy.