Dr. Christopher Ashley Ford, Assistant SecretaryBureau of International Security and Nonproliferation
Center for Strategic and International Studies
Good afternoon, everyone, and thank you for inviting me to participate in this event. You have no reason to know it, but I actually got my start in the think tank world at the Center for Strategic and International Studies (CSIS) — as an Africanist, of all things, working as a summer intern for Helen Kitchen in your African Studies department, way back in 1990. It was, in fact, my first introduction to what a think tank is, and what a think tank does, so thank you for that formative experience.
None of us imagined at that point that something called “cyberspace” would be such an important part of the 21st Century international security environment, of course, but here we are.
But that’s why I should really start today by offering special thanks to you, Jim , for your indispensable service as Rapporteur for several successive cyber-focused U.N. Groups of Governmental Experts (GGEs) where some extremely important work was done in articulating norms of responsible behavior for cyberspace. There aren’t many people around who can claim to have had so formative an impact upon an entire field of diplomacy as Jim has had in the cyber arena, so on behalf of the Department, I congratulate and thank him for all his contributions.
For my own part, I’d like to say a few words today about what we’re currently doing in the U.S. Government in the field of cyberspace security diplomacy. At a time when lurid, real-time headlines and the swirl of an oncoming U.S. presidential election understandably offer innumerable opportunities for distraction, I think it’s vital not to lose sight of the fact that important ongoing policy initiatives continue to advance — and that there is actually a great deal of really valuable continuity and evolutionary progress in U.S. cyber diplomacy.
Why we should need to pay attention to such things, of course, is pretty obvious. In this ever more Internet-connected age, it is no surprise that cyber threats continue to increase. The more indispensable such connectivity is for commerce, communications, and innumerable aspects of daily life, the more that malicious actors see opportunities to steal (or hold hostage) the information lifeblood of our contemporary economy, or otherwise to profit malevolently from these modern dependencies. But the problem goes beyond the “ordinary” criminality of fraud and theft, and even the “traditional” cyber espionage undertaken by states.
The emergence of a new era of great power competition has raised the stakes in the cyber arena. Adding to the problems we already faced from cyber criminality, we now also must address a new layer of geopolitical threat from the revisionist powers of the People’s Republic of China (PRC) and Russia — states that use cyber tools to steal technology to build up their military capabilities, to prepare for devastating attacks upon our critical infrastructure in the event of crisis or conflict, to carry out disruptive cyber attacks aimed at destabilizing our allies and partners, and to influence and manipulate our electoral processes. This shift in the threat is a challenge of enormous magnitude, and one to which the non-authoritarian world is still only in the early stages of mounting effective responses.
This expert audience at CSIS needs no primer on the threefold threat we face from cyber-facilitated technology-transfer, potential disruptive or destructive cyber attacks against critical infrastructure, and cyber-facilitated political manipulation. What I’d like to outline this afternoon is what we are doing — at least in my own piece of the State Department — in responding to these threats.
Before I address the various steps we’re taking, however, let me say a quick word about what I am pleased to say we are not doing.
“Arms Control” in Cyberspace
What we are not doing is reflexively chasing solutions that cannot address the problems that we face in cyberspace. Effective risk reduction in cyberspace is challenged by several important characteristics of the cyber domain.
- First, malicious cyber activity can be carried out across a spectrum that spans activities both above and below the legal threshold of a use of force.
- Second, impending cyber attacks offer few external observables, giving little strategic or tactical warning and complicating the ability to attribute responsibility for an incident and to verify compliance with accepted norms of behavior.
- And third, the technologies involved in cyber operations, and their ubiquity and often dual-use nature, not to mention their possession by both state and non-state actors, make cyberspace tools difficult to define or control, while raising the possibility that efforts to achieve such control would have severe repercussions for innovation and economic development.
All of this makes effective “arms control,” at least as traditionally conceived, difficult or impossible in protean, rapidly evolving, high-technology domains such as cyberspace. As I have also pointed out with respect to the high-technology domain of outer space, if one aims to limit or ban “weapons” in cyberspace in the way that traditional arms control tries to address other dangerous tools, it is all but impossible to come up with a good definition.
There seems to be no way to avoid being either damagingly over-inclusive in ways that would also prohibit technologies essential to peaceful civilian and scientific uses, dangerously under-inclusive in ways that would miss entire categories of potential “weaponry,” or in fact both. Moreover, even if you could define the problem, no one’s ever been able to offer an intelligible scheme for verifying a prohibition. So like outer space, cyberspace: “is a domain in which technologies are evolving so quickly, private and governmental actors are intertwined, and definitions of what can be a ‘weapon’ are so vague, that it is hard to see how traditional, rule-based and legally binding ‘prohibitory’ approaches to arms control could work.”
Accordingly, the United States has long rejected efforts to impose traditional arms control measures on offensive cyber capabilities. Such a stance is especially important given the degree to which Russian and PRC campaigns to promote “arms control” in cyberspace have focused less on actual measures to reduce the risk of conflict involving technical cyber operations than they have focused on efforts merely to co-opt arms control rhetoric in support of campaigns by those authoritarian regimes to legitimize oppressive controls over the political content of Internet communications.
As so often in diplomacy, therefore, not doing dumb things is half the battle. Accordingly, we continue to resist the temptation to engage in quixotic “arms control” efforts in cyberspace, especially when such proposals originate from dictatorial regimes that are themselves engaged in some of the world’s most egregious cyber behavior.
Frameworks for Responsibility and Restraint
So that’s what we’re not doing. What about what we are doing?
Well, one critical plank of the U.S. agenda is to promote clear understandings of what constitutes responsible State behavior in cyberspace — which Jim knows full well, thanks (as I noted) to his outstanding contributions in this area.
As I have explained elsewhere, U.S. diplomats – for more than a decade, in fact, and across three U.S. presidential administrations – have been working with counterparts around the world to articulate and to promote such voluntary, non-binding norms.
One of these key principles is the idea that international humanitarian law, international human rights law, and indeed also the United Nations Charter itself, apply to State behavior in cyberspace in the event of armed conflict. Led by the United States, a broad coalition of diplomats carried the day on this at the 2013 cyber GGE, which articulated by consensus that “nternational law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible environment.” This conclusion was reiterated by a subsequent GGE in 2015, and both reports have been endorsed by U.N. Member States. Russia has recently started to try to walk back its commitment to this principle — and we must all join in condemning and resisting this — but the achievement of the United States and its GGE partners in making these points clear was a huge step forward for cyber diplomacy.
Beyond articulating the applicability of international law, moreover, United Nations cyber GGEs have also spelled out voluntary, non-binding norms of responsible State behavior that apply short of armed conflict. The consensus 2015 GGE report, for instance, recommended among other things that States should not “conduct or knowingly support activity … that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.” The U.N. General Assembly has by consensus called on all states to be guided by these norms.
These principles are voluntary, non-binding norms rather than legally binding requirements. Nevertheless, they are a major step forward in creating expectations of responsible behavior in the cyber domain to help guide State actions and encourage restraint and prudence in cyber operations.
And that brings me to some of our more recent innovations. For such understandings of what constitutes responsible behavior are also critical to understanding what behavior is irresponsible — and that, in turn, opens up possibilities for efforts to make such irresponsibility increasingly unattractive to its would-be perpetrators. This is the burgeoning arena of cyberspace deterrence.
Explicit strategies of deterrence are only relatively recent additions to U.S. cyberspace policy. For a while, the United States seemed almost to hope that the mere example of its good-faith engagement with malicious cyber actors such as Russia and the PRC might be enough to persuade them to rein in their bad behavior. In 2013, for instance, the Obama Administration established a new communications channel for addressing cyberspace problems that connects the U.S. State Department to the Ministry of Defense in Moscow.
Such direct, domain-specific channels can indeed provide a valuable means with which parties can communicate about emergent issues in ways that could help them manage crises and prevent inadvertent escalation. While an important step forward, however, that new link did not represent a fully adequate answer, because U.S. policy at the time seemingly ignored the element of deterrence. The approach then seemed to rest on the idea that communication alone could address growing cyberspace threats, as if the Kremlin’s malicious cyber activities were simply miscalculations or mistakes that would be stopped if we simply pointed them out. That “pure communication” approach collapsed in response to Moscow’s efforts to influence the 2016 U.S. elections because the Russian activity in question, of course, wasn’t a misunderstanding or error that might be corrected after having attention drawn to it, but instead a deliberate policy choice.
But we have learned the lessons of that history, and we have come more explicitly to incorporate elements of deterrence into cyberspace security diplomacy as well. The lessons of the last few years have made clear that having a framework of responsible state behavior is not enough in itself: there must also be consequences for the violation of such norms.
This approach builds upon the 2018 U.S. National Cyber Strategy, which made clear that:
“s the United States continues to promote consensus on what constitutes responsible state behavior in cyberspace, we must also work to ensure that there are consequences for irresponsible behavior that harms the United States and our partners…. The United States will launch an international Cyber Deterrence Initiative to build … a coalition and develop tailored strategies to ensure adversaries understand the consequences of their own malicious cyber behavior. The United States will work with like-minded states to coordinate and support each other’s responses to significant malicious cyber incidents, including through intelligence sharing, buttressing of attribution claims, public statements of support for responsive actions taken, and joint imposition of consequences against malign actors.”
This work involves the whole U.S. interagency. Pursuant to the 2018 Department of Defense Cyber Strategy, for instance, the armed forces “defend forward to disrupt or halt malicious cyber activity at its source … to stop threats before they reach their targets.” The Justice Department uses its own authorities against malicious cyber actors, including just this very afternoon, when Justice indicted six Russian military intelligence officers for involvement in “some of the world’s most destructive malware to date,” including in attacks which caused blackouts in Ukraine, as well as unleashing the incredibly destructive “NotPetya” virus.
For our part, we at the State Department have also played a leading role in this — in particular, through building the aforementioned Cyber Deterrence Initiative, or CDI. On the one hand, we have continued the work I’ve already described to promote acceptance of and adherence to the U.S.-developed framework of responsible state behavior in cyberspace. On the other, we have worked within the U.S. government and with international partners to build a shared capacity to swiftly impose consequences when our adversaries transgress this framework. Working with interagency colleagues, we have developed policies, processes, and response options that allow us to act quickly. We have also worked closely with likeminded countries to build a flexible model for organizing cooperative responses to significant cyber incidents.
“Attribution diplomacy,” as I call it, is a critical part this work. It used to be assumed in some quarters that cyber attribution was more or less impossible, but thankfully that’s not true. It’s not easy, of course, but it’s hardly impossible, and we’re getting better not just at doing attribution ourselves but at mobilizing partners to condemn malicious cyber activity as well. This is a critical component of our cyberspace security diplomacy.
In September 2019, for instance, 28 states joined in a “Joint Statement on Advancing Responsible State Behavior in Cyberspace,” which included a commitment to “work together on a voluntary basis to hold states accountable when they act contrary to this framework.” In February 2020, 20 individual states – and the European Union as a whole – also joined in condemning the disruptive cyber attack against the country of Georgia that was mounted in October 2019 by the Russian GRU military intelligence service.
In April 2020, moreover, the United States and several other likeminded countries issued concerted statements in response to an alert issued by the Czech Republic about its detection of impending cyber attacks targeting its health sector, warning that such actions would result in consequences. This was the first time that likeminded states have ever come together to warn against a specific future cyber attack, and we believe our warning had an effect; despite preparatory work by the would-be perpetrators, no major cyber attack ultimately occurred in that case.
Reinforced by the increasing imposition of not just United States but now also European Union sanctions in egregious cyber cases, this cyberspace security diplomacy is helping to increase the costs and risks faced by the perpetrators of malicious cyber activity. There’s a long way to go, of course, but we’ve been making really important strides.
Organizing the State Department for Success
As a final note, I should also recount that the State Department is finally organizing itself for success in this arena, too. As far as I can tell, it is all but universally agreed that the Department badly needs a bureau the full-time job of which is to address cyberspace security and emerging technology (ET) issues. Such points have been made, for instance, by the National Security Commission on Artificial Intelligence, the Cyberspace Solarium Commission, and by world-class think tanks such as you good folks at CSIS.
Well, we at the Department agree with that, and this is why Secretary Pompeo notified Congress in 2019 of our intention to create a new Bureau for Cyberspace Security and Emerging Technologies (CSET).
Our move to create CSET is based on the idea that in addition to the need to ensure that the Department is fully staffed and prepared for the ongoing challenges of cyberspace security diplomacy, we also need full-time specialist expertise to address the security challenges presented by rapid developments in ET areas such as artificial intelligence and machine learning, quantum information science, nanotechnology, biological sciences, hypersonic systems, outer space, additive manufacturing, and directed energy.
The 2017 National Security Strategy, after all, acknowledges that maintaining a competitive advantage in ET is critical to national security interests and economic growth. Our strategic competitors certainly think so, and they are working as fast as they can to seize advantage in these areas. We must not allow ourselves to be left behind.
Hitherto, no one bureau at State has been responsible for ensuring that the Department develops and implements coordinated diplomatic responses to the national security-related aspects of cyberspace and of current and future ET. So we’re going to fix that. Reporting to the Under Secretary for Arms Control and International Security, CSET will finally allow the State Department to be properly organized to handle these various security challenges.
Nevertheless, actually getting this done has been hard — and needlessly, even embarrassingly, so. Secretary Pompeo notified Congress of our intent to create the new bureau in the summer of 2019. Thanks to the refusal of merely two Members of Congress who have kept “holds” upon our creation of this new bureau, however, CSET still does not exist, nearly a year and half later. Our adversaries are surely delighted by this, of course, for their activities against the United States have faced no “hold,” and indeed they are accelerating.
So I hope this roadblock will be quickly overcome, for the State Department badly needs to posture itself against the security challenges this country faces in cyberspace and in connection with emerging technologies. We badly need to reorganize and resource our cyber diplomats, but other countries – both partners and adversaries – have moved forward to establish analogous institutions, while we have been held back by those two Members of Congress.
Within the Department, we’ve long done good work on these issues, and have coordinated smoothly across multiple bureaus, but we can do better. With CSET, I trust we soon will.
So, all in all the breadth and the severity of the cybersecurity threats we face are great, and they are growing. Nevertheless, the U.S. Government is now mounting increasingly effective responses — not least, here at State.
This is a challenging arena, and it will require much hard work and attention in the years ahead. But we are now on the right path, and we are making progress.