The State Department’s new International Cyberspace and Digital Policy Strategy calls for mutual assistance, increased cyber aid to developing economies, and secure technologies that can compete with what China offers to states looking for assistance and economic growth. The cybersecurity strategy casts the United States as a necessary leader in technological development and the establishment of norms, warning of the consequences of a rival such as China or Russia stepping into that role.
Cybersecurity strategy offers four-point plan for building up global digital ecosystems
The International Cyberspace and Digital Policy Strategy centers itself on the concept of “digital solidarity” between US allies and developing nations, with expanded public-private partnerships joining government agencies to cover everything from the undersea internet cables that connect continents to emerging AI technologies.
The cybersecurity strategy asks these partners to rally around three central principles: a broad vision of cyberspace grounded in commitment to international law and agreements, fundamental data security and privacy practices, and greater diplomatic involvement across all elements of the digital ecosystem. Four proposed “action areas” narrow these broad principles down to somewhat more specific categories of activity: promoting and maintaining a resilient digital ecosystem, aligning rights-respecting approaches to digital and data governance with international partners, building coalitions and partnerships to address pernicious cyberspace threats, and providing partners with needed digital cyber capacity.
State-sponsored hacking has been going on for at least three decades now, but the cybersecurity strategy appears to have been prompted by a recent rash of bolder-than-usual actions by US rivals and the increasing possibility of multiple major sustained armed conflicts around the world. All of this can loosely be traced back to 2021, when cyber criminals in Russia, not known to be state-supported but benefiting directly from the laissez-faire attitude of domestic law enforcement, crossed the line into causing widespread physical logistical damage as a part of their ransomware attacks. That has graduated to reports that foreign APT teams have been lurking in utility grids and water stations for years, apparently waiting to cause chaos should an armed conflict involving them begin. State-backed actors have also been more aggressive about breaking into foreign government servers and email accounts in their intelligence-gathering operations.
The cybersecurity strategy essentially formalizes what have been sporadic actions by the Biden administration since 2021 in the area of establishing stronger international norms and agreements, particularly with smaller nations that China might look to woo by offering foreign aid and infrastructure. Much of the “minilateralism” effort of this nature seems to be focused on Asia and Latin America’s smaller countries, where the administration has already distributed hundreds of millions of dollars in foreign aid to assist in responding to ransomware incidents that hit government agencies. It also ties together the White House’s previous National Cybersecurity Strategy, issued a little over a year ago, and the Defense Department’s cybersecurity strategy from late 2023 with the country’s intentions for foreign policy going forward.
New cybersecurity strategy also addresses quantum computing
In addition to AI, the cybersecurity strategy identifies five key points of focus: biotechnology, advanced telecommunications, clean energy, microelectronics, and quantum computing. “Microelectronics” seems to refer to the fact that the US produces very little of its own supply, but also to an increasing need for segmentation of production of technology to be used in sensitive applications.
While AI is the topic of most immediate concern, quantum computing is addressed as the looming threat of the near future. The paper notes NIST’s recent selection of four algorithms to function as the post-quantum cryptography standard, and declares that the Department of State will work to internationalize them as a part of its “digital solidarity” effort.
The cybersecurity strategy also discusses the building of secure cloud infrastructure in nations that may be targeted by China or Russia with short-term economic aid packages. But the US faces more than just a bidding war here, as the strategy also notes a deep sense of distrust in some parts of the world due to US laws and practices regarding the interception of foreign data. The report does not mention anything new to appease these concerns, however, instead touting the protections offered by the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act and promising to “work with international partners” going forward.
On the front of seemingly out-of-control cybercrime, the cybersecurity strategy proposes continuing to support the existing Budapest Convention while pushing for UN action on a cybercrime treaty.
James McQuiggan, Security Awareness Advocate at KnowBe4, notes that this may be the most important of the short-term goals outlined by the government: “Strengthening international cooperation is crucial to preserving cyberspace’s borderless environment. While the strategy supports collaboration, there is a more significant opportunity for a global standard for cyber warfare and cybercrime. Cyber diplomacy could also focus on establishing international cyber incident response teams. With increasing amounts of data generated globally, the strategy could review and examine the complexities of data sovereignty and the secure cross-border flow of data, including developing international agreements that respect the data privacy laws of individual countries while facilitating global commerce and security. Cybersecurity strategies often focus on defense and response. However, fostering a culture of cyber resiliency where nations anticipate, prepare and recover from cyber incidents could be more emphasized as it should not only focus on technical defenses but also training, awareness and building a strong security culture within the nations to be proactive on potential cyberthreats. As AI technologies connect with cyberspace operations, the strategy could benefit from a more explicit stance on ethical AI use. Ensuring AI systems are used responsibly in cybersecurity operations would emphasize transparency, accountability and respect for privacy and human rights.”
Austin Berglas, Global Head of Professional Services at BlueVoyant, sees immediate attention to cybercrime as a vital component given that these threat actors are not likely to lose the “safe haven” countries they can operate from with impunity: “The newly released United States International Cyberspace & Digital Policy Strategy details a broad approach to addressing numerous recurring issues which continue to threaten global national security. Backstopped by Secretary Blinken’s statement, ‘The United States will work with any country or actor that is committed to developing and deploying technology that is open, safe, and secure, that promotes inclusive growth, that fosters resilient and democratic societies, and that empowers all people,’ this policy strategy acknowledges that no single entity can fully protect its national interests without deep and loyal cooperation from their partners. Digital solidarity intends to move the U.S. and allies past the decades-old mantra of the importance of information sharing and into four formalized action areas, with specific lines of effort, addressing data governance, artificial intelligence, supporting the digital global ecosystem, and countering threats to critical infrastructure. As the world moves toward increased automation, threats in cyberspace will continue to become more complex; threat actors will continue to conduct anonymized attacks from safe haven countries unless powerful and influential nations combine forces to remove safe harbors and hold those countries accountable; and cyberspace will remain the wild west, unless these leading nations organize and formalize digital policies, law, and regulatory standards.”