In the What’s Next? section of our recent analysis of the U.S. Turning Strategic Focus Towards Cyber Threat Vectors in Guam, Albania, and Costa Rica, we mentioned that we would continue to follow the money. Specifically: Where is The State Department sending the next $25 Million block of cash to aid in a regional response to a major cyberattack? Sure enough: we have been tracking this week a significant proposal – formalizing The State Department cyber aid program represented by the initial monies offered to Costa Rica and Albania during their cyberattack crises.
State Department, Congress Working on Formal Program for US Cyber Aid
As reported by Martin Matishak at The Record:
The State Department’s roving ambassador for cybersecurity, Iraq combat vet Nate Fick, recently said the department would “push” for a special, flexible fund to assist friendly foreign countries in cybersecurity crises, adding he was optimistic Congress would approve the necessary changes to statute. “We’re in a two-way conversation on it right now,” Nathaniel Fick, the ambassador at large for the State Department’s Bureau of Cyberspace and Digital Policy, said during a Defense Writers Group Breakfast. “And my sense is there’s pretty broad bipartisan support for it on the Hill,” he added, without mentioning specific congressional offices. “I think there’s a pretty broad awareness that we need to do it now.”
The fund is part one of a three-part plan, as reported by Sydney J. Freedberg, Jr. at Breaking Defense, Fick laid out in the following manner to “‘close the gap [in] global demand for capacity building, ‘ including:
- ‘A push for a dedicated cyber assistance fund. We did it after 9/11 for counterterrorism, we should do it now,’ [Fick] said of the fund last week in the final minutes of an Atlantic Council panel with other senior cyber officials from Justice, Homeland Security, and the White House. “We don’t have the mechanisms in place for a rapid, dedicated response. That would help a lot, and I think there’s support for it on the Hill.”
- ‘We need to get beyond flying people around the world to deliver hands-on capacity building,’ he said. ‘That’s necessary, but it’s insufficient. [We can] deliver scaled capacity building using online tools that we do to complement in-person delivery. So we need to modernize our delivery mechanisms for basic cyber capacity building globally.’
- Third – and ‘this is a lesson I think we saw in Ukraine; we’ve seen it in Albania in the wake of the Iranian cyber attack – there’s a large role for the private sector here, where we can play a brokering and introduction kind of role, but they’re not government dollars being used, and we can bring a lot of private sector capacity to bear quickly.'” (2)
The Need for Speed: Procurement of Global Cyber Aid, Accelerants and Exponential Innovation
It continues to surprise us how often we have to find a needle in a haystack in coverage of the accelerants and exponential innovation at play in the USG, the broader economy, and society at large. OODA Loop props go out to Feedberg, Jr. over at Breaking Defense for this important analysis of the exponential structural drivers behind Nick’s three-part plan:
- The State Department did not respond to Breaking Defense’s request for more information about the funding or Fick’s broader plan, but it’s probably no coincidence that all three pillars militate for greater speed.
- More flexible funding means not having to wait for the congressional appropriations cycle, where even emergency supplemental funds take months to pass and regular budgets take a year, not counting years of prep work within the executive branch.
- More online training means helping foreign partners get the skills they need without having to wait for an American expert to fly out.
- And more mobilization of the private sector means the US can facilitate a response from whatever company is quickest, without waiting for government processes at all.
- Speed matters because cyber attacks often happen without warning and rapidly evolve even after discovery. Now, it may take weeks or months for hackers to gain access to a system, scout out its weak points, and tailor the software to exploit them, but once the groundwork’s laid, a damaging attack or theft of data can take place in seconds.
- And it’s strategically important to help targets when they’re hurting most, not months after, noted another federal official speaking alongside Fick.
“When people experience cyber attacks, whether it’s companies, whether it’s individuals, whether it’s nation-states, they’re at their most vulnerable,” said Marshal Miller, a former prosecutor who’s now principal associate deputy Attorney General at the Department of Justice. “When we as a government can help those folks at that moment, that’s an incredible relationship-building opportunity.”
The FBI, for example, has “cyber action teams… ready to move to any part of the globe to help an ally or a partner, [such as] recently, Montenegro, Costa Rica, [and] other countries,” Miller continued. “We’ve been able to help them when they’re at their most vulnerable and that’s a great way to not only defend [friends] and disrupt [foes], but also build alliances and relationships.” Sometimes the US even manages to get in ahead of the crisis, as with the military team US Cyber Command deployed to Ukraine three months before Russia’s February 2022 invasion. (2)
What Next?
“It’s dollars. It’s software. It’s capacity building, and training people. But it’s also … conceptual assistance. It’s organizational assistance. It’s cultural assistance…”
Ambassador at Large, State Department, Bureau of Cyberspace and Digital Policy, Nate Fick’s comments on:
The Cyber Assistance Fund
- The effort would include a fund dedicated to technology support, as well as other forms of assistance.
- The goal is “to think a little bit more holistically about what assistance means.”
- Fick said the existing U.S. assistance mechanism is “not architected” for such matters, especially cybersecurity.
- “There has to be some weird sense of prioritization and our cyber assistance needs to serve our foreign policy priorities. The number’s not 25 million bucks times 192. That’s not the number,” he said, referring to the number of existing nations. “But we’re in the process of figuring out what can both meet the need and be achievable.”
- The cyber assistance effort would not necessarily have to be cut out of whole cloth, but rather increases in technology assistance “ideally” would “come mostly from a reapportionment of other resources, because it can’t just all be net new.”
- “I am under no illusion we cannot and should not look to deliver sort of Albania-like levels of assistance everywhere that’s needed,” according to Fick, who traveled to the country in the wake of the Iranian cyber strikes. (1) (2)
The Three-Part Plan
- “It’s dollars. It’s software. It’s capacity building, and training people. But it’s also … conceptual assistance. It’s organizational assistance. It’s cultural assistance,” he told reporters. “A lot of time and effort and energy and expertise goes into building out a strategy or building out a set of best practices … These things exist within the U.S. government. We are now providing those kinds of templates to our partners so they don’t have to reinvent the wheel. They have to tailor it for their unique circumstance.”
- “It doesn’t have the kind of flexibility that you need to address cyber issues,” he said. For example, “a lot of assistance dollars are actually not able to support military or law enforcement organizations. That’s a challenge in the cybersecurity space when those are exactly the organizations that own those capabilities in partner countries where we may want to go help out.”
- He also added there is a “full pipeline of conversations” simultaneously underway with nations around the globe for assistance activities. He did not mention any specific countries.
- The cyber diplomat also said he didn’t have an exact dollar figure in mind for the program.
- More broadly, “the demand for capacity building and [cyber] literacy support around the world is absolutely overwhelming,” Fick said. “And it takes a bunch of a bunch of different forms… We tend to think of it in terms of technology capacity building; that’s only a piece.”
- “One of the greatest areas of assistance that we can give allies and partners is actually in the conceptual arena, the cultural arena, the strategic arena,” Fick continued. “Sure, approaches have to be tailored to unique national circumstances, but a lot of what we’ve done across the different parts of the US government can in fact be templated and customized [to fit our allies]. Let’s not reinvent the wheel.”
- The bureau aims to have a cyber officer in every U.S. embassy around the world by the end of 2024, Fick said.
- But for all the US is already doing, the appetite for such assistance, leadership, and ideas in cyberspace is tremendous, said Fick.
- “I was in Brussels on March 2, the day that the [US National Cybersecurity] strategy was released, and I really got a visceral sense of the hunger on the part of our NATO allies and our colleagues across the [European Union]. I spent the entire day fielding very specific, detailed, insightful questions that come only from reading it closely and thinking deeply about it. So make no mistake, our national strategy is of great interest to allies and partners around the world.” (1) (2)
The U.S. Turns Strategic Focus Towards Cyber Threat Vectors in Guam, Albania, and Costa Rica
The OODA Network on the 2023 National Cybersecurity Strategy
The Missing Piece of the National Cybersecurity Strategy
“The Era of the Global Internet is Over” According to CFR Task Force Report
The New State Department Bureau of Cyberspace and Digital Policy
Nate Fick Confirmed to Lead State Department Bureau of Cyberspace and Digital Policy
Nate Fick on Dynamic Leadership and Adapting to Change
Nate Fick on His Early Career, Writing ‘One Bullet Away’, The Stoics and Dynamic Leadership (Part 1 of 2)
