In May 2023, the U.S. government pledged USD $25 million in assistance to Costa Rica to bolster its cybersecurity efforts and cyber posture. A year prior, Costa Rica suffered a debilitating series of ransomware attacks executed by the now defunct Conti ransomware gang that demanded USD $20 million or else the Costa Rican government would risk being “overthrown by means of a cyber attack,” as per a group statement. The attack impacted enough critical systems that the government had to declare a state of emergency. This marked the first time that a cybercriminal gang overtly attacked a nation state, exposing the cybersecurity weaknesses of a country, and affecting millions of people. It also showed the world that countries with limited technical capability and resources were vulnerable to persistent, sophisticated hostile cyber actors seeking to do them harm.
The incidents that impacted Costa Rica, Vanuatu (another technically developing country that was crippled by a cyber attack), and even Ukraine at the onset of its conflict with Russia reveal that countries need assistance during periods of crisis. What’s more, these events emphasize an important reality facing several governments in today’s cyber climate: cyber resiliency is more of an aspirational goal pursued through continuous effort than a quantifiable endpoint metric. What’s more, they clearly show that no country can go it alone no matter how cyber capable and powerful it may be. The current situation in Ukraine underscores how a seemingly localized geopolitical hotspot can quickly escalate and expand past its borders, bringing in both other state and nonstate actors into the cyber fray. The conclusion is clear: there is a cybersecurity void that can be filled with interstate cooperation, and while this doesn’t necessarily end hostile cyber engagement, it can certainly help a government mitigate and remediate the power and duration of attacks.
U.S. leadership in cyber matters has been quiet over the past several years, evidenced by its lack of assertion in such international venues as the UN’s Global Group of Experts where it has passively watched other countries push their own agendas. One think tank piece critiqued the United States’ leadership failure as a “collapse,” obstructing its ability to handle cyber threats to democracy and “the change in the international distribution of power.” Now it appears the United States government sees an opportunity to help re-establish itself via the State Department’s new Bureau of Cyberspace and Digital Policy, a role terminated in 2018 by the previous Administration. The new Bureau’s task is to address “the national security challenges, economic opportunities, and values considerations presented by cyberspace, digital technologies, and digital policy and promotes standards and norms that are fair, transparent, and support our values.” The Bureau is the diplomatic arm of the United States’ external cyber efforts, the carrot to the stick that is U.S. Cyber Command.
As part of its outreach mission, the Bureau is seeking to solidify a fund program to help countries in cybersecurity crises. The fund is part of a three-part plan that includes delivering “hands on” capacity building and brokering private sector involvement in helping to mitigate cyber threats. Indeed, there has been a growing bit of anecdotal evidence that where governments step up and engage their foreign counterparts with respect to cybersecurity, there has been some quantifiable measure of success. Foreign support of Ukraine is the latest example, and many believe that the transnational nature of cybercrime can only be confronted by unified effort to identify and map the activities of these gangs, and engage in multi-stakeholder actions to share timely information and execute law enforcement efforts to take them down.
The fund would complement the United States’ defense-forward initiative, an integral part of its National Cybersecurity Strategy whereby the U.S. government commits to deploying cyber hunt teams to regions and countries caught in the middle of ongoing cyber hostilities. Since operationalizing its Cyber National Mission Force (CNMF), U.S. Cyber Command (CYBERCOM) has developed a multi-team capability that includes being deployed to disrupt adversary operations in cyberspace. The CNMF has conducted at least 47 of these operations in 20 countries including Lithuania, Montenegro, and Ukraine, among others. The team’s successes have been acknowledged by the Secretary of Defense when he authorized the Force to become a subordinate command under CYBERCOM rubric. It’s clear that the United States is now willing to use the full extent of its reputed cyber capabilities to help allies and friends in need of its cyber expertise and power.
These two components – funding for partner cybersecurity and implementing active defense attacks – are indicative of the United States’ multi-lateral approach to improving its own cybersecurity by addressing global cybersecurity. Many have advocated international cooperation as an imperative given global interconnectivity but for a while there had been few actual tangible and collaborations yielding measurable results. This makes sense given the expanse of the operational environment, the larger understanding of the ever-evolving cybercrime ecosystem, the jurisdictions involved, cross-country legal requirements, and any other unforeseen issues that happen when countries cooperate. There have been law enforcement successes in taking down cybercrime markets and disrupting cybercrime gang operations, but when it has come to governments helping one another, efforts have largely seemed more symbolic engagement than practical, measurable collaboration.
And this appears to be what the United States is trying to change. President Biden has long espoused the United States’ consultation and cooperation with foreign partners as a cornerstone of his foreign policy. By extension, this philosophy has been ingrained in the U.S. cybersecurity strategy as well as through direct cyber engagement, a way to announce that the United States is back to reclaim its position as global cyber leader. Still, cyber diplomacy has changed over the past several years, and Washington’s biggest challenge may not selling the pitch as much as softening the perception of its own questionable activities in cyberspace, as adversaries like China try to exploit weaknesses in U.S. image, reputation, trust, and reliability.
Grant money and flexing cyber power are certainly compelling, but neither are assured paths to the top, nor do they guarantee keeping the position once there. How this strategy fares will largely be decided in if the United States can truly reclaim that desperately needed leadership position, or if the rest of the world prefers to hold back and see which cyber power will finally emerge as the primary influencer. Direct cyber engagement may be a new course to take, but the destination has always been there.