22 USC Ch. 110: INFORMATION SECURITY AND CYBER DIPLOMACY
From Title 22—FOREIGN RELATIONS AND INTERCOURSE

CHAPTER 110—INFORMATION SECURITY AND CYBER DIPLOMACY

Sec.
10301. United States international cyberspace policy.
10302. International cyberspace and digital policy strategy.
10303. Cybersecurity recruitment and retention.
10304. Short course on emerging technologies for senior officials.
10305. Establishment and expansion of Regional Technology Officer Program.
10306. Vulnerability disclosure policy and bug bounty program report.
10307. Digital Connectivity and Cybersecurity Partnership.
10308. Cyber protection support for personnel of the Department of State in positions highly vulnerable to cyber attack.


§10301. United States international cyberspace policy

(a) In general

It is the policy of the United States—

(1) to work internationally to promote an open, interoperable, reliable, and secure internet governed by the multi-stakeholder model, which—

(A) promotes democracy, the rule of law, and human rights, including freedom of expression;

(B) supports the ability to innovate, communicate, and promote economic prosperity; and

(C) is designed to protect privacy and guard against deception, malign influence, incitement to violence, harassment and abuse, fraud, and theft;


(2) to encourage and aid United States allies and partners in improving their own technological capabilities and resiliency to pursue, defend, and protect shared interests and values, free from coercion and external pressure; and

(3) in furtherance of the efforts described in paragraphs (1) and (2)—

(A) to provide incentives to the private sector to accelerate the development of the technologies referred to in such paragraphs;

(B) to modernize and harmonize with allies and partners export controls and investment screening regimes and associated policies and regulations; and

(C) to enhance United States leadership in technical standards-setting bodies and avenues for developing norms regarding the use of digital tools.

(b) Implementation

In implementing the policy described in subsection (a), the President, in consultation with outside actors, as appropriate, including private sector companies, nongovernmental organizations, security researchers, and other relevant stakeholders, in the conduct of bilateral and multilateral relations, shall strive—

(1) to clarify the applicability of international laws and norms to the use of information and communications technology (referred to in this subsection as "ICT");

(2) to reduce and limit the risk of escalation and retaliation in cyberspace, damage to critical infrastructure, and other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public;

(3) to cooperate with like-minded countries that share common values and cyberspace policies with the United States, including respect for human rights, democracy, and the rule of law, to advance such values and policies internationally;

(4) to encourage the responsible development of new, innovative technologies and ICT products that strengthen a secure internet architecture that is accessible to all;

(5) to secure and implement commitments on responsible country behavior in cyberspace, including commitments by countries—

(A) not to conduct, or knowingly support, cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors;

(B) to take all appropriate and reasonable efforts to keep their territories clear of intentionally wrongful acts using ICT in violation of international commitments;

(C) not to conduct or knowingly support ICT activity that intentionally damages or otherwise impairs the use and operation of critical infrastructure providing services to the public, in violation of international law;

(D) to take appropriate measures to protect the country's critical infrastructure from ICT threats;

(E) not to conduct or knowingly support malicious international activity that harms the information systems of authorized international emergency response teams (also known as "computer emergency response teams" or "cybersecurity incident response teams") of another country or authorize emergency response teams to engage in malicious international activity, in violation of international law;

(F) to respond to appropriate requests for assistance to mitigate malicious ICT activity emanating from their territory and aimed at the critical infrastructure of another country;

(G) not to restrict cross-border data flows or require local storage or processing of data; and

(H) to protect the exercise of human rights and fundamental freedoms on the internet, while recognizing that the human rights that people have offline also need to be protected online; and


(6) to advance, encourage, and support the development and adoption of internationally recognized technical standards and best practices.

(Pub. L. 117–263, div. I, title XCV, §9501, Dec. 23, 2022, 136 Stat. 3897.)


Statutory Notes and Related Subsidiaries

Support of Policy in United Nations

Pub. L. 117–263, div. I, title XCV, §9502(c), Dec. 23, 2022, 136 Stat. 3902, provided that: "The Permanent Representative of the United States to the United Nations should use the voice, vote, and influence of the United States to oppose any measure that is inconsistent with the policy described in section 9501(a) [22 U.S.C. 10301(a)]."

§10302. International cyberspace and digital policy strategy

(a) Strategy required

Not later than 1 year after December 23, 2022, the President, acting through the Secretary, and in coordination with the heads of other relevant Federal departments and agencies, shall develop an international cyberspace and digital policy strategy.

(b) Elements

The strategy required under subsection (a) shall include—

(1) a review of actions and activities undertaken to support the policy described in section 10301(a) of this title;

(2) a plan of action to guide the diplomacy of the Department with regard to foreign countries, including—

(A) conducting bilateral and multilateral activities—

(i) to develop and support the implementation of norms of responsible country behavior in cyberspace consistent with the commitments listed in section 10301(b)(5) of this title;

(ii) to reduce the frequency and severity of cyberattacks on United States individuals, businesses, governmental agencies, and other organizations;

(iii) to reduce cybersecurity risks to United States and allied critical infrastructure;

(iv) to improve allies' and partners' collaboration with the United States on cybersecurity issues, including information sharing, regulatory coordination and improvement, and joint investigatory and law enforcement operations related to cybercrime; and

(v) to share best practices and advance proposals to strengthen civilian and private sector resiliency to threats and access to opportunities in cyberspace; and


(B) reviewing the status of existing efforts in relevant multilateral fora, as appropriate, to obtain commitments on international norms regarding cyberspace;


(3) a review of alternative concepts for international norms regarding cyberspace offered by foreign countries;

(4) a detailed description, in consultation with the Office of the National Cyber Director and relevant Federal agencies, of new and evolving threats regarding cyberspace from foreign adversaries, state-sponsored actors, and non-state actors to—

(A) United States national security;

(B) the Federal and private sector cyberspace infrastructure of the United States;

(C) intellectual property in the United States; and

(D) the privacy and security of citizens of the United States;


(5) a review of the policy tools available to the President to deter and de-escalate tensions with foreign countries, state-sponsored actors, and private actors regarding—

(A) threats in cyberspace;

(B) the degree to which such tools have been used; and

(C) whether such tools have been effective deterrents;


(6) a review of resources required to conduct activities to build responsible norms of international cyber behavior;

(7) a review, in coordination with the Office of the National Cyber Director and the Office of Management and Budget, to determine whether the budgetary resources, technical expertise, legal authorities, and personnel available to the Department are adequate to achieve the actions and activities undertaken by the Department to support the policy described in section 10301(a) of this title;

(8) a review to determine whether the Department is properly organized and coordinated with other Federal agencies to achieve the objectives described in section 10301(b) of this title; and

(9) a plan of action, developed in coordination with the Department of Defense and in consultation with other relevant Federal departments and agencies as the President may direct, with respect to the inclusion of cyber issues in mutual defense agreements.

(c) Form of strategy

(1) Public availability

The strategy required under subsection (a) shall be available to the public in unclassified form, including through publication in the Federal Register.

(2) Classified annex

The strategy required under subsection (a) may include a classified annex.

(d) Briefing

Not later than 30 days after the completion of the strategy required under subsection (a), the Secretary shall brief the Committee on Foreign Relations of the Senate, the Select Committee on Intelligence of the Senate, the Committee on Armed Services of the Senate, the Committee on Foreign Affairs of the House of Representatives, the Permanent Select Committee on Intelligence of the House of Representatives, and the Committee on Armed Services of the House of Representatives regarding the strategy, including any material contained in a classified annex.

(e) Updates

The strategy required under subsection (a) shall be updated—

(1) not later than 90 days after any material change to United States policy described in such strategy; and

(2) not later than 1 year after the inauguration of each new President.

(Pub. L. 117–263, div. I, title XCV, §9503, Dec. 23, 2022, 136 Stat. 3902.)


Statutory Notes and Related Subsidiaries

Definitions

"Secretary" and "Department" as used in this section mean the Secretary and Department of State, unless otherwise specified, see section 9002 of Pub. L. 117–263, set out as a note under section 2651 of this title.

§10303. Cybersecurity recruitment and retention

(a) Sense of Congress

It is the sense of Congress that improving computer programming language proficiency will improve—

(1) the cybersecurity effectiveness of the Department; and

(2) the ability of foreign service officers to engage with foreign audiences on cybersecurity matters.

(b) Technology talent acquisition

(1) Establishment

The Secretary shall establish positions within the Bureau of Global Talent Management that are solely dedicated to the recruitment and retention of Department personnel with backgrounds in cybersecurity, engineering, data science, application development, artificial intelligence, critical and emerging technology, and technology and digital policy.

(2) Goals

The goals of the positions described in paragraph (1) shall be—

(A) to fulfill the critical need of the Department to recruit and retain employees for cybersecurity, digital, and technology positions;

(B) to actively recruit relevant candidates from academic institutions, the private sector, and related industries;

(C) to work with the Office of Personnel Management and the United States Digital Service to develop and implement best strategies for recruiting and retaining technology talent; and

(D) to inform and train supervisors at the Department on the use of the authorities listed in subsection (c)(1).

(3) Implementation plan

Not later than 180 days after December 23, 2022, the Secretary shall submit a plan to the appropriate congressional committees that describes how the objectives and goals set forth in paragraphs (1) and (2) will be implemented.

(4) Authorization of appropriations

There is authorized to be appropriated $750,000 for each of the fiscal years 2023 through 2027 to carry out this subsection.

(c) Annual report on hiring authorities

Not later than 1 year after December 23, 2022, and annually thereafter for the following 5 years, the Secretary shall submit a report to the appropriate congressional committees that includes—

(1) a list of the hiring authorities available to the Department to recruit and retain personnel with backgrounds in cybersecurity, engineering, data science, application development, artificial intelligence, critical and emerging technology, and technology and digital policy;

(2) a list of which hiring authorities described in paragraph (1) have been used during the previous 5 years;

(3) the number of employees in qualified positions hired, aggregated by position and grade level or pay band;

(4) the number of employees who have been placed in qualified positions, aggregated by bureau and offices within the Department;

(5) the rate of attrition of individuals who begin the hiring process and do not complete the process and a description of the reasons for such attrition;

(6) the number of individuals who are interviewed by subject matter experts and the number of individuals who are not interviewed by subject matter experts; and

(7) recommendations for—

(A) reducing the attrition rate referred to in paragraph (5) by 5 percent each year;

(B) additional hiring authorities needed to acquire needed technology talent;

(C) hiring personnel to hold public trust positions until such personnel can obtain the necessary security clearance; and

(D) informing and training supervisors within the Department on the use of the authorities listed in paragraph (1).

(d) Incentive pay for cybersecurity professionals

To increase the number of qualified candidates available to fulfill the cybersecurity needs of the Department, the Secretary shall—

(1) include computer programming languages within the Recruitment Language Program; and

(2) provide appropriate language incentive pay.

(e) Report

Not later than 1 year after December 23, 2022, and annually thereafter for the following 5 years, the Secretary shall provide a list to the appropriate congressional committees that identifies—

(1) the computer programming languages included within the Recruitment Language Program and the language incentive pay rate; and

(2) the number of individuals benefitting from the inclusion of such computer programming languages in the Recruitment Language Program and language incentive pay.

(Pub. L. 117–263, div. I, title XCV, §9506, Dec. 23, 2022, 136 Stat. 3904.)


Statutory Notes and Related Subsidiaries

Definitions

For definitions of "Department", "Secretary", and "appropriate congressional committees" as used in this section, see section 9002 of Pub. L. 117–263, set out as a note under section 2651 of this title.

§10304. Short course on emerging technologies for senior officials

(a) In general

Not later than 1 year after December 23, 2022, the Secretary shall develop and begin providing, for senior officials of the Department, a course addressing how the most recent and relevant technologies affect the activities of the Department.

(b) Throughput objectives

The Secretary should ensure that—

(1) during the first year that the course developed pursuant to subsection (a) is offered, not fewer than 20 percent of senior officials are certified as having passed such course; and

(2) in each subsequent year, until the date on which 80 percent of senior officials are certified as having passed such course, an additional 10 percent of senior officials are certified as having passed such course.

(Pub. L. 117–263, div. I, title XCV, §9507, Dec. 23, 2022, 136 Stat. 3906.)


Statutory Notes and Related Subsidiaries

Definitions

"Secretary" and "Department" as used in this section mean the Secretary and Department of State, see section 9002 of Pub. L. 117–263, set out as a note under section 2651 of this title.

§10305. Establishment and expansion of Regional Technology Officer Program

(a) Regional Technology Officer Program

(1) Establishment

The Secretary shall establish a program, which shall be known as the "Regional Technology Officer Program" (referred to in this section as the "Program").

(2) Goals

The goals of the Program shall include the following:

(A) Promoting United States leadership in technology abroad.

(B) Working with partners to increase the deployment of critical and emerging technology in support of democratic values.

(C) Shaping diplomatic agreements in regional and international fora with respect to critical and emerging technologies.

(D) Building diplomatic capacity for handling critical and emerging technology issues.

(E) Facilitating the role of critical and emerging technology in advancing the foreign policy objectives of the United States through engagement with research labs, incubators, and venture capitalists.

(F) Maintaining the advantages of the United States with respect to critical and emerging technologies.

(b) Implementation plan

Not later than 180 days after December 23, 2022, the Secretary shall submit an implementation plan to the appropriate congressional committees that outlines strategies for—

(1) advancing the goals described in subsection (a)(2);

(2) hiring Regional Technology Officers and increasing the competitiveness of the Program within the Foreign Service bidding process;

(3) expanding the Program to include a minimum of 15 Regional Technology Officers; and

(4) assigning not fewer than 2 Regional Technology Officers to posts within—

(A) each regional bureau of the Department; and

(B) the Bureau of International Organization Affairs.

(c) Annual briefing requirement

Not later than 180 days after December 23, 2022, and annually thereafter for the following 5 years, the Secretary shall brief the appropriate congressional committees regarding the status of the implementation plan required under subsection (b).

(d) Authorization of appropriations

There is authorized to be appropriated up to $25,000,000 for each of the fiscal years 2023 through 2027 to carry out this section.

(Pub. L. 117–263, div. I, title XCV, §9508, Dec. 23, 2022, 136 Stat. 3906.)


Statutory Notes and Related Subsidiaries

Definitions

For definitions of "Secretary", "appropriate congressional committees", and "Department" as used in this section, see section 9002 of Pub. L. 117–263, set out as a note under section 2651 of this title.

§10306. Vulnerability disclosure policy and bug bounty program report

(a) Definitions

In this section:

(1) Bug bounty program

The term "bug bounty program" means a program under which an approved individual, organization, or company is temporarily authorized to identify and report vulnerabilities of internet-facing information technology of the Department in exchange for compensation.

(2) Information technology

The term "information technology" has the meaning given such term in section 11101 of title 40.

(b) Vulnerability Disclosure Policy

(1) In general

Not later than 180 days after December 23, 2022, the Secretary shall design, establish, and make publicly known a Vulnerability Disclosure Policy (referred to in this section as the "VDP") to improve Department cybersecurity by—

(A) creating Department policy and infrastructure to receive reports of and remediate discovered vulnerabilities in line with existing policies of the Office of Management and Budget and the Department of Homeland Security Binding Operational Directive 20–01 or any subsequent directive; and

(B) providing a report on such policy and infrastructure to Congress.

(2) Annual reports

Not later than 180 days after the establishment of the VDP pursuant to paragraph (1), and annually thereafter for the following 5 years, the Secretary shall submit a report on the VDP to the Committee on Foreign Relations of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Select Committee on Intelligence of the Senate, the Committee on Foreign Affairs of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Permanent Select Committee on Intelligence of the House of Representatives that includes information relating to—

(A) the number and severity of all security vulnerabilities reported;

(B) the number of previously unidentified security vulnerabilities remediated as a result;

(C) the current number of outstanding previously unidentified security vulnerabilities and Department of State remediation plans;

(D) the average time between the reporting of security vulnerabilities and remediation of such vulnerabilities;

(E) the resources, surge staffing, roles, and responsibilities within the Department used to implement the VDP and complete security vulnerability remediation;

(F) how the VDP identified vulnerabilities are incorporated into existing Department vulnerability prioritization and management processes;

(G) any challenges in implementing the VDP and plans for expansion or contraction in the scope of the VDP across Department information systems; and

(H) any other topic that the Secretary determines to be relevant.

(c) Bug bounty program report

(1) In general

Not later than 180 days after December 23, 2022, the Secretary shall submit a report to Congress that describes any ongoing efforts by the Department or a third-party vendor under contract with the Department to establish or carry out a bug bounty program that identifies security vulnerabilities of internet-facing information technology of the Department.

(2) Report

Not later than 180 days after the date on which any bug bounty program is established, the Secretary shall submit a report to the Committee on Foreign Relations of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Foreign Affairs of the House of Representatives, and the Committee on Homeland Security of the House of Representatives regarding such program, including information relating to—

(A) the number of approved individuals, organizations, or companies involved in such program, disaggregated by the number of approved individuals, organizations, or companies that—

(i) registered;

(ii) were approved;

(iii) submitted security vulnerabilities; and

(iv) received compensation;


(B) the number and severity of all security vulnerabilities reported as part of such program;

(C) the number of previously unidentified security vulnerabilities remediated as a result of such program;

(D) the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans for such outstanding vulnerabilities;

(E) the average length of time between the reporting of security vulnerabilities and remediation of such vulnerabilities;

(F) the types of compensation provided under such program;

(G) the lessons learned from such program;

(H) the public accessibility of contact information for the Department regarding the bug bounty program;

(I) the incorporation of bug bounty program identified vulnerabilities into existing Department vulnerability prioritization and management processes; and

(J) any challenges in implementing the bug bounty program and plans for expansion or contraction in the scope of the bug bounty program across Department information systems.

(Pub. L. 117–263, div. I, title XCV, §9509, Dec. 23, 2022, 136 Stat. 3907.)


Statutory Notes and Related Subsidiaries

Definitions

"Department" and "Secretary" as used in this section mean the Department and Secretary of State, unless otherwise specified, see section 9002 of Pub. L. 117–263, set out as a note under section 2651 of this title.

§10307. Digital Connectivity and Cybersecurity Partnership

(a) Digital Connectivity and Cybersecurity Partnership

The Secretary is authorized to establish a program, which may be known as the "Digital Connectivity and Cybersecurity Partnership", to help foreign countries—

(1) expand and increase secure internet access and digital infrastructure in emerging markets, including demand for and availability of high-quality information and communications technology (ICT) equipment, software, and services;

(2) protect technological assets, including data;

(3) adopt policies and regulatory positions that foster and encourage open, interoperable, reliable, and secure internet, the free flow of data, multi-stakeholder models of internet governance, and pro-competitive and secure ICT policies and regulations;

(4) access United States exports of ICT goods and services;

(5) expand interoperability and promote the diversification of ICT goods and supply chain services to be less reliant on imports from the People's Republic of China;

(6) promote best practices and common standards for a national approach to cybersecurity; and

(7) advance other priorities consistent with paragraphs (1) through (6), as determined by the Secretary.

(b) Use of funds

Funds made available to carry out this section may be used to strengthen civilian cybersecurity and information and communications technology capacity, including participation of foreign law enforcement and military personnel in non-military activities, notwithstanding any other provision of law, provided that such support is essential to enabling civilian and law enforcement of cybersecurity and information and communication technology related activities in their respective countries.

(c) Implementation plan

Not later than 180 days after December 22, 2023, the Secretary shall submit to the appropriate congressional committees, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Oversight and Accountability of the House of Representatives an implementation plan for the coming year to advance the goals identified in subsection (a).

(d) Consultation

In developing and operationalizing the implementation plan required under subsection (c), the Secretary shall consult with—

(1) the appropriate congressional committees, the Committee on Appropriations of the Senate, and the Committee on Appropriations of the House of Representatives;

(2) United States industry leaders;

(3) other relevant technology experts, including the Open Technology Fund;

(4) representatives from relevant United States Government agencies; and

(5) representatives from like-minded allies and partners.

(e) Authorization of appropriations

For the purposes of carrying out this section, funds authorized to be appropriated to carry out chapter 4 of part II of the Foreign Assistance Act of 1961 (22 U.S.C. 2346 et seq.) may be made available, notwithstanding any other provision of law to strengthen civilian cybersecurity and information and communications technology capacity, including for participation of foreign law enforcement and military personnel in non-military activities, and for contributions to international organizations and international financial institutions of which the United States is a member. Such funds shall remain available until expended.

(Pub. L. 118–31, div. F, title LXIII, §6306, Dec. 22, 2023, 137 Stat. 989.)


Editorial Notes

References in Text

The Foreign Assistance Act of 1961, referred to in subsec. (e), is Pub. L. 87–195, Sept. 4, 1961, 75 Stat. 424. Chapter 4 of part II of the Act is classified generally to part IV (§2346 et seq.) of subchapter II of chapter 32 of this title. For complete classification of this Act to the Code, see Short Title note set out under section 2151 of this title and Tables.


Statutory Notes and Related Subsidiaries

Definitions

For definitions of "Secretary" and "appropriate congressional committees" as used in this section, see section 6002 of Pub. L. 118–31, set out as a note under section 2651 of this title.

§10308. Cyber protection support for personnel of the Department of State in positions highly vulnerable to cyber attack

(a) Definitions

In this section:

(1) At-risk personnel

The term "at-risk personnel" means personnel of the Department—

(A) whom the Secretary determines to be highly vulnerable to cyber attacks and hostile information collection activities because of their positions in the Department; and

(B) whose personal technology devices or personal accounts are highly vulnerable to cyber attacks and hostile information collection activities.

(2) Personal accounts

The term "personal accounts" means accounts for online and telecommunications services, including telephone, residential internet access, email, text and multimedia messaging, cloud computing, social media, health care, and financial services, used by Department personnel outside of the scope of their employment with the Department.

(3) Personal technology devices

The term "personal technology devices" means technology devices used by personnel of the Department outside of the scope of their employment with the Department, including networks to which such devices connect.

(b) Requirement to provide cyber protection support

The Secretary, in consultation with the Secretary of Homeland Security and the Director of National Intelligence, as appropriate—

(1) shall offer cyber protection support for the personal technology devices and personal accounts of at-risk personnel; and

(2) may provide the support described in paragraph (1) to any Department personnel who request such support.

(c) Nature of cyber protection support

Subject to the availability of resources, the cyber protection support provided to personnel pursuant to subsection (b) may include training, advice, assistance, and other services relating to protection against cyber attacks and hostile information collection activities.

(d) Privacy protections for personal devices

The Department is prohibited pursuant to this section from accessing or retrieving any information from any personal technology device or personal account of Department employees unless—

(1) access or information retrieval is necessary for carrying out the cyber protection support specified in this section; and

(2) the Department has received explicit consent from the employee to access a personal technology device or personal account prior to each time such device or account is accessed.

(e) Rule of construction

Nothing in this section may be construed—

(1) to encourage Department personnel to use personal technology devices for official business; or

(2) to authorize cyber protection support for senior Department personnel using personal devices, networks, and personal accounts in an official capacity.

(f) Report

(1) In general

Not later than 180 days after December 22, 2023, the Secretary shall submit to the appropriate committees of Congress a report regarding the provision of cyber protection support pursuant to subsection (b), which shall include—

(A) a description of the methodology used to make the determination under subsection (a)(1); and

(B) guidance for the use of cyber protection support and tracking of support requests for personnel receiving cyber protection support pursuant to subsection (b).

(2) Appropriate committees of Congress defined

In this subsection, the term "appropriate committees of Congress" means—

(A) the appropriate congressional committees;

(B) the Select Committee on Intelligence and the Committee on Homeland Security and Governmental Affairs of the Senate; and

(C) the Permanent Select Committee on Intelligence and the Committee on Oversight and Accountability of the House of Representatives.

(Pub. L. 118–31, div. F, title LXIII, §6308, Dec. 22, 2023, 137 Stat. 993.)


Statutory Notes and Related Subsidiaries

Definitions

For definitions of "Department", "Secretary", and "appropriate congressional committees" as used in this section, see section 6002 of Pub. L. 118–31, set out as a note under section 2651 of this title.