New State Department cyber bureau stirs opposition
A newly established State Department bureau focused on cybersecurity and emerging technologies could give the Biden administration a launch pad for strengthening ties with allies after a massive Russian hack on the federal government.
Yet the office is also facing pushback from both sides of the aisle amid concerns that it was rushed into creation by the Trump administration, and that it may make matters worse at an agency that has been without a dedicated cyber office for almost four years.
“We have really starved this area of cyber diplomacy, and we should be leading on this … and this ties our hands a bit,” Christopher Painter, the former State Department cyber coordinator under both the Obama and Trump administrations, told The Hill on Friday.
Painter formerly headed the Office of the Cyber Coordinator, which was merged with another office in 2017 by former Secretary of State Rex Tillerson, prompting bipartisan outrage over concerns that the U.S. had severely limited its ability to engage on cyber-related issues.
As a result, the Bureau of Cyberspace Security and Emerging Technology (CSET) was stood up by former Secretary of State Mike Pompeo in the final days of the Trump administration in an effort to fill the void.
Painter, along with lawmakers and other federal officials, have raised concerns that CSET will not enhance the nation’s cybersecurity efforts, and that its establishment was rushed through.
“It’s bizarre, ludicrous, and you have to wonder why they did it then,” Painter said. “They did notify us about this back in 2019 … but the fact is that the State Department didn’t really have any good dialogue with the Hill on how to address their concerns, they seemed to be in limbo and then suddenly they sprung this on us.”
“There are interdependencies, areas that are cross-cutting in this … if you don’t have one place where those come together and can be reconciled so the U.S. government can speak effectively with one voice, that is problematic, and that is memorializing stovepipes,” Painter added.
Painter is not the only official to raise concerns about CSET. The Government Accountability Office (GAO), a federal watchdog agency, has put out two reports on the bureau, with the latest released Thursday finding that the State Department “did not demonstrate that it used data and evidence” in setting up CSET.
“Without developing evidence to support its proposal for the new bureau, State lacks needed assurance that the proposal will effectively set priorities and allocate appropriate resources for the bureau to achieve its intended goals,” GAO wrote in the report.
A firm footing for cybersecurity has become even more critical over the past two months. The federal government is struggling to get its arms around the consequences of the recently discovered Russian hacking of IT group SolarWinds, an incident that allowed hackers to access the networks of most federal agencies, including the State Department, for at least a year.
The incident has international repercussions, with more than 18,000 SolarWinds customers around the world potentially affected, and was one of the topics discussed by President Biden during his first conversation in office with Russian President Vladimir Putin.
Newly confirmed Secretary of State Antony Blinken reiterated the administration’s focus on the issue, telling reporters last week that the agency was “looking very urgently” at the “implications” of the SolarWinds breach.
But if the State Department hopes to respond to the hack and address other cyber goals, the new bureau faces little support on Capitol Hill, where opposition to CSET is an area of rare and almost universal bipartisan agreement.
While lawmakers acknowledge the importance of the State Department having a cyber arm, concerns mostly center around the decision by the State Department to set up the bureau despite passage in the House of legislation intended to set up an Office of International Cyber Policy at the State Department with a leader who would report directly to the secretary.
The Cyber Diplomacy Act, passed by the House in 2018, was co-sponsored by the then-bipartisan leaders of the House Foreign Affairs Committee. The legislation was reintroduced in 2019, but also failed to be signed into law.
Despite the setup of the new bureau, the committee’s leaders have not given up on the legislation, with House Foreign Affairs Committee ranking member Michael McCaul (R-Texas) telling The Hill on Friday that he intended to work with new committee Chairman Gregory Meeks (D-N.Y.) to again introduce the bill.
“Unfortunately, the State Department’s reorganization does not lend itself to solving a long standing Foggy Bottom cybersecurity challenge: effective coordination,” McCaul said. “As the most recent Russian hack has shown, the State Department and our national security are in the bullseye.”
Meeks has been no less critical of the office, earlier this month putting out a statement strongly criticizing the State Department for its decision to “ram through its poorly considered and ineffective plan just days before Pompeo leaves office.”
“Everyone agrees the State Department needs a Cyber Bureau—but Secretary Pompeo’s plan is ill-suited to address the Bureau’s critical purpose,” Meeks said at the time.
On the other side of Capitol Hill, there is also opposition. A Senate aide told The Hill Friday that both the House Foreign Affairs and Senate Foreign Relations panels had thrown their support behind legislation that ensured that a State Department cyber bureau would report to the secretary “to ensure an adequate hearing of and reconciliation of both economic and security issues.”
“As currently designed, cyber issues are split into separate economic and security bureaus – this has led to confusion,” the aide said. “If the Biden Administration wishes to have an effective cyber strategy, it would be in their best interest to consult with Congress.”
Blinken stated the intention of the agency last week to review all the decisions made by the previous administration during its last weeks in office, and after the strong pushback around CSET, the new bureau is being reexamined.
“Secretary Blinken has expressed his support for the creation of the Bureau of Cyberspace Security and Emerging Technologies,” a State Department spokesperson told The Hill on Friday. “He will take a close look at where this bureau should be placed within the Department and what its mission and scope of responsibility will be.”
Painter, who spearheaded the creation of the original cyber coordinator office at the State Department in 2011, said he had confidence the agency would be able to effectively address the concerns around the bureau.
He noted that with new threats multiplying over the past decade from nations including China, Russia and Iran, along with cyber criminals, it was essential to prioritize cybersecurity on the international playing field.
“We are facing a more dangerous time now than we were facing when my office was created,” Painter said. “The threats were big then, but they are even greater now.”
-Updated at 10:15 p.m.