The U.S. International Cyberspace and Digital Policy Strategy
Interview

The U.S. International Cyberspace and Digital Policy Strategy

Interview with Christopher Painter
October 23, 2024

In May 2024 the United States released the International Cyberspace and Digital Policy Strategy, outlining the U.S. approach to technology diplomacy. The strategy centers on the idea of digital solidarity to advance an open, resilient, defensible, and rights-respecting digital ecosystem. In this Q&A, Fern Hinrix interviews Christopher Painter, a former U.S. cyber diplomat, on the implications of the new strategy for building partnerships in Asia, addressing challenges and threats from Russia and China, and strengthening U.S. cybersecurity and digital policy going forward.

Why is the 2024 International Cyberspace and Digital Policy Strategy important for U.S. cybersecurity and cyber diplomacy?

The first time the United States developed a strategy like this was when I worked on the Obama administration’s 2011 International Strategy for Cyberspace. That was a landmark document because it was the first international strategy for cyberspace by any country and it dealt with a comprehensive range of topics—everything from hard security issues like norms and cyber conflict in a military context, to human right issues, to economic issues, all in one document. It was a clear articulation of the overall U.S. goal of an open, secure, interoperable, and reliable internet and information infrastructure, as well as of how all these areas fit together within that framework. It also cemented the idea of cyber diplomacy in U.S. foreign policy and called for partnerships around the world.

The creation of the 2024 International Cyberspace and Digital Policy Strategy was essential because of the changing geopolitical environment and evolving international challenges since the 2011 strategy was released. We are facing cyber intrusions from China, Russia, Iran, and North Korea, as well as challenges to innovation and human rights in digital areas. The 2024 strategy does not announce any new policies to mitigate these challenges, but it puts U.S. policies in the context of an overarching goal. It lays out comprehensive action items, including building secure infrastructure, aligning rights respecting and data governance policies, advancing responsible state behavior, strengthening partnerships, and building capacity, which is a critical underlying pillar. Additionally, the 2024 strategy is even broader than the 2011 strategy because of the incorporation of emerging technologies such as artificial intelligence.

The release of the 2024 strategy in May at the RSA Conference in San Francisco alongside an address from the secretary of state was also significant. This is an event that brings together tens of thousands of policy and technical experts. Too often we think about cybersecurity as only applicable to technical or military spaces, but we need to reframe it in terms of how we want to shape cyberspace so it serves the interests of the United States and the world more broadly. These are goals that require continuity of strategy. Regardless of the outcome of the 2024 presidential election, cyber and digital issues will likely still be a priority for the incoming administration.

The International Cyberspace and Digital Policy Strategy centers on the theme of “digital solidarity.” What is digital solidarity, and what are some of the challenges that accompany the incorporation of this new term into U.S. policy?

The core of digital solidarity is building alliances to solve different issues. My understanding is that it is intended to be a high-level unifying concept. It emphasizes that we are facing many different threats and challenges, but we also have lots of different opportunities. We are better at banding together, both within our borders and with other governments around the world, to advance our interests. For example, when you talk about norms and responsible state behavior, there is an emphasis not just on agreeing with countries on what those rules are, which has largely already been done, but also on having accountability for those rules. Digital solidarity means cooperating with like-minded countries within a large-tent environment to make sure that there are consequences for transgressions in cyberspace.

Digital solidarity implies that on the other side is digital authoritarianism. Digital authoritarianism is the strategy of China, Russia, and other more authoritarian regimes that are trying to restrict the internet or use cyber tools to launch disruptive effects. These are all the things the United States needs to counter by working with its allies and partners.

In terms of challenges, there has not been a significant negative reaction to the term. Perhaps some European countries coded digital solidarity as a response to digital sovereignty, so in that sense there is some concern about controlling markets, but those concerns have mostly been assuaged. On the other hand, I have not yet seen digital solidarity become a new globally used term either. It is somewhat of a marketing term, to be frank. No new initiative was announced in this strategy, and it is also not really a departure from the United States’ main goals.

The “2024 Report on the Cybersecurity Posture of the United States” emphasizes that the People’s Republic of China (PRC) “remains the most active and persistent cyber threat to U.S. Government, private sector, and critical infrastructure networks.” How does the International Cyberspace and Digital Policy Strategy seek to mitigate and defend against these threats?

China is always at the top of persistent cyber threats to the United States, and it has been at the top for a long time on several scales. These threats include increased cyber capabilities, theft of intellectual property, military activities, supply chain issues, and human rights violations. We have certainly seen disruptive cyber activities from the PRC, which is a serious concern. Across the board, China poses a threat not only by what it is doing within its own borders but also by what it seeks to export to other countries.

The 2024 International Cybersecurity and Digital Policy Strategy lays out these threats that need to be contested. There are different ways to contest them depending on the situation, including building capacity and working with partners to make sure they have tools and the ability to use those tools. Other strategies seek to counter some of the bad actions we are seeing, whether by making sure there are alternatives to supply chains that the United States does not view as trusted, setting universal standards rather than standards that benefit only one country, or making sure there is accountability for violations of the established rules in cyberspace.

Going back to digital solidarity, a big-tent like-minded approach is essential to mitigate these threats, particularly with some of China’s neighbors. We have seen a lot of aggression by China in the South China Sea, so having more influence in groupings like the Association of Southeast Asian Nations (ASEAN) to address cyber threats is important. Cybersecurity is not completely separated from other geopolitical issues. It is not so much that we have a cyber problem with China or Russia, but that we have a larger Russia problem and China problem. Cyber is one component of that.

The 2024 International Cyberspace and Digital Policy Strategy also highlights challenges around Russia and the PRC working to reshape norms governing cyberspace, including through multilateral forums like the United Nations. What is the U.S. strategy to counter these efforts?

Russia began these efforts in the United Nations, where it has pursued a cybersecurity treaty. But that was really meant to benefit Russia. First, the country is not going to comply with the treaty, so it is a way to restrain others. Second, the kind of provisions Russian leaders are looking for went beyond cyber to include free speech and other political interests. The United States has pushed back on that for years, partly by seizing the initiative. The United States led the idea of an international cyber stability framework that included adherence to international law. It said that international law applies to cyberspace and that there are certain norms of responsible state behavior. These norms are voluntary and nonbinding, but they are still political commitments.

Where we especially see China and Russia pushing back is on the idea that international humanitarian law applies in cyberspace. For example, the UN Ad Hoc Committee recently concluded negotiations for a convention against cybercrime designed to counter the use of information and communication technology for criminal purposes. This was Russia’s idea, although what came out was not what Moscow really wanted. Russia advocated for a large scope of crimes and minimal protection for human rights. Moreover, it once again wanted to include everything under the sun, not just cybercrimes, whereas the United States, Europe, and others wanted to focus on actual cybercrimes.

Russia is playing the long game. Moscow will continue to press both within and outside the United Nations to convince countries on the fence to join it. China has already aligned with Russia on a lot of these issues, such as creating a binding global cybersecurity treaty, while at the same time evading any real accountability. It is essential for the United States and a large group of countries partnered with the United States to continue to fight and advocate for U.S. interests in these multilateral forums. I don’t believe there will be strong accountability coming out of the United Nations in the near future. Therefore, countering Russia and China requires sustained effort over time, which is difficult for democracies to do sometimes, but it is paramount to do so because these challenges are not going away.

Looking forward, what would a successful implementation of the 2024 International Cyberspace and Digital Policy Strategy in the Indo-Pacific region look like, and what initiatives or partnerships are key to its success?

Implementing this strategy in the Indo-Pacific successfully will be largely based on existing dialogues and partnerships. Working with ASEAN and other regional organizations is critical, as is bilateral cooperation with several key countries. Singapore is a notable cybersecurity actor that is leading several efforts in Southeast Asia. India is another important country to work with, particularly because it is a swing state trying to walk a middle line. The United States has increasingly engaged with the Philippines on building cyber capacity because that country is vulnerable to threats from China.

In addition to these countries, coordination with U.S. allies such as South Korea, Japan, and Five Eyes partners Australia and New Zealand is valuable. Australia and New Zealand, in particular, have cooperated with the United States and Pacific Island countries to build capacity. However, all these countries have different views on cyber and digital policy. Because the 2024 strategy is very broad, there needs to be an understanding that countries do not have to agree on everything to be partners on some key issues.

One important tool is the Cyberspace, Digital Connectivity, and Related Technologies Foreign Assistance Fund created in the 2023 State Department Authorization Act. This fund gives the State Department’s Bureau of Cyberspace and Digital Policy $150 million over five years to build foreign cybersecurity capacity and support rights-respecting technologies. This kind of capacity building is essential. But with limited resources, the United States still has to make judgments on what countries to prioritize based on its interests and their needs. This money needs to be effectively used in the Indo-Pacific, but also in other key areas such as the Western Balkans and Africa.

Looking forward, it is critically important that cybersecurity and digital policy continue to be an international priority for the United States. A lot of policymakers either are scared of these topics or think they are too technical to deal with. We need to embrace these issues as the geopolitical challenges they are, both now and in the future, because they are not going to be trivial or sideline issues. Cybersecurity and digital policy will be core components of national security, economic security, and human rights going forward.


Christopher Painter is a former top U.S. cyber diplomat with over 25 years of experience in cyber policy, cyber diplomacy, and combatting cybercrime. He currently serves in a number of capacities, including on the board of the Global Forum on Cyber Expertise Foundation.

This interview was conducted by Fern Hinrix, an intern with the Technology and Geoeconomic Affairs group at NBR.