The Russian Foreign Intelligence Service’s compromise of U.S. company SolarWinds and a variety of other information technology infrastructures has been described as “the greatest cyber intrusion, perhaps, in the history of the world.” According to the Biden administration, the hack gave the Russians the ability to compromise or disrupt potentially 16,000 computer systems worldwide, enabling collection of vast amounts of information from federal departments and agencies, private companies, and other victims.
On April 15, the Biden administration outlined its response. The White House formally attributed the campaign to the Russian Foreign Intelligence Service, expelled Russian diplomats from the United States, imposed sanctions on six Russian technology companies that support the intelligence service’s cyber operations, and issued a new directive imposing sovereign debt sanctions on Russia. The administration’s actions were impressive in terms of their scope, drawing on many U.S. response options simultaneously.
While the most newsworthy aspects of Washington’s response to Russia was featured in the first two-thirds of the April 15 statement, the last section outlined important steps that will guide America’s international cyber policy for years to come. The Biden administration explained that it would be “supporting a global cybersecurity approach” through international capacity-building projects focused on enhancing understanding of the “policy and technical aspects of publicly attributing cyber incidents” and the provision of training to foreign partners on the applicability of international law in cyberspace. This effort highlights an often overlooked element of U.S. national security and cyberspace policy: Improved cyber security around the world and improved capacity to identify and hold accountable malign actors in cyberspace make the Internet safe for American users and everyone else. When the United States helps its international partners improve their own cyber security, the benefits reverberate across cyberspace.
Congress should create a new capacity-building fund dedicated to cyber security with the authority to provide assistance to countries of all income levels, in all parts of the world, especially during times of crisis. Despite the importance of capacity building as a national security priority, the legal authorities that enable U.S. cyber capacity building are inflexible and slow, often cobbled together from programs that were designed for Cold War-era diplomacy. These tools are insufficient to enable the United States — led by the State Department — to support foreig
Existing U.S. capacity-building programs also face challenges related to agility and are inadequately positioned within broader efforts to counter Beijing’s growing influence abroad. Foreign assistance moves slowly. Capacity-building programs are aimed at boosting the cyber maturity of partner and allied nations, a process that can take years, if not decades. And even countries with the most mature cyber capabilities are not immune to crisis. When such crises arrive, it may be critical for the United States to move money immediately to aid with incident response and remediation. Congress should ask the State Department to review — in consultation with other federal departments and agencies — the process of delivering foreign aid in times of crisis and how the process for cyber security capacity building can be streamlined or expedited during exigent circumstances so that the State Department can support foreign partners when they need it most. Such assistance would be similar to the rapid humanitarian and disaster relief aid that the State Department and USAID distribute during times of crisis.
When it comes to international capability in cyberspace, U.S. civilian agencies should take the lead. While the Defense Department has a huge role to play in keeping the country safe in cyberspace, U.S. diplomats are better positioned to advance U.S. cyber security interests in foreign capitals. Ensuring that all tools of international engagement — including military, diplomatic, and foreign assistance — are aligned is imperative to strengthening the credibility of America’s actions in cyberspace, and the Bureau of International Cyberspace Policy is a good focal point for that coordination within the State Department.
n partners working to mature their cyber security systems, much less to meet the needs of partner and allied nations during times of crisis. Without specifically dedicated funds, cyber security is forced to compete with a variety of other foreign assistance priorities.