Yesterday, the House Foreign Affairs Committee voted on numerous bills by voice vote. The Cyber Diplomacy Act (CDA) was included in this legislative push. First introduced in September, the Cyber Diplomacy Act has bipartisan support with nine Democrat and six Republican cosponsors. The CDA covers a broad range of issues which together provide the foundation for the U.S. to “work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure” in support of U.S. national security and economic interests.
The CDA is a response to the growing reach, objectives, and impact of cyber attacks on the U.S. economic and national security and the absence of a broader strategy to counter and deter these attacks. The CDA calls out six threats: Russia, China, Iran, North Korea, terrorists, and criminals. In the last few months alone, Russia, Iran, and North Korean-linked attackers were found within U.S. critical infrastructure, and China has been linked to infiltration against global tech giants, largely in the U.S. WannaCry, NotPetya, and BadRabbit ransomware attacks hit the public and private sector globally, with new variants of destructive malware on the rise as well.
To counter these threats, the CDA (if passed) would require a “strategy relating to United States international policy with regard to cyberspace”. The strategy would be required to address norms, deterrence and related policy tools, and the applicability of current international law to cyberspace.
The CDA builds upon growing demand for a strategy to curtail cyber attacks against the U.S. As an initial step, President Trump signed a cybersecurity executive order in May. It required a report within 90 days on the “Nation's strategic options for deterring adversaries and better protecting the American people from cyber threats” as well as an additional report documenting an “engagement strategy for international cooperation in cybersecurity.” In the absence of these reports, many in Congress have been vocal, calling for a U.S. strategy for cybersecurity. Earlier this year, Sen Angus King (I-ME) noted, “The country has no strategy or doctrine around cyber attacks...If our adversaries don't know we have it, it can't act as a deterrent.” During the Senate Armed Services Committee, Sen John McCain (R-AZ) similarly noted, “This committee has not been shy about expressing its displeasure over the lack of policy and strategy for deterring, defending against and responding to cyberattacks.” Just last month, King simply stated the U.S. needs to determine “if x, then y.”
How would the CDA address this current gap in strategic cyber policy? First, the CDA makes two major organizational changes at the Department of State: the creation of the Office of Cyber Issues and the establishment of an Ambassador for Cybersecurity. Both of these organizational changes offset current reorganization plans, including the vacacny left by the resignation of the Department of State’s top cyber diplomat, Chris Painter, and elevate the importance of cyber diplomacy. The Ambassador for Cybersecurity would “lead all U.S. engagement on issues pertaining to cybersecurity strategies, standards, and practices.” Co-sponsor of the CDA, Rep. Ed Royce (R-CA), stated, “The US is increasingly under attack by foreign actors, and these actors are online. Now, more than ever, we need a high-ranking cyber diplomat to prioritize these efforts and work with foreign governments.”
Next, the CDA takes broad steps at pursuing global international cooperation. In conjunction with the technology companies, security researchers and other relevant stakeholders, the CDA would establish U.S. policy to evaluate and implement global norms - those rules of the road guiding the appropriate behavior in cyberspace. In addition, the CDA would require evaluation of the applicability of the Law of Armed Conflict to cyberspace, and prohibit attacks such as those aimed at critical infrastructure or commercial espionage for corporate gains. Interestingly, the CDA does not reference 'cyber war' explicitly. It does reference proportionate countermeasures by victims of cyber attacks, and the necessity for greater deterrence frameworks. It also would require a review of policy tools available to the President to deter and limit escalation, including an assessment of the efficacy of these tools to date. Importantly, the CDA also mandates adherence to extant international cyber agreements, including nine existing bilateral agreements.
Finally, the CDA begins to broaden the realm of cybersecurity beyond attacks, and focuses on the internet’s contribution to democracy, freedom of speech, and access to information. This is important, as many of the key threats listed in the CDA already view the internet as a means for information control albeit through cyber attacks and/or disinformation. Recognizing this, the CDA links policy to protecting human rights, and assessing foreign countries by the extent to which they “filter, censor, or otherwise block or remove nonviolent expression" which interestingly is broad enough to include techniques such as astroturfing. Moreover, the CDA calls for an evaluation of alternative concepts to norms offered by foreign countries. Together, these aspects of the policy are a negation of the push by China, Russia, and many other countries for the notion of cyber sovereignty - governmental control of information within their borders. These concepts run counter to the multi-stakeholder model put forth by the U.S. and the U.N. If passed, the inclusion of these fundamental rights within the CDA would be a strong signal of U.S. commitment to a free and secure internet and democratic freedoms.
The CDA still has many hurdles to overcome before potentially becoming a law. However, at a time when the ACDC Act legalizing hacking back seems the most prominent cyber policy proposal, this week’s passage of the CDA by the House Foreign Affairs Committee is welcome progress. The CDA would not address every concern regarding the modernization of U.S. cyber policy and responses, but it would make significant progress toward asserting the U.S. as a key leader in shaping global norms toward democratic freedoms and appropriate behavior in cyberspace. Absent such steps, the global leadership vacuum will be filled by Russia, China, and other authoritarian regimes in ways that run counter to internet freedoms and global stability.