The State Department's New Cyber Reports Miss the Point Entirely

On May 31, the State Department released summaries of reports on deterrence and international engagement in cyberspace. In Executive Order 13800, President Donald J. Trump instructed federal agencies to produce a report on “options for deterring adversaries.” The order also instructed the secretary of state, coordinating with other federal agencies, to submit a report “documenting an engagement strategy for international cooperation in cybersecurity.”

With U.S. cyber policy facing serious challenges and questions about the Trump administration’s approach to cyber threats rife, these reports provided the administration with an opportunity to formulate strategies to improve cyber engagement and deterrence. However, the summaries suggest the reports fail to acknowledge the crisis that U.S. cyber policy faces and recycle ideas that have been around for years. The administration’s behavior also raises doubts that it is willing and able to implement what the reports recommend. 

The summary of the international engagement report speaks of a “new call to action.” The summary of the deterrence report claims it provides a “new U.S. vision” for deterring adversaries. Neither summary includes anything indicating the reports involve novel ideas. The descriptions of the problems in question are generic. The prescribed objectives and means of implementation repeat what appeared in policies of the Bush and Obama administrations. This continuity might mean that the Trump administration’s penchant for abandoning conventional approaches for radically different strategies will not define its cyber policy.

However, continuity between these reports and documents issued during previous administrations does not inspire confidence. Neither summary engages with concerns that conventional wisdom in this area has not produced desired outcomes across a range of objectives, including domestic cybersecurity and internet freedom. Nor do they mention the policy disaster that occurred when Russia manipulated cyberspace to influence electoral politics in the United States, despite the claim that the “preeminence of liberal democratic values” hinges on what happens in cyberspace.

The engagement summary emphasizes that the United States will “continue to take a comprehensive, yet strategic, approach to international cooperation in cyberspace.” Its recommendations contain familiar objectives, such as defending multistakeholder internet governance, and activities, such as capacity building. Repetition of such objectives and activities suggests that the Trump administration believes it will be more successful with these ideas than previous administrations.

However, the summary does not illuminate how the administration will produce better outcomes using the same approaches. The administration’s ability to conduct cyber diplomacy has been questioned since former Secretary of State Rex Tillerson abolished the Office of the Coordinator of Cyber Issues, leading critics to argue that “uncertainty surrounding State’s cyber portfolio sends the wrong message to the world about U.S. willingness to shape international behavior in cyberspace.”

This question is also pertinent given the administration’s “America First” skepticism about diplomacy and cooperation. The engagement summary calls for “cooperation with foreign partners and allies,” but, in other areas, such as trade and the Iran nuclear deal, the administration has aggravated allies and partners on matters of strategic importance. How cyber diplomacy will fare amidst deteriorating relations between the United States and friendly countries is not clear.

According to the deterrence summary, deterring malicious cyber activities requires “a fundamental rethinking” of policy. The summary reveals no such rethinking. It argues that deterrence by denial through strong cyber defenses is “foundational to the U.S. deterrence approach.” However, it describes no recommendations for improving it. The summary acknowledges that promoting “a framework of responsible behavior in cyberspace” is necessary but not sufficient, but it contains no suggestions for strengthening deterrence by norms.

Despite the continued growth of cybercrime, the summary states that criminal charges, prosecutions, and sanctions can “deter most would-be malicious [nonstate] actors.” Concerning terrorists, the summary identifies the need to strengthen deterrence by denial, including preventing and disrupting “access to malicious cyber capabilities.” For this purpose, the summary recommends, without specifics, exploring new uses of existing legal authorities, amending such laws, and/or developing new authorities.

The deterrence summary identifies malicious cyber activities by states that do not constitute a use of force as the most difficult problem. Its recommendations are general and break no new ground concerning deterrence by retaliation—create a policy for when the United States will impose consequences, develop a range of consequences to impose, conduct interagency planning for imposing consequences, and build support from other states concerning the imposition of consequences.

Few would quarrel that the United States should have a policy guiding deterrence by retaliation. However, the summary describes no guidance on important questions, such as what criteria should the U.S. government use in deciding when and how to retaliate? The emphasis on interagency coordination for producing consistent deterrent responses and managing risk escalation rings hollow given elimination of the White House cyber coordinator position and infighting within the administration over control of the cybersecurity portfolio.

Thus, the summaries and the circumstances in which they appear suggest the reports probably do not constitute seminal documents in the evolution of U.S. cyber policy. Release of the full reports would facilitate a better understanding of what a year of effort across the federal government produced for President Trump to consider.