Oral Testimony For Today's SFRC Hearing

Testimony before the Senate Foreign Relations Committee: Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy, on "U.S. International Strategy for Cybersecurity. 

Full video from the testimony can be found here.


Cybersecurity is a new challenge for foreign policy.  The internet and other cyber technologies have reshaped economies and accelerated growth, providing immense benefit, but they can be used for purposes both good and or bad.  Digital networks provide countries with new ways to grow and trade, but they are also are a means of influence, coercion, and attack. 

Four countries – Russia, Iran, North Korea, and China – are our principle rivals in cyberspace.  To constrain them, we need better defense, penalties of malicious actions, and international agreement on the rules of responsible state behavior.  Getting these rules requires the support of our allies and the new regional powers. 

The U.S. approach to international cybersecurity is to seek agreement on norms and confidence building measures and to build mechanisms for cooperation.  Norms and CBMs are the best available approach.  A cyber treaty, for example, would be unenforceable.  Nor can we deter our adversaries.  Deterrence doesn’t work against espionage or crime, and may not work at all against non-state actors. 

The U.S. is involved in many discussions on cybersecurity, in the UN and in regional groups such as the OSCE, but progress has been slow.  The U.S. has had more success in revising its mutual security treaties with Asian allies and with NATO to make cyber security as part of collective defense.  

Cyberspace is a man-made environment operated by commercial companies.  This complicates efforts to reach agreement on security, and while there is international agreement that the private sector should play an appropriate role and that this role should reflect private sector competencies in technology and business, many countries would prefer that nation-states lead in any negotiation.

This Administration issued an International Cyber Strategy in 2011.  It is time to rethink this strategy in light of a changed international situation.  This is a much more difficult and contentious negotiating environment than 2011.  

The principle issue for reconsideration in U.S. strategy is whether to seek formal agreement first among like-minded countries or to continue to wait for agreement from rivals.  The U.S. has been reluctant to adopt a like-minded approach, fearing that we will lose the support of important countries like India or Brazil, but we face a determined effort by Russia and China to dismantle American leadership in international affairs and it will be difficult to win even limited agreement from these rivals on cybersecurity.

The Department of State also needs to reorganize for cybersecurity and adopt a more formal and permanent organization.

In the last decade, cybersecurity has become a central issue for international security and diplomacy.  Given its importance for our economy, international trade and for national security, cybersecurity should be part of the foreign policy agenda for this Congress.  

Thank you for the opportunity to testify.  I would be happy to take any questions.