Good afternoon! It’s a pleasure to be back to talk to the “Thinking Globally” program at the Foreign Service Institute (FSI), though I do wish we were able to meet in person, rather than simply through this video teleconference. I very much enjoy interacting with these classes, for you represent the future of American diplomacy.
As we “think globally” this afternoon, I thought it might be useful to explore one of the global issues that has become a focus of considerable effort and attention in the diplomatic community in recent years, as well as more broadly: cyberspace security.
When my grandfather was a young man, a “computer” was someone’s job description, rather than a word used to describe a machine or device. In those days, it just meant somebody with pencils, paper, maybe a slide rule, and math skills of a caliber that I certainly lack.
But all this was then just starting to change in the wake of British mathematician Alan Turing’s 1936 paper in the Proceedings of the London Mathematical Society, “On Computable Numbers.” In that paper, Turing worked through mathematics demonstrating his remarkable insight that merely with enough record-keeping power, a single machine could be used to compute any computable sequence, and could do this with as few as only two internal states — such as “zero” and “one.”
That was, in effect, the birth of what we now call computers — all but infinitely programmable devices, which Alonzo Church dubbed “Turing Machines” in 1937 — and thus the birth of our present digital age. And it is indeed extraordinary to think what has been built upon those early insights into the possibility of computation, as subsequent generations have constructed soaring architectures of software, and a bewildering kaleidoscope of software applications, that have revolutionized life in the modern world in ways far beyond my capacity to enumerate.
One towering achievement built upon Turing’s work that I must note, however, is the success of U.S. researchers working some 30 years later at the Defense Advanced Research Projects Agency (or DARPA). On October 29, 1969, DARPA researchers sent the first host-to-host message, between laboratories at the University of California Los Angeles and the Stanford Research Institute, thus creating the Internet. Today, more than half the world’s population is online and the Internet contributes trillions of dollars to the global economy.
So just as one can find Sir Christopher Wren’s epitaph inscribed beneath the great dome of St. Paul’s Cathedral in London — Si monumentum requiris circumspice: “If you seek my monument, look around you” — so too can we see Turing’s own monument all around us every day, in the innumerable facets of our digitally-facilitated 21st-Century world.
But there, it turns out, lay the seeds of a problem. Precisely because Turing’s globe-encircling digital monument towers over so much of modern life, and because — as we know with painful acuteness in the arms control, nonproliferation, and disarmament business — no powerful tool comes without the possibility of misuse, the epochal invention of what we now call “software” and computing has its own dark shadow. With every facet of our economy and our security hugely dependent upon digital systems, our public and private entities now struggle to secure these systems against all manner of cyber assailants who threaten to penetrate, steal from, hijack, degrade, manipulate, or destroy them.
Today, going on 90 years after Turing’s pathbreaking paper, malicious cyber activities and the threat of cyber aggression, including against extremely sensitive aspects of national critical infrastructure has, unfortunately, become a very real and ever present aspect of modern national security affairs. In the 21st Century, “cyberspace” — a physically nonexistent but, paradoxically, an extremely real and consequential sort of “place” — has emerged as a critical domain of conflict, a potential “battlespace” of no less consequence than the traditional 20th Century “Holy Trinity” of land, air, and sea. Our strategic competitors and adversary states know this, and they are moving fast and ruthlessly to augment their ability to hold us at risk in innumerable ways.
So how do we safeguard cyberspace as a source of prosperity and prevent it from being torn apart by conflict and instability? How do we protect our security and economic interests, and deter aggression, in this domain? And why am I raising this issue with you, who are being trained at FSI to serve as champions of American diplomacy on the United States’ diplomatic “front lines” overseas? In a security arena that most people associate simply with highly technical issues of coding and hardware, what can diplomats bring to meeting the challenges of cyberspace security?
Well, a lot. For one thing, our country can protect its interests and advance international peace and security in cyberspace in many of the ways it does elsewhere: by using diplomacy to promote our values, to build relationships with international counterparts and other stakeholders, and to cultivate alliances and coalitions of likeminded partners who can meet challenges and help deter and respond to threats together. Many others have critical roles to place in cyberspace security, of course — including in defending our networks against attack, gathering the information we need about our adversaries in order to meet the threats they present, and in implementing countermoves where that proves necessary — but in the norm-promotion and transnational relational aspects of this whole-of-system effort, we diplomats are an important force-multiplier.
At the State Department, the Office of the Coordinator for Cyber Issues (S/CCI) leads the U.S. government’s diplomatic efforts across the full range of international cyber policy issues that affect our foreign policy, and works to promote measures to ensure that cyberspace remains an open, interoperable, secure, and reliable domain. We are working to improve our ability to conduct cyberspace security diplomacy — as well as to meet the security challenges presented by certain emerging technologies such as Artificial Intelligence and 5G applications — by establishing within the Department a new Bureau of Cyberspace Security and Emerging Technologies (CSET) to report to the Under Secretary for Arms Control and International Security. Eleven months after notifying Congress of our plans, we still await its agreement to our establishing this new bureau, but S/CCI is on the job and working hard already, and we hope to begin our work under a fully fledged CSET Bureau very soon.
U.S. foreign policy in cyberspace security is clear: together with our international partners, the United States promotes responsible state behavior in cyberspace, and when states fail to live up to those standards, we work to hold them accountable. I’ve spoken elsewhere about our diplomatic efforts to promote responsible behavior in protean new arenas where traditional rules-focused arms control approaches seem untenable, but cyberspace has really been at the cutting edge of this endeavor. For more than a decade, in fact, and across three U.S. presidential administrations, we have been working to promote responsible state behavior in cyberspace, and with much success.
The basic concept is hardly shocking. Before you can enlist other states to ensure accountability of those engaging in irresponsible behavior, and before you can deter destabilizing and provocative actions, states first needed a way to identify just what irresponsible behavior actually is. States also needed mechanisms to manage tension, and through which to engage with each other, when incidents occur. Building support for such norms and establishing such mechanisms is at the core of our diplomatic agenda.
At the United Nations, for instance, we have helped build a new consensus around three key elements of an international framework of responsible state behavior in cyberspace:
1) the affirmation that existing international law applies to state behavior in cyberspace just as it does in other potential conflict arenas (i.e., that cyberspace is not a lawless, “anything goes” domain even in wartime);
2) adherence to certain non-binding norms of responsible state behavior in cyberspace during peacetime; and
3) the development and implementation of practical confidence-building measures to reduce the risk of conflict and escalation in cyberspace.
Together, these elements help build trust, enhance transparency, and decrease the risk of conflict. They also provide a normative basis for collective action by responsible states against those who act irresponsibly as judged in light of these principles. This serves the interests of accountability and is designed to make malicious cyber activity less attractive, less common, and more costly for malign actors. These elements also serve, in other words, the interests of deterrence.
The President’s U.S. National Cyber Strategy of September 2018 laid out the United States’ vision for ensuring that there are consequences for irresponsible behavior that harms us and our partners. And State Department diplomats are at the forefront of U.S. efforts to ensure that malicious actors face swift, costly, and transparent consequences.
It used to be a sort of popular conventional wisdom that one of the biggest challenges in cyberspace stemmed from the fact that it was essentially impossible to have confidence in the true source of malicious cyber activity. Cyber deterrence, and indeed any sort of response to cyberattack, it was believed, was unavailable because one could never really know who had hit you.
While attribution is certainly very difficult in cyberspace, however, this received wisdom turns out not to be entirely true. For a sophisticated player — and, make no mistake, the U.S. national security apparatus is extremely sophisticated in these respects — it actually is possible to do more by way of attribution than most observers once thought possible. It is sometimes even possible to share enough information with one’s friends and partners that they, too, can have a reasonable degree of confidence in the source of an attack. And this gives us additional possibilities not just for more direct forms of response and deterrence, but indeed for cyber diplomacy.
Our policy and our actions are clear in this respect, and they contribute both to reinforcing norms of responsible behavior and to deterring irresponsible actions. We will “name and shame” foreign adversaries who conduct disruptive, destabilizing, or otherwise malicious cyber activity against the United States or our partners. And we do.
The most recent example of this occurred just a few months ago, with a public U.S. statement about the October 2019 cyber attack against the country of Georgia, attributing this assault to the Main Center for Special Technologies (also known as “Unit 74455”) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, the military intelligence organization known as the GRU. The incident, which directly affected the Georgian population, disrupted operations of several thousand Georgian government and privately-run websites and interrupted the broadcast of at least two major television stations. After Georgia issued a statement, the U.S. quickly followed suit, along with other countries — fully seventeen of them. The EU High Representative also issued a declaration condemning the cyber attack on behalf of the European Union and all 27 of its member states.
Such a coordinated diplomatic campaign doesn’t happen by accident, of course, and we are proud to have built a coalition of responsible countries that was able to take action to call out Russia for that incident. This attribution case illustrates the kind of coordination that we believe is critical to helping deter malicious cyber activity by irresponsible states.
Nor was this our first success in building a coalition of cyber attribution. From the “WannaCry” ransomware attack to the “NotPetya” malware that affected thousands of computers worldwide in 2016 and 2017, and the depredations of the Chinese hackers of the “APT10” group who worked with the People’s Republic of China’s Tianjin State Security Bureau for more than a decade to steal information from managed service providers and Western technology companies, more and more countries are attributing cyber attacks and issuing statements of support to those that do. The United States now has repeatable processes in place to deliberate, to decide and, ultimately to respond more nimbly when such incidents occur, as well as to bring our partners along with us.
This is all a part of the “Cyber Deterrence Initiative” we are building and implementing pursuant to the U.S. National Cyber Strategy — which made clear that
“[t]he imposition of consequences will be more impactful and send a stronger message if it is carried out in concert with a broader coalition of like-minded states. The United States will launch an international Cyber Deterrence Initiative to build such a coalition and develop tailored strategies to ensure adversaries understand the consequences of their own malicious cyber behavior. The United States will work with like-minded states to coordinate and support each other’s responses to significant malicious cyber incidents, including through intelligence sharing, buttressing of attribution claims, public statements of support for responsive actions taken, and joint imposition of consequences against malign actors.”
This is exactly what we are now doing, led by State Department cyber officers. Piece by piece and precedent by precedent, we are building ever-greater support for norms of responsible behavior in cyberspace, and we are making it increasingly likely that the perpetrators of such malicious activity — and their state-level backers — will be identified. Diplomacy is thus at the center of our efforts to hold malicious actors accountable, and U.S. diplomats lead the way.
So as we engage here in “thinking globally” about the foreign policy and national security challenges that face our nation, don’t forget the increasingly important role that is being played by cyberspace security diplomacy. This is just one of the ways that the State Department is today adapting traditional diplomatic forms, tools, and skillsets to 21st-Century problems, and it is important and exciting work.
As brilliant as Alan Turing was, I doubt that even he could have foreseen the need for a modern cadre of cyber diplomats in the 21st Century. Nevertheless, there clearly is such a need, and perhaps some of you will end up joining us in this important work.
Thank you for listening, and I look forward to our discussion.