The main loss from the departure of Chris Painter, America’s top cyber diplomat, will not be the loss of one of the top U.S. civil servants in the field, with 26 years in government. Nor will the biggest hit be to U.S. airlines, whose business models have increasingly been depending on the hundreds of thousands of miles he flew, pursuing America’s interests. The makers of Diet Coke will certainly feel the pain, now that Ministries of Foreign Affairs around the world no longer have to stock up on cases of the stuff for Painter’s unending thirst for the fizz. But they’ll survive.
No, those that will suffer most are likely to be American citizens, and indeed netizens in whatever country they live, who depend on an open, free, and secure internet. Painter has been a tireless advocate for these goals—American goals—around the world, and the best days of American cyber diplomacy may be behind us.
The United States was the first country to set up a dedicated office to handle cyber-related issues, such as pressuring nations to have open internet borders or agreeing to norms on cyber conflict. These issues date back to 1998, when the Russians introduced a cyber disarmament resolution at the United Nations. At the time, the issues were handled within the bureaus at the State Department, either the Intelligence and Research (INR) bureau or the Political-Military (PM) Affairs bureau.
In 2009, President Barack Obama’s Cyberspace Policy Review made the recommendation to consolidate and elevate the role, given the importance of cyber issues and ever-escalating cyber conflict. That report noted the U.S. should:
“Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.”
In 2011, Painter became the first Coordinator for Cyber Issues, reporting directly to the Secretary and with a wide-ranging set of responsibilities, according to the State website:
- Coordinating the Department's global diplomatic engagement on cyber issues
- Serving as the Department's liaison to the White House and federal departments and agencies on these issues
- Advising the Secretary and Deputy Secretaries on cyber issues and engagements
- Acting as liaison to public and private sector entities on cyber issues
- Coordinating the work of regional and functional bureaus within the Department engaged in these areas
Success of U.S. Cyber Diplomacy
A few of the major successes of Painter and his team have been building relationships, norms, and most critically, real impact on the networks.
The State Department has been critical in developing bilateral relationships with key U.S. friends and allies, such as Great Britain and Japan, but also in working with developing economies so they understand the value of an open, free, and secure internet. Time spent with nations like India and Indonesia will continue to pay dividends. Most recently, Painter just finished the U.S.-Kenya Cyber and Digital Economy Dialogue to better tie the United States to one of the most digitally savvy nations in the world.
Also, State has not ignored multilateral groups, like the Five Eyes, a group of English-speaking allies, as well as the Organization of American States, ASEAN, OSCE and others. All are now including cyber-related topics in their discussions.
Most cybersecurity professionals have been extremely concerned about the ever-escalating conflicts in cyberspace, from Shamoon to Havex to NotPetya, and more espionage campaigns than can be counted. Led by the tireless U.S. negotiator Michele Markoff – who had been almost the lone cyber diplomat on these issues for years, back to the original Russian proposals – State has been pushing other nations for new norms for cyber conflict and achieving far more than most analysts imagined possible.
Markoff led the U.S. through five rounds of the UN Group of Governmental Experts, back to 2005, and achieved unlikely agreement in several of those rounds, bringing Russia, China, the U.S. and other nations to the first understandings of unacceptable norms in online conflict.
In fact, U.S. diplomacy was key to 2015 being the “year of the cyber norm.” In January of that year, there were few accepted cyber norms. But in May, after then Secretary of State John Kerry laid out several proposed U.S. norms in Seoul, things moved quickly. The UN GGE picked up many of the same principles laid out by Kerry and Chinese Presidents Xi Jinping and Obama agreed to one of Kerry’s most important norms, that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property … with the intent of providing competitive advantages to companies or commercial sectors.” This norm and others were affirmed by all the leaders of the G-20 at their summit in November in Ankara. Within just one year, U.S. diplomacy transformed the diplomatic landscape.
The third success of American cyber diplomacy was that it mattered to actually reduce online attacks. Attacks are still worse every year, but certainly not as bad as they would have been if State had not been so active.
Some of the reductions in cyber attacks came through diplomacy and related sanctions. President Xi probably would not have agreed to restrictions on commercial espionage for profit if the White House and State Department had not been pushing hard for so many years – or threatening sanctions if the activities did not stop. This happened under the Obama Administration, but even the Trump Administration believes they appear to be successful, with Tom Bossert, the Homeland Security Advisory, recently saying he believes the Chinese leadership “have the commitment” and “the resolve to meet that commitment,” towards reducing this kind of espionage.
Other reductions in cyber attacks have surely come from the modest capacity development efforts the U.S. has made to improve the cyber defenders in developing nations, so they can stop outbound attacks. As Painter says, “It’ll protect your country but it’ll also protect our country.” The U.S. has also championed agreements such as the Budapest Convention to improve coordination and response to fight cybercrime, which has now been ratified by over 50 countries.
Fragility of U.S. Cyber Diplomacy
America is particularly vulnerable right now to losing this momentum and surrendering global leadership to China and Russia. It is entirely possible in ten years, the internet will no longer look and feel American – lightly monitored, with no central control, and few borders. It is far more likely to have an autocratic feel.
U.S. diplomacy is vulnerable first because there are few other U.S. cyber officials in place. Only the White House is well-staffed, with Tom Bossert – who has a good handle on cyber issues from his previous stint in the White House and as a colleague of mine as a senior fellow at the Atlantic Council – and Rob Joyce, the cyber coordinator bringing decades of NSA experience in offensive and defensive operations, including international coordination.
However, the Cabinet departments are incredibly understaffed, with no nominations for the Deputy Under Secretary for cyber and communication issues at the Department of Homeland Security, nor any of the assistant or deputy assistant secretaries. There are several extremely qualified candidates in the wings – all with oodles of international experience – but even after they are announced, approvals could take months. The Department of Commerce is still working with an acting assistant and deputy assistant secretary for its internet group. Even the Department of Defense is understaffed, with no nominations yet for the main cyber job, a deputy assistant secretary for cyber policy.
Worse, the lack of nominations could be matched by an outflow of talented civil servants. At Defense, Kate Charlet, the well-regarded acting deputy assistant secretary, just resigned this week to join a DC think tank. At State, let’s hope Michele Markoff, Painter’s deputy, continues to stay, as she has been an incredibly successful negotiator on cyber issues for two decades. If she follows Painter out the door, it might take State years to rebuild.
The Future of U.S. Cyber Diplomacy
The Trump Administration does not need to look far to know what should happen next. The most comprehensive recent report of recommendations was clear that the position should be further escalated with an expanded team: “The Cyber Coordinator should be made an ambassador-at-large, and State should create a new bureau for cyber and information issues.”
The job may even be further expanded, possibly combined with the role of Coordinator for International Communications and Information Policy, a role once held by Ambassador Danny Sepulveda. This would expand the portfolio of the team not just for “cyber” norms and conflict, but also a wider range of topics such as telecommunications and internet governance. Other nations, such as France, have combined this role, so it is worth consideration by the Trump Administration.
The reasoning behind these recommendations is clear. The federal government budgeted nearly $20 billion for cybersecurity in 2016, with $7 billion of that just for the Pentagon. For this fiscal year, the cyber warriors at U.S. Cyber Command are seeking an increase of 16 percent to complete the build-out of their 6,200 person Cyber Mission Force.
The U.S. cyber diplomats working with Painter achieve far more with far fewer resources. Indeed, their operating budget is probably not much more than what the Air Force is seeking for research and development for offensive cyber weapons, $25 million. An investment of $1 million to reduce attacks coming from sub-Saharan Africa is a major investment for State; in the Defense Department that much would be spent on contractors for a study to decide what to do.
Moreover, when Painter became the Cyber Coordinator, he was the first in the world. Now over 20 countries have created similar positions, in part because of U.S. leadership. Most of these positions are full ambassadors, a title never awarded to Painter, and one that brings additional sway in the world of diplomacy.
Yet given the budget cuts at State, the expectation is growing that the position might not be elevated and might go away entirely or again be folded back into one of the bureaus. To say this surrenders U.S. leadership is true but misses the point. The diplomats at State are value for money, an investment that is paid off in reduced attacks on the United States.
When Secretary of Defense James Mattis was still a general, he testified to Congress that from his view, running America’s wars from Central Command, “If you don’t fund the State Department fully, then I need to buy more ammunition ultimately. So I think it’s a cost benefit ratio. The more that we put into the State Department’s diplomacy, hopefully the less we have to put into a military budget…”
The same is every bit as true for America’s cyber conflicts. If the State Department cyber efforts are not elevated, if they are indeed cut, then the Department of Defense will have to hire more cyber warriors.