By gutting its cyber staff, State Department ignores congressional directives

The State Department has demonstrated it does not understand that cyber power is critical to geopolitical power. In the course of reorganizing offices and reducing staff over the past three weeks, the department’s political appointees have gutted President Trump’s ability to work with partners and allies on cybersecurity and technology resilience. Congress will need to intervene to defend its bipartisan effort to bolster cyber diplomacy. 

For years, Washington’s efforts to hold China, Russia, and Iran accountable for malicious cyber activity were hamstrung by an inability to effectively work with allies to quickly identify and punish perpetrators. America’s allies were failing to prevent cyberattacks on critical systems that the U.S. military needed to operate securely overseas. Instead, these attacks cascaded across continents and hit the U.S. homeland. And U.S. adversaries were running circles around the West’s principled stance on privacy and security in cyberspace, instead reshaping telecommunications infrastructure and the internet in their image. 

After watching successive administrations dither, Congress took a stand, passing the Cyber Diplomacy Act in 2022. The law tasked a new State Department Bureau of Cyberspace and Digital Policy (CDP) with promoting reliable and secure internet infrastructure, building the cyber capacity of U.S. partners, and advancing technology and cybersecurity policies globally that bolster U.S. economic and national security interests. 

To accomplish this mission, CDP pulled together existing, disparate economic and international security functions related to cyber and technology into a single, more efficient operation. By all accounts, this consolidation made CDP successful.

When Congress tasked the bureau with managing a unique cyber assistance fund to rapidly respond to incidents overseas, CDP created a mechanism to airdrop expertise into partner countries in as little as two days.

Likewise, when Congress tasked the bureau with securing communications technology, semiconductor supply chains, and other emerging technology, the bureau paired U.S. seed funding with investments from allies and technology companies to box out Chinese firms attempting to dominate telecommunications in the Indo-Pacific. 

On July 1, however, the State Department stepped backwards. Despite its stated goal of creating a “more agile Department” and reducing duplicative offices, Foggy Bottom pulled CDP apart into multiple offices, each of which now holds a piece of the cyber mission. CDP lost its division responsible for responding to cyberattacks to a new bureau on emerging threats. Its strategy team moved to the personal staff of the undersecretary of economic growth. And its internet freedom team went to the undersecretary for public diplomacy. 

CDP will now consist of two slimmed down teams. One will focus on internet governance and technical standards, the other on using U.S. foreign aid to bolster allied cybersecurity. However, after the trifecta of the dissolution of the U.S. Agency for International Development, the foreign aid freezes earlier this year, and Congress’ acquiescence to billions of dollars in cuts to previously allocated foreign aid, it is not clear what funds CDP will have to help U.S. allies. 

Unfortunately, the crippling of State’s cyber diplomacy capabilities is not just the result of the restructuring, but also a significant loss of subject matter expertise. In the course of reducing its overall workforce in mid-July, State fired at least a half dozen people from CDP. The bureau lost two strategists and five of only eight experts working on bilateral and regional affairs. 

CDP had expected to bring in staff from other technology-focused offices as they were dissolved. Instead, quantum, artificial intelligence, and other technology experts were fired. Over the past few months, other CDP staff have accepted the department’s offers of deferred resignation and early retirement. And State reassigned CDP’s acting head, leaving the bureau without a leader. 

At an April hearing about CDP, the House Foreign Affairs Committee’s Europe Subcommittee Chairman Keith Self, R-Texas, affirmed the importance of State’s cyber capabilities. “The U.S. is not facing these real and growing threats alone,” he noted. “Through cooperation with our allies and partners, the U.S. will continue to work to combat malign cyber activities from the PRC, Iran, North Korea and Russia.” 

After a bipartisan show of support for the bureau, the subcommittee staff are drafting components of a State reauthorization bill from Foreign Affairs Committee Chairman Brian Mast, R-Fla., that would bolster CDP’s mandate. If Foggy Bottom keeps undercutting CDP, however, there may be little left to reauthorize. 

Chairman Mast indicated he plans to bring the reauthorization bill to the floor at the end of September. Lawmakers need to weigh in with State Department leadership sooner rather than later, however, to remind Secretary of State Marco Rubio that he himself voted for the Cyber Diplomacy Act when he served in the Senate. He knew then what members know now: Without strong cyber capabilities within the State Department, America’s partners will turn to unreliable associates in China for infrastructure investment and succumb to cyberattacks that place U.S. forces overseas at risk.

It will take years to rebuild State’s capabilities. While Congress should move quickly to re-integrate CDP’s component pieces, reauthorize cyber foreign assistance, and restart secure technology projects, the loss of subject matter experts will take longer to fix. The cyber experts with sought-after skills that State let go are not waiting by the phone to get their old jobs back. They will move on to higher-paying private sector jobs. Only after the department re-commits to its cyber mission and places a Senate-confirmed ambassador at the helm of the bureau will the department have a hope of reconstituting all that it lost over a few weeks in July.