Cyber Strategy Update with Robert L. Strayer

Listen & Download

Join us for a teleforum with Robert L. Strayer, Deputy Assistant Secretary of State for Cyber and International Communications and Information Policy, who will talk about the State Department’s efforts under the National Cyber Strategy and Cybersecurity Executive Order 13800 as well as international diplomatic engagement to facilitate the adoption of secure and reliable telecommunication technology.


Robert L. Strayer, Deputy Assistant Secretary of State for Cyber and International Communications and Information Policy, U.S. Department of State


Teleforum calls are open to all dues paying members of the Federalist Society. To become a member, sign up on our website. As a member, you should receive email announcements of upcoming Teleforum calls which contain the conference call phone number. If you are not receiving those email announcements, please contact us at 202-822-8138.

Event Transcript

Operator:  Welcome to The Federalist Society's Practice Group Podcast. The following podcast, hosted by The Federalist Society's International & National Security Law Practice Group, was recorded on Tuesday, June 18th, 2019, during a live teleforum conference call held exclusively for Federalist Society members.


Micah Wallen:  Welcome to The Federalist Society’s teleforum conference call. This afternoon’s topic is a Cyber Strategy Update with Robert Strayer. My name is Micah Wallen, and I’m the assistant director of Practice Groups at The Federalist Society.


      As always, please not that all expressions of opinion are those of the expert on today’s call.


      And today, we are fortunate to have with us Robert Strayer, who is the Deputy Assistant Secretary of State for Cyber and International Communications and Information Policies at the U.S. Department of State. After our speaker gives his opening remarks, we will then go to audience Q&A. Thank you for sharing with us today. Robert, the floor is yours.


Robert L. Strayer:  Thanks, Micah. I wanna thank The Federalist Society for inviting me to participate in this teleconference and for all of you for joining. I thought I would give about 15 minutes of opening remarks to explain what I do at the State Department and what our office is doing in the area of cyber policy, and then hopefully have enough time to answer plenty of your questions.


      So my office covers a broad spectrum of cyberspace policy issues on internet policy ranging from how we cooperate with allies to counter cyber-attacks, to promoting the free flow of data that really underpins our digital economy, to engaging with industry on a number of issues including emerging technology regulatory policies. It’s important that we work across the board of all of the cybersecurity, as well as the digital economy issues to ensure that we’re protecting United States and our allies, and that we truly continue to benefit from the model of the internet that we have established in the United States and, really, that the world has adopted. We need to do that to ensure that we continue to reap the benefits of the internet and massive amounts of innovation that we’ve seen over the last few decades.


It’s becoming clear that almost every significant national security and economic interest is, in some ways, impacted by our larger digital ecosystem. So, just as we deal with all other important trans-national international issues, the State Department is involved in those discussions, and we use our diplomatic tools as well as all tools of our national power to ensure that we’re advancing our interests in cyberspace and the digital economy.  


      So I wanna talk about two main legal documents and policy documents that we’ve worked on in this administration. First being our National Cyber Strategy and the other one being Executive Order 13800, which is our Cybersecurity Executive Order titled Strengthening Cybersecurity Federal Networks and Critical Infrastructure. That Executive Order was issued by the president in May of 2017, and, over the course of the next year, we’ve produced a number of reports under that Executive Order. Of course, as the Executive Order was titled, it focuses on strengthening the security of our federal government networks as well as our national critical infrastructure. But there’re two important components that the State Department was the lead in drafting and collaborating with all other relevant agencies in the federal government in producing reports.


      One was an international engagement strategy, and that international engagement strategy has two main prongs. The first being that we want to enhance the resiliency of our global cyber ecosystem. Meaning that we want to ensure that countries can improve their abilities to identify, detect, respond, and recover from malicious cyber activity, because we know that, instantaneously, we can have a cyber threat in one part of the globe reach another. It’s critical that we work with partners, and allies, and all countries, really, to reduce the amount of malicious cyber activity that can affect us within our borders.


      So we want to ensure that no nation is a safe haven for cyber attackers. That means ensuring they can develop capabilities to respond to those threats, to receive threat information, process that, and take action, as well as share threat information themselves. The other main component about that capability building is that we need countries to have a legal framework in place so that they can investigate, prosecute, and in some cases, extradite cyber criminals. There’s something called the Budapest Convention that went into effect in 2004, and that has served as a framework for improving cyber crime capabilities across the globe. There’s, roughly, 70 countries who have acceded to the Budapest Convention, and about 60 more countries use that as the framework for their laws.


      Now, under this prong of the Executive Order, this report on international engagement, the other main part was increasing our ability to respond to nation states, proving what we call cyber stability among nations by reducing the risk of conflict stemming from cyberspace. And how we get at that is over a number of years, roughly, in the last decade, we sought to establish the applicability of international law in cyberspace. So just as in a physical world, international law applies concepts of sovereignty in non-interference with the internal affairs of the country, that also should apply in cyberspace.


      We’ve also established through a mechanism at the United Nations, roughly, 12 norms of responsible state behavior. These norms were agreed to by the countries that participate in what they call a Group of Government Experts process. This Group of Government Experts included Russia and China, and then, in subsequent, a General Assembly Resolutions, those norms were agreed to and amplified. The important part of these norms is -- by the most important one would be that nations should not seek to disrupt or to destroy the critical infrastructure of another country that could be seen as the golden rule in cyberspace.


      So, as part of our efforts, under the Executive Order and what later became the national cyber strategy, we, at the State Department, led an effort to draft a national deterrent strategy in cyberspace. That became another report that was filed within the Executive Order reports, but it forms, what they call, pillar three of the National Cyber Strategy international engagement prong. And that’s where we are looking at what we need to do to deter other nations.


We know that these norms, or responsible state behavior and, applicably, even international law, alone are not sufficient to deter nation states from taking advantage of cyber capabilities. They see them as asymmetric tools to achieve ends that they could not otherwise achieve in the areas of national security and economic capabilities. So they cyber in ways that will seek to advantage themselves as well as in political military areas.


      So knowing that those norms are not self-enforcing, we’ve come to the judgement that we need to have an ability to change the risk calculates for other countries to affect their cost benefit analysis of this by increasing, not just as we have in the past, our defensive capabilities, but to work on what kinds of swift, transparent, and costly consequences we can bring to bear to convince the decisionmakers in other governments that it’s not worth using these cyber tools that could be destabilizing, disruptive, or destructive. To do that, we need a much broader set of consequences. For many years, of course, we’ve had diplomatic tools that we’ve used including using attribution. We’ve also used sanctions policy, but there’s a broader set of tools that we could bring to bear to influence decisionmakers in other governments.


We also realize that to have greater impact and greater legitimacy to our efforts, it’s important to work with other governments to do attributions together and then bring these consequences to the table. So we’ve been working with other governments to align our policies in this areas. And lastly, we need to message this to an adversary so that they know that there are activities if they conduct, they will be responded to in a way that brings forward consequences that will make them reassess whether they want to undertake that type of activity given the cost.


So that is the rough outline of our national cyber deterrent strategy under both the National Cyber Strategy and within the Executive Order on securing cyberspace. This isn’t just a conceptual effort – since 2017, we’ve had two very significant destructive cyber-attacks between WannaCry in May of 2017, which was done by North Korea, and in June of 2017, which was the NotPetya attack by Russia, which originally started in Ukraine but quickly spread around the world. Both of these disrupted critical infrastructure, and it was a very foreseeable outcome that that would be what would happen with the type of malware being used.


We saw shipping and transportation system disrupted. We also saw manufacturing of pharmaceuticals and the, just, basic access to hospital computer systems disrupted by those cyber-attacks. We saw a great deal of coordination among countries in addressing those problems, at the time, but later, we also had a great deal of cooperation in having countries join together and doing joint attribution to the countries who had conducted the cyber-attacks. The high-water mark, I think, of our coordination on attribution was when Russia sought to undermine the organization for the prohibition of chemical weapons. We had more than 22 governments joined together in the attribution of that cyber-attack. So, building on those attributions, we can now seek to implement consequences against malicious actors in the future.


      And another area, that I wanted to touch on, was we continue to talk to governments in an area where we’re not just talking about improving our cybersecurity but also protecting human rights in the long term, protecting our data, and ensuring that we have regulatory policies that meet our goals. And that is with regard to fifth generation of wireless technology or 5G. 5G—to give a, just, more general statement about the technology—is going to be providing massive throughput of data with very little latency in the delay, and it will also connect tens of billions of more devices.


When all these devices and sensors are, then, inter-connected, it’s going to empower a whole new set of critical infrastructure. So everything from autonomous transportation at work and autonomous vehicles to telemedicine—because you’ll have the sensors of quick processing of data—to having just our traditional critical infrastructure in the form of electricity and water supply being provided over the top of the underpinning of the data transmission that will occur through 5G. 5G, really, will be about all of the critical infrastructure that is very important to our daily lives.


      So, with that truly significant amount of critical infrastructure at stake, as 5G develops, we really need to make sure that that is something that cannot be compromised by a foreign adversary. There’re, of course, some very important cybersecurity practices that are being billed into fifth generation of wireless networks by the telecommunications operators. But one also needs to look at the adversary, the threat, that could be coming at us. And, with regard to that, we know that there are certain vendors of the 5G equipment and software that are in China, and they are under Chinese National Intelligence Law and other laws.


The Chinese can direct the activities of those vendors without judicial review—an extraditional mandate—and that gives us great concern about the ability for those vendors to be required by the Chinese government or the Chinese communist party to take actions that are not in our interests or in the interests of our foreign partners. As our societies become more and more interconnected and global supply changes are more interconnected, a disruption to the supply chain, or activities in another country, would almost immediately have impacts to the United States as well.  


      We’re also very concerned about the ability of a government like China to acquire data from those networks. We know they could exfiltrate data. It could be personal data. It also could be commercial data. In the past, of course, China has conducted one of the largest schemes to acquire intellectual property, commercial data through the compromise of global managed service providers and cloud providers. We, along with the U.K. and a dozen other countries, last December, attributed the APT10 group to China into the compromise of these many service providers, which were used to compromise, then, the clients of those providers, which were truly the biggest companies on the globe, and the access to their data, then, was then used to be shared with Chinese companies.


      So we know that China has a track record of using data or seeking acquired data for its own commercial purposes. We also know that in the case of the Xinjiang province, in China, that China has used data and technology to surveille their own people—a minority group called the Uighurs—to determine what kind of activities they’re engaged in, to suppress their freedom of expression and freedom of association, and then to, now, send more than a million Uighurs to reeducation camps in that province. So, with the lack of an independent judiciary—and there had been a judicial review—controls of data, we’re very concerned about how China might, in the future, with the ability to acquire massive amounts of data from us and our partners, proceed in ways that would undermine fundamental human rights.


      I guess, the other two things I should mention is that our response in the United States are not just a diplomatic effort around the world to talk about our concerns and to talk here in the United States about them. On May 15th, President Trump signed an executive order that will allow us to secure our information communications technology networks from technology that is controlled by adversaries. That is a roughly five-month period, then, where under that Executive Order that the Secretary of Commerce will develop an interim final rule to implement that objective.


      The second legal action was with regard to the company Huawei. The Commerce Department, on May 15th, added Huawei to what is known as the restricted entities list, which requires that -- someone exporting technology from the U.S. to Huawei needs a license from the Commerce Department. So those were two legal actions that are part of our overall effort in concerns about the Chinese technology in Huawei.


      So happy to answer any questions anyone has. I look forward to hearing your questions.


Micah Wallen:  Thank you, Robert. While we let those question lines fill up, Robert, did you wanna talk a little bit more about what the 5G issue means in terms of global policy and falling behind amongst competitors like China and Russia and how that works?


Robert L. Strayer:  Yeah. Sure. Happy to answer that. So, about a year ago, there was really not much discussion about 5G supply chain security. And, of course, what 5G will be has come into more crisp focus because of the standard setting bodies completing their work as well as an understanding of how critical infrastructure will be able to use the sensors and devices provided by 5G connectivity.


We now realize the stakes are very high, so we’ve set out on a diplomatic campaign around the globe, including spending a lot of time in Europe with our partners there talking about our concerns to lead them on and bring them along with us on an education path to better understand what 5G means and the security risks that are there, as well as the ability for a government like China, given their legal system and lack of independent judiciary, to direct companies to undertake actions not in their interest or in our interest.


So that’s generally how we’ve approached this as a diplomatic effort. I mentioned those other two legal tools that we will use. No company in the United States, none of the major four providers of wireless service in the U.S., will use an untrusted vendor, will use Huawei or ZTE, and last year, Congress passed a law through the National Defense Authorization Act to prohibit the federal government from purchasing any technology from Huawei or ZTE.


So we’ve taken some pretty strong measures against those companies to protect our networks, and we’re encouraging our partners to adopt similar measures to protect their telecommunications networks.


      So at this point, we really hear from a lot of countries that say, “Yes. We understand that there’s a true supply chain security risk quite apart from the normal cybersecurity issues that are important to think about when you’re developing a telecommunications network.” In fact, more and more countries are saying they, at least, want to exclude Huawei and ZTE from the core of their telecom networks and only allow them at the edge or periphery.


Now, let me just dive into that for just a minute. The distinction between the core and the edge of a 5G network really is vanishing. It used to be that all the real computing power and in telecom network was in its center and its core and that where you were closest to the user, with antennas and radios connecting to handset devices, was more or less a dumb connection. It wasn’t something that had computing power and really facilitating it in a real way. But in 5G, because critical infrastructure needs to have very low latency, that is low delay, the computing power needs to occur right where that critical infrastructure is right next to the user.


So really the whole network will have smart components distributed throughout it. There really won’t be a distinction between the critical and non-critical parts of a 5G network. So we say anywhere on that network needs to be secure and there’s no place in that network for untrusted vendors that could gather data, in ways that I described earlier, to exfiltrate it or to cause a compromise of that critical infrastructure through the actions of an adversary with remote access. So I hope that gives you an overview of our efforts there.


Micah Wallen:  Absolutely. And we will now go to our first question.


Megan Brown:  Hey, Rob. This is Megan Brown over at Wiley Rein. Thanks for taking the time to do this with The Federalist Society. I was wondering, since you’ve been generous enough to do this, if you could comment a bit on the challenges you guys see from the fact that a lot of this international norm building in cyber can’t be really talked about that easily publicly, and the disconnect there, and your perspective on what challenges that poses for you guys to drive norms forward while only being able to really talk about a portion of what is going on from both a positive and a negative perspective, if that makes sense?


Robert L. Strayer:  Absolutely, Megan. Yeah. Thanks a lot for that question. That is very insightful, and that is one of our challenges, for sure, is our ability to talk about what we do in cyberspace.


Well, one thing what we do is we try to be as transparent as possible, and, of course, there are limitations. But that’s why we think it’s very important to put out reports under this Executive Order to actually have a -- we obviously have a National Security Strategy, but to also have a national cyber strategy nested under that to also -- we have a Department of Defense cyber strategy. I think we’re one of the few countries in the world to have a public national cyber strategy from our defense department. So we try to explain our doctrine and our methodologies about how we view cyberspace to be as transparent as possible, even if we can’t talk about particular operational activities. We talk about how we view cyberspace. What principles we want to apply.


      Another thing that’s important is that there’s something called confidence building measures that are used in a number of other areas of international policy to try to establish trust between countries and to address any concerns or potential escalatory activity that’s occurring. So, in cyberspace, we’ve gone around to a number of different regional forums and also at the United Nations to talk about the confidence building measures that could help in cyberspace to help nations understand each other’s activities and have a better lay of the land as to how they approach cyberspace.


Micah Wallen:  All right. We’ll now move to our next question.


Carter Page:  Hi, this is Carter Page. I’m curious to know what reaction you’ve gotten for with respect to the problems that occurred in the State Department and the FISA abuse during the Obama administration. I’m wondering if you’ve noticed, when dealing with a lot of other countries around the world, whether there’s been any backlash related to that given the corruption that occurred during the 2016 election, and any response you’ve received.


Robert L. Strayer:  Yeah. Thanks, Carter. Thanks for that question. I actually, to be honest, haven’t really been on the front end of that issue from our foreign partners or them asking about it. I think they probably, if I had to speculate, are directing those questions to the Department of Justice. I’ve read the papers understanding on the background on this. But it hasn’t really come my direction.


Micah Wallen:  I’m not seeing any other questions roll in right away. Did you have any closing remarks for us, Robert?


Robert L. Strayer:  No. I just appreciate everyone’s time and reach out to me directly at the State Department if you like. I’m always eager to have input from others, thoughts on particular issues. We cover a vast array of policy. I just tried to touch on two relatively, I think, interesting topic areas for folks, but working on a bunch of other things. So feel free to reach out at any time and provide your thoughts, or if you have questions about -- let us know what you need to know more about. So I really appreciate everyone joining today.


Micah Wallen:  Absolutely. And on behalf of The Federalist Society, I’d like to thank our expert for the benefit of his valuable time and expertise today. We welcome listener feedback by email at [email protected]. Thank you all for joining us. We are adjourned.


Operator:  Thank you for listening. We hope you enjoyed this practice group podcast. For materials related to this podcast and other Federalist Society multimedia, please visit The Federalist Society's website at