6 June 2022

Can the State Department’s Cyber Bureau Tackle Digital Repression?

Steven Feldstein

Digital technology is exerting a powerful influence on war, geopolitics, and global norms. In Ukraine, internet platforms like TikTok have unmasked the Kremlin’s fabricated narrative about conducting a “special military operation” and showcased—missile by missile and war crime by war crime—the reality of Russia’s invasion, galvanizing global opinion. In China, AI-enabled surveillance is a key weapon used by authorities to subjugate the country’s minority Uighur population, including the mass collection of biometric information from nearly nineteen million people. In the United States, cyberattacks linked to Russian hackers took down the largest fuel pipeline in the United States, leading to oil shortages across the East Coast, panic buying at gas pumps, and anxiety within the government about the spreading damage. The digital disruption sweeping the world is not relegated to a single domain; it involves security concerns, economic considerations, political questions, and human rights issues.

And yet, the State Department has been slow to recognize these challenges and reorganize itself accordingly. Secretary of State Antony Blinken’s announcement in April 2022—which establishes a new bureau of cyberspace and digital policy (CDP), alongside an office of the special envoy for critical and emerging technology—is a critical step in the right direction. The offices will bring sorely needed coordination, credibility, and resources to tackling major policy issues in the digital age. But creating new bureaus is one thing. Ensuring that the new structure will successfully drive U.S. policy, coordinate effectively with external partners, promote American interests, and protect digital freedoms is another matter. To that end, many important questions remain unanswered.

Establishing a dedicated bureau to manage the State Department’s cyber policy and emerging technology efforts is not a new idea. Back in 2011, the State Department formed a cyber coordination office, led by Chris Painter, to oversee cybersecurity priorities. This office worked closely—oftentimes awkwardly—with the International Communications and Information Policy (CIP) office, based in the Bureau of Economic and Business Affairs (EB). Under the Trump administration, the State Department reorganized the cyber office into a new cybersecurity and emerging technology bureau (CSET), which Secretary of State Mike Pompeo approved just days before the end of Trump’s presidency. This decision immediately ran into resistance due to its heavy emphasis on security—Pompeo placed CSET under the authority of the undersecretary for arms control, effectively relegating digital policy as a security concern.

When Biden came into office, his team put a pause on CSET. While Biden officials deliberated, stakeholders continued to push for a cyber bureau, arguing that the State Department needed a single place to run policy coordination and alleviate external confusion about who was in charge of what function. The creation of CDP in April represented the culmination of efforts to bolster State’s tech capacity. So far, initial signs are encouraging. Approximately sixty staffers, largely from the cyber coordination office and CIP, will staff the new bureau, with another thirty positions to be added. In addition, the State Department has requested $37 million for the bureau’s programming in fiscal year 2023. As former cyber coordinator Painter notes, this is sending “a strong message to both our friends and even our adversaries that this is something we care about deeply.”

Looming Questions

Despite these positive steps, looming questions remain. For one, it is unclear why the State Department decided to create two separate entities with independent reporting lines to the deputy secretary rather than merging cyberspace policy and emerging technology into a single bureau. If a major rationale for the CDP bureau was to foster bureaucratic coherence, it’s unclear why the State Department established two independent structures working on overlapping issues. Some experts say that emerging technology issues should be kept separate from cyber policy, arguing that the core challenges are distinct and that combining them would “generate multiple practical problems.” To be sure, emerging technologies have economic and security considerations that are distinct from legacy information and communication technologies. But drawing a clear line between digital policy and emerging technology is problematic. Take the issue of surveillance. On the one hand, managing U.S. policy toward cyber intrusion and spyware programs clearly falls within CDP’s mandate. But what about AI-enabled surveillance, such as facial recognition or other biometric technologies? Does it make sense to parse out surveillance policy based on the technological platform? The good news is that this arrangement is only supposed to last for a year, at which point the State Department will reevaluate the utility of keeping these functions separate.

Of equal importance is determining which persons will lead the CDP bureau and office of the special envoy. CDP will be overseen by a Senate-confirmed Ambassador-at-Large (AAL). This is a tricky position to fill. Ideally, the nominee will have significant experience directing a large tech organization, will be familiar with CDP’s three buckets of issues (security, economic, and human rights), and will also possess global stature. Few individuals have all of these traits. Many assume that the nominee will come with a strong background in cybersecurity and good knowledge of digital economy issues. Nathaniel Fick, a cybersecurity expert and former Marine, has reportedly been tapped to serve as the AAL. But there are questions about how the bureau will tackle digital freedom under his leadership.

The inaugural head of CDP will set the future tone and direction of the bureau. Selecting an individual who lacks a track record on digital freedom issues may reinforce concerns that human rights are a lower priority for CDP and could also be a lost opportunity to fully elevate all three digital policy issues. In general, it is unclear whether CDP merely represents the merging of CIP with the cyber coordinator’s office, with limited personnel thrown in to handle digital freedom, or whether CDP will be a central focal point for the State Department’s tech policy. The current picture is muddled. Critical issues such as cybercrime and cryptocurrencies remain with other State bureaus. In the long-term, does such bureaucratic fragmentation best serve the foreign policy interests of the United States?

What About Digital Repression?

Confronting digital authoritarianism and stanching the erosion of digital rights worldwide is a foreign policy priority for Biden (and is also the subject of my book, The Rise of Digital Repression). Just three weeks after State announced the establishment of CDP, the White House launched a high-level initiative, a “Declaration on the Future of the Internet,” which was signed by sixty countries worldwide and is intended to reverse efforts to splinter the internet, push back against authoritarian use of technology for censorship and surveillance purposes, and offset the spread of disinformation and harmful content.

The administration is clearly getting serious about countering digital authoritarianism—but will CDP make a difference in this problem? It is hard to imagine that CDP will meaningfully affect digital repression trends. The digital freedom unit’s staffing projection is small, and it remains the only CDP functional area lacking a deputy assistant secretary. In actuality, CDP will play a backseat role to the democracy and human rights bureau (DRL), which remains the policy centerpiece for combatting digital authoritarianism, based in part on its longstanding mandate from Congress to tackle internet freedom concerns. DRL has built up a strong internet freedom team that is leading on a host of digital policy issues, from network shutdowns to surveillance controls. It would make little sense, just for the sake of bureaucratic cohesion, to transfer this function to CDP. That doesn’t mean that CDP doesn’t have a role to play on these issues; it’s just that it will have to be deliberate and purposeful about finding the right opportunities. Several areas come to mind.

First, the digital freedom unit can help bridge the traditional cyber policy separation between human rights concerns and economic and security matters. Because the unit resides in the same bureau and reports up to the same boss as the cybersecurity and digital economy functions, this will give the unit greater visibility into policy deliberations traditionally run out of CIP or the cyber coordinator’s office. The digital freedom unit should have a more prominent role and voice on issues ranging from privacy and content moderation to regulating dual-use technologies.

Second, there are various policy gaps that the digital freedom unit can address. One such issue is cyber norms. Particularly in light of Russia’s invasion of Ukraine—which has seen the Kremlin conduct damaging cyber-attacks, launch information operations and propaganda, and implement internet disruptions—there is a pressing need to clarify states’ digital obligations in wartime and establish underlying rules governing their behavior. This has implications for national security and commerce, as well as for digital rights. It is logical for CDP to engage on cyber norms, and for the digital freedom unit to play a lead role. Another policy gap relates to content moderation. There is a growing global struggle between principles of free expression and states’ legitimate interests in mitigating harmful content on internet platforms and social media. U.S. policy remains inconsistent and disjointed. The unfortunate consequence is that countries like India, Turkey, and Nigeria are taking advantage of this vacuum to devise their own rules when it comes to strong-arming digital platforms and facilitating internet splinternet trends. Like the cyber norms issue, content moderation straddles economic, security, and digital rights matters. It is an area of policy contestation where CDP’s digital freedom team can have a meaningful voice.

CDP’s Future

The CDP bureau and the office of the special envoy for emerging technology are important first steps towards establishing a more serious and consistent State Department voice on digital policy. Many crucial decisions have yet to be made, such as who will lead these new entities and how they will balance competing priorities in their bid to elevate digital policy in the State Department. Digital tech policy defies easy categorization—no longer can it be broken down into neat security, economic, or human rights categories. Increasingly, these issues are intertwined. These problems demand an integrated response and reinforce the importance of CDP’s mandate. Given the enormity of digital challenges the United States faces from geostrategic peer competitors, there is little time to waste in bolstering this function.

No comments: