On April 4, 2022, Secretary of State Antony Blinken released a statement announcing the creation of a “new” federal bureau — the Bureau of Cyberspace and Digital Policy (CDP). Even though the organization is the first of its kind in the U.S. on this scale, the concept isn’t new. During the Trump administration, Secretary of State Rex Tillerson shrank the cyber department, despite a diplomatic and constituent push for a larger government cyber presence. The following secretary of state, Mike Pompeo, tried to reinvigorate the cyber program to no avail.
According to CNN, Blinken said of the bureau, “As what’s happening in Ukraine and Russia illustrates, we’re in a contest over the rules, infrastructure and standards that will define our digital future.”
In this new digital era, understanding cyberspace and increasing cybersecurity are more important than ever. The Bureau of Cyberspace and Digital Policy is an attempt to do both, in a world where threat actors have the power to damage critical infrastructure and cripple nations from anywhere in the world.
The Bureau of Cyberspace breakdown
The CDP bureau is a byproduct of the Cyber Diplomacy Act of 2021. The bureau is broken into three policy groups: Cyberspace Security, led by Michele Markoff; International Information and Communications Policy, led by Stephen Anderson; and Digital Freedom, led by Blake Peterson. Jennifer Bachus is the acting head of the bureau and will be the Principal Deputy Assistant Secretary once a permanent head is found.
Bachus told CNN, “I will work hard to make sure the bureau is appropriately structured and staffed for its mission: to elevate cyber and digital diplomacy globally, and to prioritize this work here in Washington and at our embassies and consulates.”
What the experts say
Industrial Cybersecurity Pulse recently interviewed industry expert and Cynalytica CEO Richard Robinson to gain insights into the efficacy and intention behind the Bureau of Cyberspace and Digital Policy.
ICSP: Do you think foreign entities, specifically those who look negatively upon the U.S., will take this as a threat or an elevated effort to control cyberspace?
Robinson: Absolutely, and I believe that there is a strong component of public trust [that] has been eroded in any government or entity looking to take more control over cyberspace or cyber events. We have a history of it here in the United States, right or wrong, where there’s just way too much evidence of folks not necessarily acting responsibly. Because it’s so highly polarized, other countries and nations will use this as a rallying cry to escalate their cyber efforts.
ICSP: How much will this help companies given the broadness of the new initiative? And how effective are these sorts of government efforts given that most major companies and critical infrastructure pieces are privately owned?
Robinson: I’ve looked through the legislation in the press releases and even the proposed budget for CDP and [tried] to cobble the pieces of other components that might feed into that budget, and looking at that, there’s a lack of transparency in the public — clear available information [so] you know what they’re actually going to do. From that, I would say that there’s probably very little benefit for most of all companies — maybe for a select few that they focus on particular policy issues.
When you look at the proposed 2023 budget, it’s for $37 million. But if you look through the budget, you can’t tell if that includes the existing CDP budget in the 2023 budget. They’re asking for a plus up in that existing CDP budget, and then I noticed in some of the language that there was some connection between CDP and the global engagement center budget request of $30 million. So is this team going to have $37 or $75 million? I’m not sure in the grand scheme of things, because it’s still a small piece of their budget, that it’s going to be terribly effective overall.
ICSP: Do you think the Russia-Ukraine crisis has brought a heightened awareness of cybersecurity to the U.S. government that wasn’t there before? When the crisis is over, will concerns of cybersecurity pitter away in the eyes of the government, especially with a change of leadership in the next two to six years?
Robinson: It’s yes and no. Yes, in the fact that we’re seeing more and hearing more about these events. There’s a lot more political hand-waving going on. We hear and see it and versions of things in the press about this, which is more often than not either inaccurate, misunderstood or misrepresented. I think from everything that’s going on, it makes for great political and marketing fodder, which is unfortunate. If you look historically, there’s a bastion of government audits and reports going back over decades that have basically spelled this out. They forecasted in intimate detail what the U.S. government and even industry has for current and future cyber challenges across all the government agencies, and critical infrastructure is one of those things. This isn’t coming to the government as a surprise that we have these issues. It’s just really there’s been a lack of follow through.
I will say the awareness has always been there. I just don’t think that it’s really had much of an impact from the DoD (Department of Defense) perspective. I do believe that especially on the critical infrastructure in the OT (operational technology) space, which is one of the areas that we’re really concerned in, I see them recognizing and trying to get it into alignment. But when you look at the timetable for which they want to do these things and recognizing that it’s still government, the adversaries are moving much faster than we are from a recognition and budgeting standpoint and getting things in place.
On the no side, we’re hearing and reading and seeing more comments — especially some from some of the political folks — around the lack of Russia’s either use or capability around cyber as part of the Ukraine-Russian [crisis], and I think that is a really foolish assumption to make. If you take a step back and you look at it in the context of the kind of warfare and how cyber warfare will play out over time, assuming that the first thing that the Russians were going to do was exhaust all of their cyber tools, I think is misinformed at a minimum. I think it’s biased to assume that it isn’t important and they’re not going to use it. We’ve seen historically a very competent and sophisticated adversary, and so to underestimate that because they haven’t done it, that they’re incapable or not going to do it, I think — going back to the question, has it raised the bar of attention — I think then from that perspective it’s a no.
ICSP: Do you see any potential caveats in this new initiative? Is there any area of cybersecurity that should receive more of an emphasis in the Bureau of Cyberspace?
Robinson: This comes from the State Department. I wholeheartedly respect what the State Department does. I understand why there’s not a lot of public information, so it makes it really hard to be objective in making any type of assessment or deduction of this. As far as areas I have a vested interest in, just in what we do, protection of critical infrastructure, which is entirely a different bag of worms from what it looks like. CDP may or may not be focusing on the U.S. and even more so globally. We all rely on critical infrastructure for services, health and safety that were developed and put in place well before the Internet came along, and now you know those things weren’t dealt with. The protections that you would want today [aren’t there], and we continue to connect these things at a rapid rate to routable networks, and they’re not very well protected. Before, I would say it’s a dirty little secret, but it’s not a secret anymore. So being able to focus on that soft spot to protect critical infrastructure isn’t anything that I’m seeing in the press release about this bureau.
ICSP: What impact will this initiative have on critical infrastructure?
Robinson: Without transparency [from the government], I would say almost zero. [That] sounds really critical and negative, but it’s really hard to delineate what are the goals, what are the missions, what is that actually applying to critical infrastructure. Critical infrastructure is a really broad term. … We’ve got critical infrastructure around IT (information technology) infrastructure. We’ve got critical infrastructure around OT, and from an OT view, if we’re talking about CDP, I don’t see anything specifically there that indicates that it will have any impact on the security of critical infrastructure.