The Making of a Cyber Diplomat

| Michael Sulmeyer and Gabriella Roncone
Michael Sulmeyer
Director, Belfer Center's Cyber Security Project, Harvard University
Gabriella Roncone
Research Assistant, Belfer Center's Cyber Security Project, Harvard University

By now, you’ve probably heard the news that the U.S. State Department is losing its top diplomat on issues relating to cybersecurity, Chris Painter. In addition, the rumors are that those associated with Painter’s Office of the Cyber Coordinator will be reassigned to the Bureau of Economic and Business Affairs. We hoped to get an idea about what’s next for cyber issues at the State Department from Painter himself, as he was supposed to testify on July 26 before the House Foreign Affairs Committee. However, that hearing was postponed.  Here, we offer our own thoughts about the future of cyber diplomacy and how the Trump Administration can move forward.

Cyber diplomacy thus far has been a careful balance of promoting both the U.S.’s interests and values in cyberspace. Obvious as it may sound, we think that the next step for the Trump Administration should be to consider and then explain the interests and values it wants to pursue. Although anything is possible, they may well come out similar to past Republican and Democrat administrations. But now is the time to turn ambiguity into clarity and to ensure we continue to channel our considerable diplomatic heft towards the pursuit of core interests and values.

Balancing Our Interests and Values

One of the great characteristics about American foreign policy is that historically, it represents not just our national interests, but our values as a nation too. U.S. decisions about how to engage with the world almost never are about furthering one or the other. The State Department plays a critical role in not only contributing to the design of American foreign policy that balances interests and values, but also how to explain that balance to the world. Chris Painter and his Office of the Cyber Coordinator was charged with this mission for technology and cyber issues for much of the last eight years.

Striking the balance between values and interests is not easy. Secretary of State Rex Tillerson talked about both in remarks to State Department employees on May 3rd. In his speech, he cautioned against placing too much emphasis on values. Senator John McCain (R-AZ)  rebuffed Tillerson a few days later in a New York Times op-ed, declaring that foreign policy becomes “simply transactional” when values become heavily subordinated to interests.  Even at this level of abstraction, getting the language right is tough – and we haven’t even started looking at real policy.

It’s easy to say that foreign policy, when it comes to cybersecurity, should reflect U.S. interests and values. Of course, there will always be tradeoffs. But the international climate today on a wide-range of topics related to data, technology, and cybersecurity needs the U.S. to hold the line for values. Values, like freedom of expression and association, are under assault online, and much of the world is looking to U.S. leadership for guidance. When countries try to block the use of virtual private networks (VPNs), proxies, and Tor to access outside internet content, as the Russian Duma just did, they are trying to stifle what their citizens can learn and how they can express themselves.

We decided to take a look back at the last two presidential administrations to see what interests and values they articulated when it came to cyberspace and cybersecurity.  The George W. Bush administration said relatively little. But a closer look at the 2003 National Strategy to Secure Cyberspace shows the administration speaking to both interests and values, albeit not equally. The interests outlined are not surprising; they include preventing cyber attacks against America’s critical infrastructures, reducing national vulnerabilities to cyberattacks, and minimizing damage and recovery time from cyber attacks that do occur. Values were also sprinkled throughout the strategy document, noting that civil liberties and privacy values needed to be protected. It also gave early voice to a phrase we would come to hear much more of in the subsequent 14 years: that cybersecurity and personal privacy need not be opposing goals. Towards the end of the Bush Administration, the president signed National Security Presidential Directive 54 (NSPD-54), which reiterated and expanded upon the interests articulated in the 2003 Strategy.

When the Obama Administration took office, it commissioned a rapid 60-day Cyberspace Policy Review. It emphasized pursuing American interests in cyberspace along with American values: “The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights.” In that, it was fairly consistent with the Bush Administration’s approach.

But the Obama Administration’s commitment to American values online took a big step forward in January 2010 when then-Secretary of State Hillary Clinton delivered a critical speech on Internet freedom. She noted that in a previous exchange, Obama had “defended the right of people to freely access information, and said that the more freely information flows, the stronger societies become.” Secretary Clinton also warned that the same tools that bring prosperity and innovation can also be “exploited to undermine human progress and political rights.”  In one sentence, she made clear for the first time America’s commitment to its values abroad: “We stand for a single internet where all of humanity has equal access to knowledge and ideas.” She went on to describe how freedom of expression applies in a digitally-connected world, and channeling her inner Winston Churchill, warned of a new “information curtain” descending across those parts of the world that aimed to stifle speech online. While not everyone subscribed to the tenants of this speech, it marked the starkest expression from a U.S. policymaker about how American policy would reflect our values, not just our interests, on the internet.

Subsequent Obama Administration policy reflected the values espoused in this speech – especially in the 2011 International Strategy for Cyberspace). But Obama had to pull off his toughest balancing act after the Edward Snowden disclosures [the former NSA contractor who leaked classified information in 2013]. In his January 2014 speech in the aftermath of these disclosures, he carefully threaded the needle to impress upon the American people how important civil liberties remained to his administration. He made sure to assert, though, that very real dangers persisted that warranted continued aggressive surveillance abroad. Going forward, “we have to make some important decisions about how to protect ourselves and sustain our leadership in the world, while upholding the civil liberties and privacy protections that our ideals and our Constitution require,” Obama stressed. “We need to do so not only because it is right, but because the challenges posed by threats like terrorism and proliferation and cyber-attacks are not going away any time soon.”

Rules of the Road

If previous administrations have sought to pursue both interests and values in cyber-related diplomacy, how have they gone about doing it? One of the most consistent expressions of those priorities has been the U.S. commitment to pursue peacetime norms of state behavior in cyberspace. Indeed, it is now almost cliche for leaders to call for such international norms or “rules of the road” to guide state behavior in cyberspace. Note that these norms are means, not ends – leaders believe that they will, if successful, reduce the risk of conflict in cyberspace.

Reducing that risk is important, especially to U.S. policymakers, because the United States has so much to lose if a conflict in cyberspace occurs. In part, this is because the internet was born here, and our companies and our infrastructure were first to connect to it. While there should be no doubt that United States has impressive capabilities to impose costs in cyberspace, it is vulnerable to attack when others use those same capabilities against us.

Former Secretary of State John Kerry articulated these norms in a 2015 speech in South Korea. He proposed that states should:

  • not conduct cyber activity that could damage another state’s critical infrastructure, not interfere with cyber emergency response teams,
  • not conduct or support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information for commercial gain,
  • mitigate any malicious activity coming from its soil in a transparent way, and
  • help each other when hurt by cyber attacks.

Current events suggest that this attempt at establishing norms may not have been universally adopted.  A cyber attack that turned the lights off in Ukraine may be the starkest example. But states not always acting in accord with these principles does not mean that the principles are unwise or that they are not worth promulgating and even proselytizing. Eventually, acting contrary to them might become the subject of international condemnation and delegitimization. And other than money spent on diplomatic travel, pursuing consensus around these norms costs the U.S. relatively little. So there are reasons why the norms agenda needs to be on the table for the State Department going forward.

It is also important to look critically when a state changes its behavior in ways that may, at first blush, appear to be in accordance with one of these norms. Doing so allows an understanding of deeper dynamics that may be at work. Some in the Obama Administration credited their norms agenda for China’s surprise commitment to refrain from stealing U.S. intellectual property for private, commercial gain. One private-sector research firm even released a report with some evidence indicating that Chinese hacking had indeed tapered off. Yet, we would be wise to remember that the United States had previously sanctioned five PLA officers for their hacking – a move that the Chinese vehemently objected to – and had threatened more punishment if their behavior did not change. China has also been undergoing an internal reorganization of its military to consolidate its cyberspace operators under one new organization. In this process of centralization, it is possible that leaders in Beijing reigned in some hacking as they came to understand a more complete picture of how hacking from China had been occurring.

What’s Next?

This is the right opportunity for the Trump Administration to take a step back and examine what it believes the U.S. core interests are today, and how these interests align or conflict with the “permanent values” Secretary Tillerson described in his May 3rd remarks. How does the Administration’s rhetoric of ‘America First’ fit with ongoing efforts to promote international stability? Do they conflict? Do they reinforce each other? Whatever is decided, the Trump Administration needs to determine how best to articulate publicly its conclusions.

The Trump administration has several choices about how to use its diplomatic tools to best effect cyber policy issues:

  • Should it affirm the Obama Administration’s norms, or propose others?
  • Should it include manipulating elections as a practice to be scorned?
  • How transparent should it be about calling-out states that act contrary to these principles?
  • How should the U.S. respond when others abuse technology and the internet to restrict the rights of their citizens and undermine human rights?
  • Should it pursue these or other initiatives in regional forums or focus more on bilateral arrangements, as Homeland Security Advisor Tom Bossert proposed in June?

These are only a small set of issues concerning international security about which the State Department needs to lead, with many others pertaining to economics, trade, and international governance.

Once the administration has a sense of the interests and values involving cyberspace that it wants to pursue, it should then consult close allies and partners abroad. It is beyond trite to say that we can’t go at this alone. Working with our friends abroad, early and often, to craft a new diplomatic approach is a necessary component to success. But if we merely present them with a fait accompli, we will have missed an important opportunity to reinforce these partnerships that have been years in the making.

Once the substance has been decided, messaging is important. The Secretary of State should plan a speech to articulate the administration’s vision. The American people need to hear it, as do our allies and partners abroad. But our adversaries need to hear it as well – and then they need to see concrete action to back up our commitments. Today’s discourse is too focused on means and methods by which the United States should or shouldn’t act.  While important, an updated explanation of U.S. interests and values in cyberspace is the best place to start, and where the Trump Administration needs to move next as it considers its diplomatic priorities.

CLICK TO ADD YOUR POINT OF VIEW

The Author is Michael Sulmeyer

Michael Sulmeyer is the Belfer Center's Cyber Security Project Director at the Harvard Kennedy School. He is also a Contributing Editor for Lawfare. Before Harvard, he served as the Director for Plans and Operations for Cyber Policy in the Office of the Secretary of Defense. There, he worked closely with the Joint Staff and Cyber Command on a variety of efforts to counter malicious cyber activity against U.S. and DoD interests. For this work, he received the Secretary Medal for Exceptional... Read More

The Coauthor is Gabriella Roncone

Gabriella Roncone a research assistant at the Harvard Belfer Center’s Cyber Security Project. Previously, she was a fellow at the Office of the Secretary of Defense (OSD) Cost Assessment and Program Evaluation (CAPE). She currently studies Political Science and Computer Science at Tufts University, focusing on the intersection of cybersecurity and national security. Follow her on Twitter at @gabby_roncone.

Learn more about The Cipher Brief's Network here.