America's cyber ambassador on how to spend $50 million in foreign aid
Congress gave America’s first cyber ambassador tens of millions of dollars to help other countries respond to hacks and expand secure internet access, and he has a grand vision for how to spend it.
The government funding bill that President Joe Biden signed in late March included $50 million for the State Department’s Cyberspace, Digital Connectivity and Related Technologies Fund, which lawmakers created in December. The new cyber aid fund represents one of the first big tests for Nathaniel Fick, the U.S. ambassador-at-large for cyberspace and digital policy, who leads State’s relatively new cyber diplomacy bureau.
“We need to demonstrate in the year ahead … that we are generating outsized returns for the United States and for our allies and partners in real security capacity, in real inclusive connectivity,” Fick, a former Marine Corps officer, cybersecurity CEO and venture capitalist, told Recorded Future News in a recent interview.
Fick will have to balance multiple competing priorities as he doles out funds. Proactive projects to build resilience, or reactive emergency aid during a crisis? How much for laying new undersea cables to boost island nations’ connectivity, and how much for promoting Western 5G equipment over cheaper Chinese alternatives? Paying for other governments’ cyberdefenses, or training those governments to improve their own systems?
The stakes are high for Fick’s office. Cyber experts hope the new fund will transform the U.S. government’s approach to economic competition with China, turbocharge its ability to defend partner nations like Ukraine and Israel from Russian and Iranian aggression and enhance the appeal of the United States’ pitch for a safer, freer internet.
“This is a big deal,” said Chris Painter, the top U.S. cyber diplomat from 2011 to 2017. “[Foreign] aid pays huge dividends for all of the U.S.’s cyber and digital programs, bolsters international security and is foundational to garnering greater international cooperation against shared threats.”
A boost for Biden’s cyber strategy
In authorizing the fund as part of the fiscal 2024 defense policy bill, Congress gave Fick a number of suggestions for how to spend the money, including helping partner governments develop the capability to investigate cybercrimes, training foreign counterparts to participate in global cyber policy discussions and promoting “innovation and competition.” But the Biden administration also has its own ideas.
The State Department sees the new fund as a potent tool for advancing its high-level cyber-diplomacy priorities, which include outfoxing China in the race to hone emerging technologies and bolstering the United States’ participation in the highly technical working groups and international conferences where experts hammer out fundamental technological standards.
Projects that directly support these goals — which are laid out in documents like the National Cybersecurity Strategy and the forthcoming International Cyber and Digital Strategy — “are naturally going to float higher on the list” during spending discussions, Fick said.
Officials also will prioritize projects that support what Fick called “consequential middle-ground states” — nations in regions like Latin America and Africa that are “somewhat aligned” with the U.S. but also “somewhat persuadable” by adversaries like Russia and China.
Another factor is how ready a country is to put the money to good use. “Some can absorb a lot, and some, frankly, can't,” Fick said. “In some places, we’re going right into AI governance training, but in other places, it's basic connectivity and very fundamental cyber-hygiene.”
Fick and his team are currently in the process of identifying the fund’s first tranche of recipients. He said he’s inclined to focus on a small number of projects and “do a few things really well, rather than spread [funding] too thin.”
Cables and carriers
Several of the administration’s guiding principles offer clues to where the initial funds could go.
Fick cited three themes: the need to zoom out from things like antivirus software and look at the entire technology ecosystem, including wireless networks, satellites and undersea cables; “digital solidarity,” or the idea that “we need to hang together with our like-minded allies and partners” on tech issues; and the importance of encouraging technology that promotes human rights.
“Rights-respecting technology” is particularly vital, Fick said, given the threat posed by authoritarian nations with “a very different view of the appropriate role of tech among their own citizens and with other countries in the world.” The Biden administration wants to fund projects that demonstrate the appeal of the United States’ internet-freedom agenda.
At the moment, the administration is especially focused on undersea cables, which are so important to commerce and communications that disruptions to them can wreak havoc on entire continents, as the ongoing cable repairs in West Africa have demonstrated. The U.S. and close Asia-Pacific allies like Japan and Australia are working together to lay cables that ensure internet connectivity without dependence on Chinese infrastructure. And with the main “trunk cables” already set for deployment, now is the least expensive time to lay “spur cables” that branch off and expand internet connectivity to far-flung island nations — including Micronesia, where China is challenging U.S. influence.
“It's a lot more expensive and disruptive to go back and do retrofits later,” Fick said. “And obviously, there's a geostrategic imperative here.”
With market incentives discouraging this kind of investment by the private sector, connecting the many widely scattered Pacific nations to the internet would be “a good early use of the fund,” Fick said.
In addition to undersea cables, trustworthy data centers are a national security imperative at a time when smart infrastructure and artificial intelligence are demanding increasing amounts of computing power and storage space. But like undersea cables, the U.S. hasn’t devoted enough energy or money to data centers, Fick said.
“It doesn't make any sense to have a trusted wireless network that is running alongside a Huawei data center that is connected via Huawei cable,” Fick said. “We have to think about these things a little bit more holistically.”
Of course, those trusted wireless networks still matter, and the new fund could help the U.S. convince other countries to deploy 5G using Western equipment instead of Chinese gear.
The U.S. and close cyber ally Costa Rica recently co-hosted a Regional 5G Network Workshop that brought together representatives from 15 countries and multiple telecom companies. Speaking before the summit, Fick said it would give the U.S. crucial insights about which countries are preparing to solicit bids for their 5G buildouts.
“It's incumbent upon us to make it cost-competitive” to choose Western vendors, Fick said. “There will be some opportunities coming out of that discussion in Latin America.”
Balancing acts
In doling out money, the State Department will have to balance two essential tasks: training partner countries to handle cyber incidents and digital policy issues themselves, and providing emergency aid to countries besieged by hackers.
The demand for cybersecurity training — known in the diplomacy business as “capacity building” — is “overwhelming,” Fick said. The State Department is improving its ability to provide “scalable and cost-effective” training, he added, which should help the department get the most value out of the limited dollars it can devote to this work.
Ukraine, a major recipient of U.S. cyber aid, is a natural candidate for some of this proactive support as it continues to repel a Russian invasion that has at times included aggressive cyberattacks.
If capacity building is the carefully planned proactive side of the equation, the reactive side — scrambling to support a partner facing a hacking emergency — is much harder to anticipate, which means it’s also harder to budget for.
“Bad things are going to happen in the world, and we're not going to be able to predict where those are, which is why we have to keep some powder dry,” Fick said. “We need to make sure that we have the capacity to respond robustly and quickly 24/7/365.”
The U.S. sent cyber response teams and aid funds to Albania in 2022 and Costa Rica in 2023 following major cyberattacks on those countries by the Iranian government and a Russian ransomware gang, respectively. “When the chips are down,” Fick said, “we are able to find the capacity.”
After an incident ends, capacity building plays a role in ensuring that the victim doesn’t come to depend on U.S. aid. The State Department and the Pentagon helped Albania launch a cybersecurity operations center and are helping Costa Rica do the same. U.S. support is about “catalyzing independence” for those countries, Fick said.
Lessons from the past
The creation of the new fund didn’t trigger a rush of aid requests from foreign governments — but only because those requests have been piling up for years.
“It's not like now we have people lined up outside the door and we didn't last week,” Fick said.
And as Fick’s team sketches out the contours of the new fund, they’re trying to fix problems that have bedeviled prior foreign-assistance programs.
One is flexibility. “One of the problems with the old [aid] model that we're trying to update is how heavily earmarked it was,” Fick says. Using military jargon, he asserted his intent to maintain his discretion to pick the best projects without preconditions: “We have an opportunity here to sustain our room for maneuver, and I don't want to cede that.”
Another challenge is speed. Requiring multiple agencies to sign off on every spending decision “is not a recipe for moving at the speed of our adversaries and moving at the speed of technology,” Fick said.
Finally, there’s the choice of private-sector partners. Fick is adamant that, when it’s time to pay for cyber incident response or antivirus software, his team will consider “a wide range of vendors,” not just the biggest or most politically connected firms. “I want to be able to go to the most effective tool for the problem we're trying to solve,” he said.
The scale of the world’s need for cyber aid is daunting. But while “demand is certainly going to outstrip supply,” Fick said, the fund’s initial $50 million budget is “a big step in the right direction.”
And Fick knows that how he spends the fund’s first allotment will go a long way toward determining whether Congress gives him more money.
The initial infusion is “is a big vote of confidence” in State’s new cyber bureau, Fick said. “Now it's on us in the year ahead to prove that we can invest it well.”
Eric Geller
is a freelance cybersecurity journalist covering all things digital security. He previously reported on cybersecurity for The Daily Dot, Politico, and The Messenger.