Written by Sean Lyngaas

The State Department’s top cybersecurity official says he is “optimistic” the United States can strike a deal at the United Nations on norms for government behavior in cyberspace with multiple countries, including China and Russia, two of Washington’s biggest adversaries in the domain.

Despite myriad U.S. grievances with the Russian and Chinese governments over their hacking operations, Robert Strayer said there is ample precedent for a new agreement involving the three cyber powers.

“I think that it is possible because we have had three successful processes at the [United Nations] that have established that international law applies to cyberspace just like it does in the real world,” Strayer, a deputy assistant secretary of State, said in an interview.

“All of those successful, consensus-based documents required that the U.S., China, and Russia came to agreement on the terms.”

The last agreement at the UN forum, known as the Group of Governmental Experts, was reached in 2015 and included no fewer than 20 countries, including the U.S., Russia, and China. The non-binding document affirms that a country shouldn’t carry out cyberattacks that intentionally damage another country’s critical infrastructure.

However, the latest round of talks collapsed in June 2017 amid reported acrimony between the U.S., Russia, and others over the right to self-defense in cyberspace.

Analysts say that for any new agreement on norms to have widespread impact, it must involve Russia and China. U.S. officials have accused hackers operating at the behest of Moscow of meddling in the 2016 U.S. presidential election, and those working for Beijing of stealing reams of intellectual property from U.S. companies over the years. The United States, of course, conducts its own hacking against foreign countries.

Despite all of those grievances – and diverging views on internet governance – Moscow also appears to be interested in reviving the UN dialogue. Russia plans to introduce a resolution in September calling for the UN GGE to reconvene, according to Russian newspaper Kommersant.

A ‘foreign policy imperative’

Strayer, a former general counsel at the Senate Foreign Relations Committee, has served as State’s top cyber diplomat since September. His appointment came in the wake of former Secretary of State Rex Tillerson’s decision to effectively downgrade State’s cybersecurity office and eliminate the position overseeing it. Tillerson cast the decision as a red-tape-cutting exercise, but critics said it de-emphasized U.S. cyber diplomacy at a time of prolific nation-state hacking.

Strayer rejected any notion of U.S. disengagement on the issue, saying that his team has been working steadily to develop a cyber deterrence strategy and bolster the computer security of allies.

“In my view, we’ve actually accelerated what we’re doing in taking a strategic and very determined approach about what our priorities are,” he told CyberScoop.

He was keen to discuss State’s recent cyber deterrence recommendations for the White House. The report is unusually explicit for a State Department document in that it calls on Washington to inflict “swift, costly, and transparent consequences” on foreign governments that use “significant” malicious cyber activity to harm U.S. interests.

While State issued the report, Strayer acknowledged that the department will rely on other agencies to implement its recommendations by attributing foreign hacking and imposing consequences on the hackers. Both domestically and internationally, “there’s a lot of work to be done to see this fully implemented,” he said of the report.

Advocates of U.S. digital diplomacy hope that newly minted Secretary of State Mike Pompeo, who was previously CIA director, will prioritize engagement on global cybersecurity issues more than Tillerson did.

Pompeo considers cyberspace a “foreign policy imperative” because it can affect “almost all of our important national interests,” Strayer told CyberScoop. Pompeo is, however, still reviewing any possible structural changes to the department, including whether to appoint a top cyber diplomat akin to the coordinator, according to Strayer.

Pompeo helped orchestrate President Donald Trump’s meeting last month with North Korean dictator Kim Jong Un. In advance of the summit, Pyongyang’s hackers showed no sign of shedding a reputation for brazen attacks on financial companies, and U.S. officials warned of a North Korean malware variant just days after the historic tête-à-tête.

The week following the Trump-Kim summit, Strayer led a U.S. delegation to South Korea for the fifth iteration of a bilateral cybersecurity dialogue that covered deterrence and military cooperation.

The elephant in the room, which didn’t make it into State’s press release, was hacking operations tied to North Korea. Asked about it, Strayer said the State Department is urging allies to “address [North Korean] malware in their territory and [to] be prepared and take appropriate defensive steps to protect their critical infrastructure and government systems.”

“It’s important that we have shared understandings of those threats…so then we can jointly develop policy together,” Strayer said, speaking generally of relationships with allies.

Looking ahead, Strayer said the State Department plans to continue to use regional organizations like the Association of Southeast Asian Nations and the Organization of American States to help allies bolster their cybersecurity.

“We’re not trying to build the capacity of every country with our own dollars, but we’re seeking to leverage international regional bodies that can help us do that,” he said.

UPDATE: This story has been updated to clarify that Robert Strayer was referring to a possible norms deal at the United Nations involving multiple countries, including Russia and China.