For decades, cybersecurity experts have been held back by a relative lack of federal involvement across a range of issues in cyberspace. Now they’ve finally got their wish, but will the Bureau of Cyberspace and Digital Policy (CDP), which the State Department announced last week, focus on all of the right issues?
For years there’s been a clear necessity for such an agency. Attacks such as last year’s Colonial pipeline hack and the 2020 Solar Winds attack on the U.S. software supply chain—both of which originated overseas—highlight the need to bring more federal clout to the cybersecurity conflict.
In this regard, the CDP should be an important step in improving the U.S.’s cyber defenses. The risk of a hostile foreign power turning off an electrical grid or a water utility and causing serious unrest is not a new one, but heightened tensions around the world and the tragedy unfolding in Ukraine have raised our awareness of the all-too-real presence of such threats.
The overall mission of the new bureau has not yet been discussed in great detail, but in making the announcement, officials said one focus will be ransomware and cyberattacks from state-sponsored groups in rogue nations. Presumably this means those high-profile exploits against critical infrastructure and industry.
But while attacks on oil processing plants and meat producers get all the attention, the CDP also has the chance to improve the lives of Americans in another important way—by taking on the rampant fraud that victimizes hundreds of thousands of people every year, many of whom are in retirement or other financially fragile positions. I would argue that this an area that also constitutes infrastructure in that it jeopardizes the retirement and safety nets of people nationwide.
We do not know at this point whether the bureau will take a similar position, but there’s no question that this issue is deeply hurting people across the country. Some find their entire life savings taken. And through loopholes in our own laws like the notorious Regulation E—the Federal Reserve Board rule giving guidance for electronic funds transfers and electronic debit cards—financial services companies will often disavow liability, leaving the victimized consumer powerless.
We have no shortage of agencies who investigate cybercrime within our borders. There’s CISA under the DHS, the FBI, the Secret Service. Virtually all local, state and federal agencies have some cyber investigations component, and there are literally thousands of them across the United States.
But reality is that cybercrime knows no borders, and while our national agencies do cooperate with counterparts in some other nations, their hands are tied as soon as they realize an attack came from a country that we don’t have an investigation and enforcement treaty with. More often than not, there’s nothing they can do. State and local agencies have even less influence.
With some of our allies, we do have diplomatic levers. Through a Mutual Legal Assistance Treat (MLAT), for example, the United States and countries including the U.K. and Canada honor each other’s data preservation letters, search warrants, and evidence. But no such agreement exists with many countries that act as hotspots for digital criminal activity.
This is where the CDP has the potential to play a transformative role in our war against cybercrime. Working to extend an MLAT to virtually every country, especially those where cybercriminals most often reside, is just one way the weight of the State Department can be brought to bear against bad actors. The agency can also streamline cooperation between the FBI and the Cybersecurity and Infrastructure Security Agency and similar enforcement bureaus overseas, as well as facilitate international dialog and policy negotiations at the U.N. and elsewhere.
It’s good to see the Biden administration taking the security industry’s cue that it’s time for all entities to work together to fight cybercrime and malicious social engineering online. We don’t need another cybersecurity agency. We have plenty of those. We need somebody at the national level that is moving the levers of diplomacy. We need a global, collective effort pulling together the threads of technology, policy, communications, and action. If given the mandate and the right tools, this new bureau could have an enormous impact.
Dan Woods is the vice president of the Shape Intelligence Center at F5 Shape Security. Prior to Shape, he worked for more than 20 years in local, state, and federal law enforcement and intelligence organizations, including the FBI, as a special agent, and the CIA, as a cyber operations officer.
(25)