The Right Way to Structure Cyber Diplomacy
The modern State Department was forged in an era of global transformation. In the 1930s, the department had fewer than 2,000 personnel and, as one historian emphasized, it was a “placid” place that was comfortable with “lethargic diplomacy.” World War II revolutionized the department, which readily transformed itself to handle the demands of planning a new international order. Between 1940 and 1945, the department’s domestic staff levels tripled and its budget doubled.
Today, the State Department is once again confronting the challenge of how to organize itself to cope with new international challenges — not those of wartime, but ones created by rapid technological change. There are ongoing conversations about how the department should handle cyberspace policy, as well as concerns about emerging technologies like artificial intelligence, quantum computing, next generation telecommunications, hypersonics, biotechnology, space capabilities, autonomous vehicles, and many others.
As Ferial Ara Saeed recently emphasized, the department is not structured in a way that makes sense for addressing these matters. She is not alone in having this view, and others have also offered ideas for reform. Former Secretary of State Mike Pompeo’s proposal for a Bureau of Cyberspace Security and Emerging Technologies focused too narrowly on security, as Saeed correctly diagnoses. As an alternative, she proposes consolidating all technology policy issues under a new under secretary, who would report to the deputy secretary of state for management and resources.
The State Department should be restructured so that it can conduct effective cyber diplomacy, but establishing one bureau for all things technology-related is not the way to proceed. Conceptually, the core challenges for cyberspace policy are different from those related to emerging technology issues, and creating one all-encompassing bureau would generate multiple practical problems. Instead, the department should establish a Bureau of International Cyberspace Policy, as proposed in the Cyber Diplomacy Act. Consolidating cyberspace policy issues in a single bureau would provide greater coherence to overarching priorities and day-to-day diplomatic activities. Emerging technology issues should remain the responsibility of the appropriate existing bureaus. If they are provided with greater resourcing and if appropriate connective tissue is created, those bureaus will have greater flexibility in crafting individualized strategies for a very diverse array of technologies. At the same time, the department would be able to prioritize and adopt a strategic approach to technology diplomacy.
Cyberspace Matters Are Different from Other Technology Issues
Through our work as staff of the U.S. Cyberspace Solarium Commission, we have observed how cyberspace policy will have impacts on U.S. foreign policy and international relations that differ fundamentally from those produced by other technology issues. That is why cyberspace policy warrants a distinct foreign policy approach.
Unlike other technologies, cyberspace has created a new environment for international interaction. As Chris Demchak describes, cyberspace is a “substrate” that “intrudes into, connects at long range, and induces behaviors that transcend boundaries of land, sea, air, institution, nation, and medium.” Since the early 2000s, as one brief has put it, states have recognized “cyberspace and its undergirding infrastructure as not only strategic assets, but also a domain of potential influence and conflict.” At the same time, a lack of international agreement or clarity on key definitions compounds the difficulties of dealing with cyberspace as a new arena of state-to-state interaction.
A U.N. Group of Governmental Experts produced a consensus report outlining norms of responsible state behavior in cyberspace that was welcomed by the U.N. General Assembly in 2015. However, U.N. members were by no means agreed on how international law applies to cyberspace. Although that issue was addressed more successfully in 2021, diplomats are still negotiating critical questions like what counts as cybercrime, critical infrastructure, espionage, or many of the other foundational concepts in this area. All of these questions, and many others beyond the negotiations of the United Nations, have long-term implications for the future of the internet, as cyberspace policy experts navigate a path between security and surveillance, and between openness and authoritarianism. To be successful in this diplomacy, the State Department should prioritize these issues and provide its diplomats with organizational structures that will support America’s proactive leadership. In short, the State Department should have a dedicated cyberspace policy bureau.
The focus and activities of such a bureau would be functionally very different from what will be involved in addressing other technology issues. A Bureau of International Cyberspace Policy would be responsible for implementing a relatively established policy for cyber diplomacy. The head of the bureau would be working to ensure an open, interoperable, reliable, and secure internet, pushing back on authoritarian leanings in internet governance, and advocating for a multi-stakeholder model for the future of cyberspace. Certain details may change, but the core elements of this policy have been consistent across administrations and Congresses. Accordingly, the real added value of a cyberspace policy bureau is not in defining policy, but rather implementing that policy, which will require extensive engagement with “non-aligned” countries to help sway the balance of opinion toward an open internet, and international capacity-building efforts to help drive progress toward greater global cyber security.
By contrast, the challenge U.S. policymakers confront on emerging technologies is a question of establishing what America’s international policies and diplomatic strategies should be. As the National Security Commission on Artificial Intelligence observed in relation to the State Department, a lack of clear leadership on emerging technology “hinders the Department’s ability to make strategic technology policy decisions” as part of a larger reorientation toward strategic competition.
Policymakers and officials working on emerging technologies will also face the challenge of adapting overarching policies as technologies emerge, develop, and ideally stabilize over time. Emerging technologies do not remain “emerging” indefinitely, and so an organizational structure that allows the development of cohesive strategies around these technologies should have the flexibility to shift between topics. Of course, cyberspace policy and the strategic considerations that guide it will also certainly need to adapt to changes, but its basic focus is likely to remain more stable. Much of America’s work in outlining cyberspace policy has already been done, and thus the missions that remain — for example working with partners and allies on joint attribution of cyber attacks, rallying votes in the United Nations, and managing capacity building projects — are unlikely to change dramatically any time soon.
Undoubtedly, there will be many areas of overlap between the work of those handling emerging technology issues and the responsibilities of a cyberspace policy office. But there will also be overlap between efforts on emerging technologies and matters handled by the Bureau of Economics and Business Affairs, the Bureau of East Asian and Pacific Affairs, the Bureau of International Security and Nonproliferation, and many others. The fact that there is overlap between two organizational constructs should not be taken as a justification to merge them, and while technology obviously plays a central role in both cyberspace policy and emerging technologies policy, the actual work required to address them is very different.
It also makes sense to keep some technology issues in their current bureaucratic homes because of their historical legacy and the subsequent development of specialized expertise within those homes. No one would suggest, for example, that emerging issues in nuclear technology should be pulled out of the Bureau of International Security and Nonproliferation and made the responsibility of a new emerging technology bureau. And some technologies might only have globally significant implications for a relatively short period of time. Advanced robotics, for example, might have a major impact on manufacturing and broader economic areas, which could require the sustained attention of policymakers as they grapple with the initial implications of such technology. But once advanced robotics become a routine part of industrial operations, it would make less sense to have brought the issue under a new bureau when the pre-existing functional and regional bureaus might be best poised to address the relevant challenges.
Making every technology policy the responsibility of one under secretary would not solve the State Department’s current problems. Instead, it would result in unclear prioritization, strained resources, and would leave one leader handling two very different mission sets.
The Importance of Avoiding a Security-Focused Approach to Cyberspace
In creating a Bureau of International Cyberspace Policy, the State Department should also avoid limiting that bureau’s focus solely to security-related matters. That was one of the flaws with the previous administration’s efforts to create the Bureau of Cyberspace Security and Emerging Technologies. While that bureau never materialized, the Government Accountability Office roundly criticized the State Department for failing to provide data or evidence to support its plans and for its lack of consultation with other federal agencies. Rep. Gregory Meeks, the chairman of the House Foreign Affairs Committee, emphasized that the proposed office would not have been in a position to “coordinate responsibility for the security, economic, and human rights aspects of cyber policy.”
Any reorganization of the State Department should ensure that diplomats can take into account all dimensions — political, economic, humanitarian, and security — of cyberspace policy and elevate them within the department. That would allow a new bureau to lead the way in promoting a free and secure internet. Some of the reform proposals that have been put forward reflect this approach. For example, the Cyber Diplomacy Act, which has already passed in the House, would create an ambassador-at-large position, with rank equal to that of an assistant secretary, to lead a new cyber bureau. That person would report to the under secretary for political affairs or an official of higher rank, which leaves open the possibility that the position would report directly to the secretary of state or one of the department’s two deputy secretaries. While some have proposed the deputy secretary for management and resources for this reporting chain, that position has a history of going unfilled, and having a new cyberspace bureau report to it is a recipe for undercutting the fledgling bureau before it can even get off the ground. A better alternative would be to allow the State Department some flexibility in determining a new bureau’s reporting structure, which might include the more natural choice of reporting to the other deputy secretary.
An overly narrow focus on security is not the only trap to avoid in creating a new cyber bureau. Orienting it around the idea of strategic competition with China would also be a problem. No doubt China will remain a key driver of U.S. policy for years to come, but global threats and opportunities may look very different in future decades than they do now. Cyber diplomacy should not be oriented around one adversary specifically and the structure and functioning of a new cyberspace policy bureau should stand the test of time.
The Devil Is in the Details, But a Cyberspace Policy Bureau Is the Best Approach
The unfortunate political reality is that reorganizing the State Department is hard. That alone is not a reason to forgo reform, but it does introduce constraints on what may be feasible. Any new office or bureau will need leaders, but current law strictly limits the rank that they can hold. Creating a new under secretary, or even a new assistant secretary, would require significant changes to the State Department Basic Authorities Act, and there is limited political momentum for that particular undertaking. The law currently authorizes the appointment of 24 assistant secretaries and six under secretaries. Although the Cyberspace Solarium Commission initially recommended creating an assistant secretary position to lead a new cyber bureau — and although it has been clear for two decades that the State Department’s structure should be overhauled — making such drastic changes to the necessary legislation may be a nonstarter on Capitol Hill for the foreseeable future. The Cyber Diplomacy Act provides the best available work-around by placing an ambassador-at-large at the head of the new bureau, ensuring that the position has the stature necessary for effective leadership.
The new bureau would also have to contend with the challenges of prioritization. The Cyber Diplomacy Act lists a wide variety of issues — including internet access, internet freedom, digital economy, cybercrime, deterrence, and international responses to cyber threats — that would become a cyberspace bureau’s responsibilities. Even without giving it emerging technology topics to handle, consolidating just cyberspace policy issues will require careful planning to determine which pieces get pulled from existing bureaus. To allow a new bureau to adequately deal with digital economy matters, for example, policymakers would need to decide which aspects of that issue get moved from the purview of the Bureau of Economic and Business Affairs. The new bureau would have a good case for inheriting responsibility for portfolios like investment in information communications technology infrastructure abroad, particularly as it relates to cyber security capacity building, but there is a strong argument for other pieces like e-commerce to remain in their existing homes. The more bearing a particular team’s work has on preserving an open, interoperable, reliable, and secure internet, the more it should be considered a strong candidate for incorporation into a new bureau.
Moving the responsibility for particular policy matters is not the only tool available, however. The Cyber Diplomacy Act creates an avenue for the new bureau’s personnel to engage other State Department experts to ensure that concerns like human rights, economic competitiveness, and security have an influence on the development of U.S. cyber policy. The proposed Cyberspace Policy Coordinating Committee would ensure that officials at the assistant secretary level or higher from across the department can weigh in on matters of concern for their respective portfolios.
With a new cyberspace policy bureau, a coordinating committee, and enhancements to emerging technology capacity in its existing regional and functional bureaus, the State Department would be structured to handle the digital age effectively.
Natalie Thompson is a Ph.D. student in political science at Yale University. Previously, she was a research analyst for the U.S. Cyberspace Solarium Commission and a research assistant and James C. Gaither junior fellow at the Carnegie Endowment for International Peace, working with the Technology and International Affairs Program on projects related to disinformation and cyber security. She tweets at @natalierthom.
Laura Bate is a senior director with the U.S. Cyberspace Solarium Commission and a 2021 Next Generation National Security Fellow with the Center for a New American Security. Previously, she was a policy analyst with New America’s Cybersecurity Initiative and remains an International Security Program Fellow. She tweets at @Laura_K_Bate.