The Trump administration seems to want it both ways on cybersecurity policy. On one hand, the White House has ordered the State Department to study and report on the United States’s “international engagement strategy” for cyber issues, signalling it takes the issue seriously. Yet Secretary of State Rex Tillerson’s ongoing State Department reorganization hobbles U.S. cyber diplomacy by downgrading the central coordination office for international outreach on cyber issues. State’s report may prove a harbinger in how the administration will resolve the tension of wanting to demonstrate international leadership on cyber diplomacy while simultaneously upending the State Department.
The Trump administration’s cybersecurity executive order (EO) got good reviews after its debut on May 11 but its promise remains unfulfilled. Among other directives to an array of federal agencies, the order directed the secretary of state to report on the department’s international cybersecurity priorities. The EO requires that State issue a formal report on attribution and cyber threat information sharing within 45 days (making the deadline June 25, 2017). The order further directed State to provide a report to the president detailing an engagement strategy for international cooperation in cybersecurity, to be submitted 90 days after the first report. The 90-day deadline ran out on September 24.
Nobody seems able to say whether the State Department has complied by producing the report.
At least one component of State Department reorganization may hinder its ability to meet these deadlines: the closure of the cyber diplomacy office. Christopher Painter, the coordinator for cyber issues, left the State Department at the end of July, and the administration has not moved to replace him. In an August 30 letter to the Chairman of the Senate Foreign Relations Committee, Tillerson identified the cyber coordinator as one of 35 special envoys whose positions would be downgraded as part of a move to “eliminate redundancies.” The cyber coordinator would presumably have played a lead role in preparing the EO reports. Tillerson proposes to fold the cyber coordinator portfolio and the 23 staff members of the coordinator’s office into the Bureau of Economic and Business Affairs (EB).
In July, Cameron Kerry wrote that the move to EB would hamper the office’s efforts to coordinate diplomacy on cyber security by limiting government experts to talking only with their foreign counterparts who work on economic affairs. In September, Deputy Secretary of State John Sullivan testified before the Senate Foreign Relations Committee that downgrading the cyber coordinator was only the “first step” in the State Department’s new approach to cybersecurity and that senior officials planned to elevate the issue to a “high-level” in the department.
For its part, Congress seems to doubt that State will prioritize the issue. In August, democrats on the Foreign Affairs committee filed an amendment to a State Department appropriations bill that would prevent any funds from being used to close the cyber coordinator’s office or merge it with any other bureau. And, a coalition of Congress members focused on cybersecurity introduced a bill in August called the “Cyber Diplomacy Act” that would create an Office for Cyber Issues and an ambassador to head U.S. diplomatic efforts on cyber-related topics. The legislation would also require the Secretary of State to create a strategy for U.S. engagement in cyberspace. But even if these bills were to pass, the State Department may not even be appropriately staffed to meet its obligations under the executive order—let alone to promote U.S. diplomatic efforts on cyber issues more broadly.
There is ample evidence diplomacy matters on these issues. For example, over the summer, the U.N.’s Governmental Group of Experts deadlocked on whether international law applies in cyberspace, stopping progress on creating international norms about self-defense and proportionality in cyber operations. An enfeebled, directionless State Department will not be able to wrestle with Russia and China at the U.N. or even to articulate a strategy to lead our allies.
Congress is beginning to take up the matter. On August 30, Senators Ron Johnson and Claire McCaskill, the chairman and ranking member of the Senate committee that oversees cybersecurity and federal IT, sent a request to Tillerson for the two EO reports. According to committee staff, the chairman has not released any public information about whether State has responded.