A new cybersecurity-centric bureau housed within the State Department tasked with leading the nation’s cyberspace diplomatic efforts has drawn fresh critics who say it was poorly planned and could make matters worse, a new report said.
The Bureau of Cyberspace Security and Emerging Technologies’ (CSET) was established in January 2021 in the waning days of the Trump administration, three years after former Secretary of State Rex Tillerson shuttered the Office of Cyber Coordinator and shifted some of its duties to the Bureau of Economic Affairs. At the time, bipartisan critics of the maneuver charged that it injured the country’s ability to engage on cyber-related issues. There is still no government agency that reigns supreme over U.S. cybersecurity policies.
They had a point. The State Department had previously told Congress that CSET would improve coordination between other agencies working on security issues. But that’s not what’s happened, according to a new Government Accountability Office report concluding that the State Department “did not demonstrate that it used data and evidence” in setting up the bureau.
In an earlier report, GAO said that the State Department should have consulted other agencies at the planning stage. “While State is not legally obligated to involve other agencies in the development of its plans for the new bureau, our prior work on government reforms and reorganizations has shown that it is important for agencies to directly and continuously involve key stakeholders, including agencies supporting similar goals, to develop proposed reforms, such as State’s plan for establishing CSET,” the GAO report said.
The Cyberspace Solarium Commission and the proposed Cyber Diplomacy Act both call for cyber initiatives to rank at a higher level than a bureau within the State Department. The bill would establish an advisory office to the State Department on cyberspace issues, including international cybersecurity, internet access and freedom and international cyber threats. While the 2019 version of the measure has not been signed into law, House Foreign Affairs Committee ranking member Michael McCaul (R-TX) told The Hill that he will work with new committee Chairman Gregory Meeks (D-NY) to re-introduce it, The Hill reported.
Now, in the aftermath of the massive Russian-backed SolarWinds cyber attack on at least 10 government agencies, stronger criticism of CSET’s directive has surfaced from Christopher Painter, the former head of the cyber coordinator’s office and Congressional lawmakers over its genesis. “We have really starved this area of cyber diplomacy, and we should be leading on this ... and this ties our hands a bit,” Painter told The Hill. “It’s bizarre, ludicrous, and you have to wonder why they did it then,” he said. “They did notify us about this back in 2019 ... but the fact is that the State Department didn’t really have any good dialogue with hill on how to address their concerns, they seemed to be in limbo and then suddenly they sprung this on us. There are interdependencies, areas that are cross-cutting in this ... if you don’t have one place where those come together and can be reconciled so the U.S. government can speak effectively with one voice, that is problematic, and that is memorializing stovepipes,” he said.
Earlier criticism of the bureau was voiced by Eliot Engel (D-NY), former House Foreign Affairs Committee chairman, who said its mission and scope were too restricted. “While Congress has pursued comprehensive, bipartisan legislation, the State Department has plowed ahead in its plan to create a bureau with a much narrower mission focused only on cybersecurity,” he said. “This move flies in the face of repeated warnings from Congress and outside experts that our approach to cyber issues needs to elevate engagement on economic interests and internet freedoms together with security.”
Despite CSET's setup, the committee’s leaders have not given up on the Cyber Diplomacy Act. “As the most recent Russian hack has shown, the State Department and our national security are in the bullseye,” McCaul reportedly said. For his part, Meeks has criticized the State Department for a “poorly considered and ineffective plan just days before (former Secretary of State) Pompeo leaves office." (per The Hill)
Still, there is some confidence that the State Department will be able to sift through disapproval surrounding the bureau. In referencing threats by cyber adversaries China, Iran and Russia, Painter said prioritizing cybersecurity in foreign relations is of utmost importance. “We are facing a more dangerous time now than we were facing when my office was created,” he told The Hill. “The threats were big then, but they are even greater now.”