At the RSA cybersecurity conference, the Secretary of State announced the release of the Department’s new International Cyberspace & Digital Policy Strategy whose four goals are to advance economic prosperity; enhance security and address cybercrime; promote human rights, democracy, and the rule of law; and other transnational challenges.  As customary when releasing such strategies, the Secretary advocated the need to collaborate with likeminded international partners to help shape the future governance of the Internet, and the responsible use of digital technologies.  Common themes found in various other strategies included building a more inclusive and secure digital ecosystem, more international stakeholder coordination, advancing cyber norms; and combatting cybercrime.  The strategy pulls no punches with respect to U.S. adversaries China, Iran, North Korea, and Russia’s abuse of technology via pervasive hacking, d espionage campaigns, and intrusions into critical infrastructures.  The Department of Homeland Security is expected to release its own international cybersecurity strategy, expected to work in tandem with State’s.  The intent is clear:  the United States is reaffirming its principles with respect to how cyberspace should be maintained by global stakeholders, and identifying those governments it believes poses a threat to that vision.

Notably, the release of the Strategy comes on the heels of Part II of the National Cybersecurity Implementation Plan, which puts more directives under the pillars with an emphasis on defending critical infrastructure and bolstering collaboration with foreign partners.  Per the Office of the National Cyber Director (ONCD), 33 of 36 initiatives under the first implementation plan have been completed, and the final three are currently being addressed.  An additional 33 are expected to be completed over the next two years.  Among the new initiatives is the promotion of “cybersecurity-focused share services” across the government and “shared cyber supply chain risk management tools.”  Such progress has led the ONCD to conclude that the United States is achieving its cybersecurity goals and greatly improved its posture over the past year.  This certainly sounds promising, having accomplished many objectives in a relevantly short amount of time.  It would be interesting to see if an organization like the Cyberspace Solarium Commission or some other entity would provide a more in-depth report comparing the United States’ posture before the Implementation Plans and after with metrics to show the rate of maturation, which can be tied directly to improved conditions.

It would be myopic to think that the release of both documents was a mere coincidence and not a purposeful orchestration on the part of Washington to assert itself as the global cyber leader.  China is certainly a principal audience for these documents, as Washington and Beijing spar with one another in the press about the other’s cyber transgressions.  Cyber diplomacy is the name of the game, and after a period where United Nations efforts to build cyber norms have languished, Washington is clearly taking the opportunity to re-engage the international community, particularly in the wake of China’s exposure of alleged U.S. cyber malfeasance.  The competition for global acceptance is great, and while each government has its supporters, there are enough countries currently on the fence with respect to backing either side.  

Therefore, the United States is seeking to demonstrate that it is a reliable partner that will aid its friends, hoping that its international strategy will win over the undecided, especially the developing world.  That’s why the document stresses principles like human rights and economic security as key principles underpinning the United States’ vision of cyberspace security, which calls for eschewing Chinese technology that Beijing has so freely given to developing countries to build their own digital infrastructures.  It is little surprise that part of the State Department’s strategy includes a Cyberspace and Digital Connectivity fund designed to help allied nations enhance their cybersecurity, an evolution from one-time grants that had been given to Albania and Costa Rica when they were victimized by crippling cyber attacks.

But trying to re-establish ties with foreign counterparts under the umbrella of collaborative “digital solidarity” that is prosperous, inclusive, and secure is but one prong of a two-pronged mission.  Threats to critical infrastructure and elections are common warnings when it comes to describing the actions of states like China and Russia in cyberspace. Under Biden, the United States has embraced a collaborative approach to things it does in the world, especially when it comes to geopolitical issues and conflicts.  There’s little question that Washington sees the need to build coalitions under a common rubric before it goes forward.  Thus far, several countries have entered nonbinding cybersecurity agreements though it appears these have been more for optics than practical cybersecurity.  It will be interesting to see how the State Department tries to solidify more concrete commitments and treaties with international stakeholders.  Any formal treaty could take several years of negotiation, even among states that agree in principle.  

Even a topic like data privacy, mentioned only briefly in the State Department’s strategy and not mentioned at all in Part II of the Implementation Plan could be a sticking point in getting states to agree.  While the State Department strategy acknowledges the need to guarantee that the cross-border data flows are protected, it did little to mention how that data should be handled, stored, and the accountability of that data.  For legislation like Europe’s General Data Protection Regulation, more concrete commitments would likely have to be worked through and agreed upon.  Further complicating matters is the United States entering a new presidential season.  Any efforts currently being done may be stopped should a new president assume office.  So, it is highly unlikely that much headway in the way of formalized or binding agreements would be made before the election.

Recently, the United States revealed that it had confronted China regarding its cyber espionage activity dubbed VOLT TYPHOON in which it had detected China allegedly trying to infiltrate U.S. critical infrastructure for the purposes of disruption in the event of war or conflict between the two states.  The meeting did little to change Beijing’s posture who responded that it was a U.S. ploy to secure more funding.  Beijing’s reaction to direct confrontation by senior government officials will be telling.  Washington has made it known to both Beijing and the global community that China is engaged in this activity targeting civilian infrastructures, which has largely been deemed a “no-no” for state-directed cyber disruption.  Of course, that variable changes in the event of a conflict or war, and there has been no publicly released evidence that VOLT TYPHOON has caused any purposeful disruption.  Nevertheless, based on recent history, Beijing will likely take to its media to counter this issue, citing U.S. incursions into its own infrastructures by alleged U.S. cyber operators, trying to create a stalemate on the issue.

One of the interesting points raised by the ONCD when discussing Part II of the Implementation Plan was how it advocated the United States employing “all instruments of national power” to go after hackers that threaten national security and/or the safety of the public.  This sentiment was echoed by former NSA chief as well.  This signals the United States’ intent to become more active in cyberspace, relying on the full extent of its cyber capabilities to thwart attackers to include pre-emptive hunt-forward operations.  Without question, the United States has embraced more offensive actions in cyberspace, successfully thwarting or at least mitigating potential adversary attacks.  The United States typically ranks among the best if not the best state actor with respect to its cyber power, and with the recent VOLT TYPHOON disruption, Beijing has seen firsthand the extent of some of U.S. capabilities.  But the fact that it remains undeterred suggests that Beijing is not all that worried that any of its infractions will come to a cyber head and has other diplomatic and economic cards to play to keep Washington threatening but not acting in a more aggressive manner against Beijing in cyberspace.  This keeps the stalemate in place, leaving both governments to forge alliances and partnerships with others.

The extent of how successful the State Department’s international engagement to fence China’s activities will have to extend beyond the usual suspects – the Five Eyes and sympathetic Western-leaning governments.  Latin America and Africa are two regions where the State Department may want to consider increasing its focus as both developing areas offer geographical and resource advantages to both Washington and Beijing.  To be effective, formal agreements and treaties will be necessary to hold partners accountable and keep them committed.  That will be a tougher row to hoe and require additional economic and diplomatic considerations beyond cyber.  Further complicating matters is that a new president may not pursue the same track, thereby potentially derailing any gains in favor of his or her own policies.  Nevertheless, the die has been cast, and it’s Beijing’s turn to move.