Although the U.S. and Chinese governments blame each other for cybermischief, they should collaborate to battle common cyberthreats, the State Department's top cyberdiplomat says.
For example, organizations in both nations are victimized by distributed-denial-of-service attacks that can cripple websites. "Frankly, the ... thing that I think is important for China and the U.S. is collaborating against third-party threats," says Christopher Painter, the State Department's cyber-issues coordinator, says in an interview with Information Security Media Group (see transcript below).
"We're obviously willing to work with China on some of these cybersecurity issues and, as I said, trying to build better cooperative frameworks for that, but also to have a way for us to communicate if there's a crisis," Painter says.
Still, the Chinese gripe that the United States government hacks into China's computer networks as the U.S. complains that China intrudes into its government, military and corporate systems, pilfering military and trade secrets.
"With China, obviously, the president has expressed deep concern over the wholesale effect on trade secrets and business proprietary information," Painter says. "That's something we ... will continue to raise. But at the same time, we need to build a more cooperative framework between the two countries and more transparency between us because I think that has been lacking."
In the interview, Painter also addresses U.S. outreach to other nations to help them develop their own national cybersecurity strategies. "That's important because it elevates [cybersecurity] as a priority issue and it pulls governments together and makes sure they have the right institutions," Painter says. "It also makes it easier to have bilateral conversations both on the technical level and policy level with countries."
The strategy also works toward building a cooperative framework between countries around certain top-level threats, such as the recent DDoS attacks that targeted U.S. financial institutions (see Banks' Leadership in DDoS Fight).
"When we see a threat, we've been reaching out not just at a technical level, but on a diplomatic level too, to say this is important to us and we want to encourage cooperation," Painter says.
In the first part of a two-part interview, Painter explains:
- The growing role of his office in working within the federal government and with other nations in building security in cyberspace;
- Cybersecurity initiatives the United States has with Russia and China; and
- Why adoption by other nations of a cybersecurity framework makes cyberspace safer.
In part two, Painter discusses how the bests idea to secure the Internet do not come from the top-down government approach imposed by some foreign governments, but from the openness derived by a multi-stakeholder process.
In 2009, Painter served as acting White House cybersecurity coordinator. When Howard Schmidt became cybersecurity coordinator in early 2010, Painter became his principal adviser until he was named the State Department cyber-issues coordinator in 2011. Earlier in his career, Painter served as deputy assistant director of the FBI cyber division; principal deputy chief at the Justice Department's computer crime and intellectual property division and as an assistant U.S. attorney, prosecuting hacker Kevin Mitnick in the mid-1990s.
Coordinator of Cyber-Issues
ERIC CHABROW: Take a few moments to explain what the State Department's coordinator of cyber-issues does.
CHRIS PAINTER: We look at the full range of different cyber-issues, and that's everything from the social issues; human rights issues; governance issues; cybercrime issues; cybersecurity due diligence issues as we call them; countries having national strategies, countries having institutions like CERTs in place, and working with countries to cooperate through international security issues, which are issues around cyberconflict. I think there have been some major accomplishments recently on that front in something called the UN Group of Government Experts.
Finally, we work with agencies in our government to combat threats and to build cooperation in combating threats internationally. We're working with a host of different folks in the State Department across the regional bureaus, across the functional bureaus, and really making this more of a diplomacy policy priority rather than just a technical issue, which I think it was looked at in the past as and now is something that really drives our economy, our societies and is an important international policy issue for us and for other countries.
CHABROW: A few months after you took office, four cabinet secretaries unveiled the government's International cyberstrategy with a goal to work with other nations to promote an open, interoperable, secure and reliable information communication infrastructure. How's that strategy working out?
PAINTER: I think very well. That strategy's very important for us to bring our own government together, because many different agencies in our government have a piece of our international issues, our international diplomacy, everyone from DHS to the departments of Justice, Commerce, Treasury and Defense. Every agency has a piece of this. It really brought all those agencies and all those missions together in one document with this overarching goal of an open, interoperable, secure, reliable information and communications infrastructure around the world based on appropriate norms of state behavior.
But that's been our underlying strategic document. Since that document has come out, we, working closely with our interagency partners, have been advancing that international strategy and advancing our cyberdiplomacy. I'll give you some highlights of that. We've launched whole-of-government dialogues with many other countries around the world, and whole of government is important here because it's not enough for just the State Department to be talking to a foreign ministry someplace. It's much better for us to have all of our colleagues throughout the government as a unified team talking to a whole of government on the other side on these issues, as they're looking at these increasingly as serious policy issues. We've launched these whole-of-government dialogues with Brazil, India, Germany, South Africa, Korea and Japan. We're creating what's called the Joint Presidential Commission and a working group on cyber with the Russian Federation. We recently had the first inaugural meeting of our cybersecurity working group with China. We're doing more of these kinds of engagements, both with our traditional allies and friends, but also with other countries, too, around the world. That's been important and one highlight. I think those discussions and all those forums are important.
Second, we've been doing a lot of capacity-building and outreach to the developing world. This issue is important not just for the developed world but for the developing world, too. As they now start developing their own broadband communication policies, getting more connectivity, they [should] develop those policies in a way that really champions the open nature of the Internet, but also makes it secure. We've done regional capacity-building seminars, one in partnership with the government of Kenya for the West African countries; one in Senegal and one in Ghana for the French and English East African countries. We're planning more of those kind of activities.
The third is that we have made some real progress on a number of fronts. Many countries have cyberstrategies now. Cybersecurity strategies are very important because they elevates that [security] as a priority issue and it pulls governments together and makes sure they have the right institutions. But it also makes it easier to have bilateral conversations both on the technical level and policy level with countries. There's something like almost 20 countries that have cyberstrategies. About 10 countries now have positions that mirror mine; they've created positions in their foreign ministries to really raise the diplomatic aspects of this. I think that's important as well.
Then, we're also trying to build a more cooperative framework around cybersecurity. When we see a threat, [such as] a denial-of-service attack against our financial institutions, we've been reaching out not just at a technical level, but on a diplomatic level too, to say this is important to us and we want to encourage cooperation. Of course, we will be responsive on that side too.
On the international security front, there's a landmark consensus that was reached in what's called the Group of Governmental Experts in the UN. It said that international law applies, including the law of conflict, in cyberspace, just like it does in the physical world. Now, we've said that in the U.S. for some time. Vice President Biden said that two years ago. But having a group that includes Russia, China, India and others I think is very powerful and very important, and also affirms the importance of doing confidence-building measures between countries to try to make sure they don't have the kind of escalation, misperceptions or miscalculations. President Obama announced the first bilateral confidence-building measure in cyberspace with the Russian Federation at the G8 Summit, and we're also working in a number of international forums to do that.
We have a lot more to do, but I'm very heartened to see this not being looked at as an issue just for the geeks anymore, but an issue that really is something that's a serious policy issue for us to grapple with.
Working with China, Russia
CHABROW: You mentioned a few times working with China and Russia, as well as other nations. As you know, many people see China and Russia as adversaries to the United States in cyberspace. Some would even call them enemies. How do you characterize our relationship with these nations in regards to cybersecurity?
PAINTER: I think it's important for us to engage with all countries around the world, and I think it's important for us to engage with Russia and China. With Russia, as I mentioned, it was very important for us to establish these cyber confidence-building measures. For Russia, let me tell you what those are. One of them is more exchange of certain technical information about threats. One of them was an exchange of military doctrine in cyberspace. We had our defense strategy for operating in cyberspace and the Russian Federation had a white paper that their [Ministry of Defense] created. That builds better understanding between the countries of what we're doing. The third was the creation of two things: a phone hotline and also using the Nuclear Risk Reduction Center, which not surprisingly was originally used for nuclear issues, but now is used for a number of issues like climate change and other issues. We've now extended this to being used for cyber-issues. If there's a major cyber-event emanating from the other territory, we can use these communication mechanisms to make sure there's not a misperception or miscalculation. That's important. We're not going to agree with China or Russia on every issue in cyberspace, to be sure, but we need to make practical progress that makes sure that we're answering the threats that are out there.
With China, obviously, the president has expressed deep concern over the wholesale effect on trade secrets and business proprietary information. That's something we have and we will continue to raise. But at the same time, we need to build a more cooperative framework between the two countries and more transparency between us because I think that has been lacking. When the two presidents met at their summit, they agreed to form this working group. ... One of the advantages is it has the full range of agencies on both sides, on both the military and civilian side, to discuss issues of concern, like the concern I just mentioned. But it also looks for areas where we can cooperate and try in practical areas to cooperate, and it also is a forum for us to discuss the appropriate norms in cyberspace, to have an actual sustained discussion, not a discussion once at a conference or once a year in the summit, but actually have a sustained discussion on these issues. I will say that I thought it was a very constructive beginning and discussion when we met for the first time a couple of weeks ago. We'll meet again before the end of the year, but I think both sides are dedicated to making that conversation work.
CHABROW: What concerns have the Chinese expressed about the United States?
PAINTER: You've heard what the Chinese have said in the press, that they're concerned about cybersecurity, intrusions and cyber-attacks against them that come from all over the world. We're obviously willing to work with China on some of these cybersecurity issues and, as I said, trying to build better cooperative frameworks for that, but also to have a way for us to communicate if there's a crisis.
I'd like to see if we can extend what we've done with the Russian Federation, and that applies to China as well, but also look for other areas that we cooperate in. You've heard some of the things that they've expressed. We want to certainly hear that out; we want to discuss that; we want to get a little more detail about what those concerns are and see if we can address those. Frankly, the other thing that I think is important for China and the U.S. is collaborating against third-party threats. I mentioned the denial-of-service attack. That's a good example. To the extent that there are bots that are located in China, that's a place I'd like to see us cooperate.
CHABROW: They share more of the same concerns than where we may have some disagreements. True?
PAINTER: I think it's a mix. The important thing is to try to make progress in the areas where we can. We can make practical progress while at the same time trying to understand where the differences are and see if we can make progress on that. [We'll] work to really ameliorate and mitigate the concerns that we have raised, and will continue to raise, until they're really mitigated. ... It's also important that, within a framework, it reports up through our strategic security dialogue with China, which deals with a whole range of strategic issues, what's called the S&ED, Strategic and Economic Dialogue, which just happened a couple weeks ago, and that's very high level. It keeps the attention on these issues.
Cyber and Diplomacy
CHABROW: You've been in this job for 2Â½ years. Do you see more cyber generally involved in diplomacy than you did when you started the job? How does it manifest that way?
PAINTER: When I started, it was just me. This is the first foreign ministry anywhere in the world that said cyber is an important enough issue and it's spread out enough within the department because there are all of these different people who are working on it that we really need to try to, for want of a better term, up our game. [We need to] make sure that we're speaking with one voice in our U.S. policy, working together with the different stakeholders both within government and outside of government, the private sector and civil society, to really make this more of a priority and integrate these issues. When we talk about cybersecurity, human rights and governance issues, it's important that we think about all those as a package because they're in many ways interrelated, and the debates that happen in a lot of these forums are interrelated. That was two years and four months ago.
Since then, as I mentioned, about 10 countries have created similar posts. We launched all these dialogues. The countries raise this routinely in high-level meetings with the U.S. ... Everyone cares about cyber, and that's a good thing. It's really raised the profile on this issue around the world, and I increasingly see that everywhere I go, every trip I take and every meeting I have. It's something that's not just this pigeonholed issue, but an issue that's increasingly being seen as a very important future of almost every country.