What Does Restructuring State’s Cyber Program Mean for the U.S.’ Cyber Plan?

Recently, the United States’ Department of State restructured its Bureau of Cyberspace and Digital Policy (CDP), letting go of some senior officials and restructuring what has been left into two separate entities. While the CDP will ostensibly remain, it would be greatly reduced in size, and focused on larger global issues such as technical standards and Internet governance. What’s more, the CDP will be relocated to the Under Secretary for Economic Growth rather than being its own entity, a move that many believe is a demotion in prestige and importance. The CDP surrendered two subcomponents – the International Cyberspace Security division (whose major responsibility was to coordinate U.S. responses to cyberattacks and promote cyber norms of behavior), which went to a new Bureau of Emerging Threats, and the Strategy, Programs, and Communications office, which was split into two parts: one that would remain in the reduced CDP and the other being moved to the Under Secretary for Economic Growth, Energy, and the Environment.

This major restructuring has received its share of criticism, with some believing that such a move not only neuters the Department of State’s cyber mission, but also reduces U.S. influence on the world stage, hampering the U.S. ability to collaborate with partners on key issues like governance and technology advancements like artificial intelligence, and even suggesting that this will likely hinder future international efforts to address cyber activities of shared adversaries like China, Iran, and Russia. The argument is that the three-year-old CDP was instrumental in pulling together cyber-related mission areas into a single entity, a consolidation that Congress believed was effective, though what criteria contributed to this determination is not clear. Indeed, some cyber experts like Chris Painter, the former Department of State lead on these issues, have called the move “short sighted” and “illogical.” The rationale is simple: in the critics’ opinion, the CDP streamlined the complicated process of international engagement and reduced bureaucratic turf wars.

Some complain that this move reflects a reduced importance placed on cyber by the Administration, which, on the surface, seems a reasonable interpretation of events. It had taken the United States several years to consolidate the various mission areas of cyberspace and the traditional role of the Department of State into a cohesive unit. And given that the CDP was only stood up in 2022, it may not have had a fair chance to show how it would work, despite the rush to call its efforts a success by Congress. It likely needed at least another couple of years to realize its operational capability, particularly with respect to international treaties and other measurable milestones like international technical standards setting that could demonstrate its proof of concept. Clearly, how the entity had been carved up and the placement of its parts reasonably raises eyebrows as to the motives of such a move, and whether the new homes to which they report make sense. After all, it would be easy enough to eliminate them if they had no intrinsic value, something the Administration is not shy about doing, rather than relegate them to bureaucratic purgatory.

So, the question remains – what prompted such a major reorganization in the first place?

One possible explanation is not that cyber is unimportant to the current administration, but that it wants to address it in a different manner than has been done for years. There is sense in not repeating the same game plan over and over again, for if such tactics worked, there would be quantifiable successes, especially when it comes to international agreement on issues. The United Nations (UN) Group of Governmental Experts or its counterpart, the Open-Ended Working Group, would have made more advancements toward establishing nation state cyber norms of behavior than have been made to date. An international cybercrime treaty would have been in place years ago instead of now being debated and discussed in the UN. And if the position is that such things take time, as with most diplomatic efforts, that may very well be the point – it is difficult to maintain that the often-slow process of diplomacy is the right fit for addressing the speed with which technology evolves, incidents happen, and the digital realm is weaponized and abused.

But to say that the current president is not taking cybersecurity seriously because of these actions seems misplaced, especially given his previous accomplishments. During his first Administration, Trump placed an emphasis on cybersecurity with Executive Order 13800, which promoted familiar themes of modernizing infrastructure, public-private sector coordination/collaboration, and increasing international cooperation with global partners. It also created CISA to advance the safeguarding of government agencies and enhance critical infrastructure protection under the purview of a single entity. The president also acknowledged the importance of artificial intelligence with the Executive Order Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government.

Perhaps most notably, the president has also fully supported and advanced defend-forward operations, taking the fight to adversaries in cyberspace rather than relying on reacting to incidents and attacks, which appears to be a key instrument in his cybersecurity strategy. From the standpoint of statecraft, while such actions can be punitive as well as a form of preemptive deterrence, they can also give way to more diplomatic channels, providing a show of capability to bring adversaries to the table to discuss altering future cyber behavior. In this way, defend-forward attacks would give way to more diplomatic outreach, rather than trying to exhaust diplomacy before executing a cyber response action. Much like dropping bombs on Iran’s nuclear enrichment sites to bring Tehran to nuclear discussions, a significant, stealthy, and strategically limited defend-forward attack could be used to bring about change in a state’s cyber behavior or at least a willingness to enter discussions regarding it. While there is no indication that this is indeed the president’s plan, it is worth consideration.

The current reallocation of cyber resources also raises the question of whether the administration is looking to change up how it addresses the myriad challenges posed in cyberspace, and whether or not trying to address all of them at once or at least simultaneously is the best strategy to effect meaningful changes. There are many areas to consider: crime, espionage, disruptive attacks, supply chain security, data manipulation, propaganda, critical infrastructure protection, technology standards, governance, etc., not to mention the emerging technologies that impact all of them. Prioritizing such efforts would be difficult as they all are interconnected in some fashion. Artificial intelligence implementation has only accelerated these challenges, requiring an agility that surpasses a traditional diplomatic pace. Quarterly or semi-annual meetings just won’t cut it.

The jury is out on whether this plan will work or even be effective. However, the new administration’s early focus on streamlining federal cybersecurity policies, shifting responsibility to state and local governments, and prioritizing efficiency could lead to a more agile and targeted approach. By concentrating on key areas like critical infrastructure resilience and leveraging private-sector innovation, this strategy may prove more effective in the long run against evolving cyber threats. The emphasis on a risk-informed approach, rather than a broad, all-hazards one, and the push for greater collaboration with industry and sub-national entities, signals a potentially more dynamic and less bureaucratic framework for securing the nation’s digital landscape.

Emilio Iasiello

About the Author

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.