There’s no shortage of unfilled, important jobs in the federal government these days. Now the State Department appears poised to add to that list at the end of the month when it loses Christopher Painter, the department’s coordinator for cyber issues since 2011. No replacement for Painter has been announced, and Politico reports that the State Department is considering downgrading the position or even closing the cyber office altogether.
It sometimes seems like just about every U.S. government agency has a cyber division or task force of some sort, but the shuttering—or even shrinking—of the State Department’s cybersecurity efforts would leave a void that no other agency could fill. In recent years, the State Department has played a vitally important role in shaping international debates and decisions about internet security and internet freedom. That the administration is even considering such a move suggests it has almost no understanding of how integral international diplomacy is to trying to make real progress on these issues.
Unlike the Department of Homeland Security and the Defense Department—the two agencies in charge, respectively, of civilian and military cybersecurity efforts—the State Department has been one of relatively few voices in the U.S. government to acknowledge and grapple with the fact that trying to make the internet more secure often raises conflicting and contradictory priorities. In a speech at the Newseum in January 2010, then-Secretary of State Hillary Clinton tried to reconcile the importance of protecting critical computer systems and networks while enabling people everywhere in the world to have free access to online information, regardless of technical restrictions imposed by their governments.
“Countries or individuals that engage in cyber attacks should face consequences and international condemnation,” she said. She also blasted countries that “erected electronic barriers that prevent their people from accessing portions of the world’s networks” and pledged continued financial support from the State Department for tools that would help people in those countries circumvent those barriers, like Tor, a service that routes internet users through different servers to shield their online activity. These are two priorities fundamentally at odds with each other. How do you catch and punish people who break U.S. laws online, while also making it possible for people in other countries to violate their own governments’ restrictions on internet use without being caught and punished?
The State Department hasn’t resolved that tension, but it has, historically, understood that both of those goals are important. That understanding has put it at odds with other branches of the government at times, especially those whose primary focus is making it harder for people to get away with anonymous activity online. For instance, a Washington Post headline in 2013 pointed out, “The NSA is trying to crack Tor. The State Department is helping pay for it.” Both of those missions are important—finding vulnerabilities in online services that can be exploited for national security and intelligence purposes, and funding tools that help protect people’s anonymity online. And there are not a lot of other government agencies besides State that are likely to champion the second mission as well as the first. By understanding that there are multiple, often conflicting dimensions to achieving cybersecurity in an international context, and trying to straddle that divide, the State Department has played a unique role in the federal government’s cybersecurity efforts.
In 2012, at the World Conference on International Telecommunications in Dubai, at a moment when many countries—including Russia—were eager to see the Internet controlled more directly by governments, the State Department led and coordinated the U.S. delegation, which advocated for an approach to internet governance that included companies and civil society, as well as government representatives. Over the course of the past decade, the State Department has had a profound impact on how the U.S. government understands what online security should look like, as well as how best to achieve it.
It seems almost ridiculously obvious to point out that cybersecurity for a global internet requires international perspectives and engagement—requires, in other words, the involvement of high-level State Department officials. That means not just working with governments in other countries to come to international agreements about cybercrime and policing, but also understanding what online security means to people in other countries and helping to supply the appropriate tools. No other government agency is poised to fill that role. Eliminating the State Department’s cyber office is likely to make the U.S. government’s stance on cybersecurity much narrower and less attuned to the complexities and contradictions of these issues. And a cybersecurity agenda dictated solely by domestic interests and priorities is unlikely to create internet policy that will be respected or accepted by other countries.