Secretary of State Rex Tillerson announced his plans for another restructuring within the State Department’s cybersecurity offices, but lawmakers, including the Republican chairmen of the House Foreign Affairs and Homeland Security committees, are pushing back and moving forward with a bill they say would better position an embattled cyber role within the department’s hierarchy.
In a letter sent Tuesday to House Foreign Affairs Committee Chairman Ed Royce (R-Calif.), Tillerson announced his decision to merge the department’s Office of the Coordinator for Cyber Issues and the Bureau of Economic Affairs’ Office of International Communications and Information Policy.
The head of the new office, the Bureau of Cyberspace and the Digital Economy, will be elevated to an assistant secretary position that requires Senate confirmation. The new assistant secretary will report to the under secretary for economic growth, energy and the environment.
“The combination of these offices in a new Bureau of Cyberspace and the Digital Economy will align existing resources under a single Department of State official to formulate and coordinate a strategic approach necessary to address current and emerging cyber security and digital economic challenge,” Tillerson wrote in his letter.
Royce received the letter during a committee hearing on the Cyber Diplomacy Act, which if passed would have the coordinator for cyber issues report instead to the under secretary for political affairs, or an “official holding a higher position in the Department of State.”
Despite Tillerson’s announcement, Royce said he would like to move forward with the Cyber Diplomacy Act.
“I think this is a positive step, but we’re going to continue to work with the department and continue to work with our colleagues over on the Senate side to pass the legislation we’ve passed out of this committee to ensure that this assistant secretary and bureau is empowered to engage on the full range of cyber issues dealing with security and human rights and the economy,” Royce said.
The bill passed the House last September. If the Cyber Diplomacy Act passes the Senate and reaches President Donald Trump’s desk, the president could find himself deciding between Tillerson’s and Congress’ vision for the State Department cybersecurity workforce.
Tillerson’s announcement Tuesday marks only his latest reshuffling of the State Department’s cyber offices. Last August, Tillerson notified Congress he would eliminate the cyber coordinator position and fold that office’s responsibilities into the Bureau of Economic and Business Affairs.
The cyber coordinator, a position created under the Obama administration, was tasked with working with other countries on cyber issues, and served as the State Department’s cyber liaison to the White House and federal agencies. Chris Painter served as cyber coordinator since the role was created in 2011, but stepped down last July amid Tillerson’s restructuring.
Testifying before the House Foreign Affair Committee Tuesday, Painter also questioned Tillerson’s decision to alter the chain of command for cybersecurity issues.
“I think, frankly, there was maybe a lack of understanding of the importance of this issue,” he said.
When asked by lawmakers about the mission continuity of his old office, now that it’s been absorbed by the Bureau of Economic and Business Affairs, Painter said he viewed the reshuffling as a downgrade.
“We had a lot of momentum going, and for a six-month period or longer, that this was communicated that this was not a high priority has an effect, both with our adversaries and with our friends. I don’t understand why we did that,” Painter said. “When we have a strategy to make it even higher up, great, but why interrupt that in the interim?”
House Homeland Security Chairman Michael McCaul (R-Texas) also expressed reservations about this previous cyber reorganization by Tillerson, and like Royce, signaled his support for the Cyber Diplomacy Act over Tillerson’s new reshuffling.
“They said it was an interim step, but in my judgment, as I try to create a cyber agency within DHS, it almost appeared as if it was not a priority, if you’re merging it with another office like that. I would like to see a cyber office that makes it a priority,” McCaul said.
The new DHS cyber agency McCaul is working to create is the Cybersecurity and Infrastructure Protection Agency, which would replace the agency’s National Protection and Programs Directorate (NPPD). The new cyber office would report directly to DHS Secretary Kirstjen Nielsen.
In addition to Royce’s and McCaul’s support for the bill, Painter said he also supports the Cyber Diplomacy Act over Tillerson’s new reorganization plans.
“The way its reporting structure is through the economic under secretary, which given the breadth of these issues and the security issues, doesn’t make a lot of sense,” Painter said. “I think the bill’s statement that it should be through the political under secretary or higher makes a lot more sense as a cross-cutting issue. But I think that bill, frankly, helped motivate some of these changes and that’s good. We need to keep the pressure on.”
When asked by lawmakers about the state of the United States’ deterrence against cyber attacks, Painter said diplomacy serves as an important tool in the federal government’s toolkit.
Last week, White House Cybersecurity Coordinator Rob Joyce said diplomatic leverages can help in the “naming and shaming” of state and nonstate actors who are determined to be the cause of cyber attacks. But Painter said diplomacy can also mean working with other nations who have also experienced data breaches to take action against a common threat.
However, that solution, he said, appears unlikely to solve some problems, like the massive data breach of the Office of Personnel Management, where hackers stole sensitive personal information on more than 20 million current and former federal employees.
“I think one of the problems there is espionage,” Painter said. “Every country in the world does intelligence gathering. If that is classic espionage, if that’s what that was, that’s harder to deter, quite frankly, because you’re not going to have an agreement not to actually do intelligence gathering with other countries. But at the same time, that doesn’t forgive the fact that we need to harden our targets as much as possible. And when that happens, we don’t have to like it either. We can do things in response to it.”