The State Department erred by not consulting with other agencies in developing plans for a new bureau of cyberspace security and emerging technologies, the Government Accountability Office concluded.
“While State is not legally obligated to involve other agencies in the development of its plans for the new bureau, our prior work on government reforms and reorganizations has shown that it is important for agencies to directly and continuously involve key stakeholders, including agencies supporting similar goals, to develop proposed reforms, such as State’s plan for establishing CSET,” reads a report GAO released Tuesday.
Last June, the State Department told Congress that the new bureau was necessary to improve coordination with other agencies working on national security issues, but the department later told GAO that plans for the new bureau don’t involve changing any of its current procedures for avoiding fragmentation or overlap with other agencies.
State said the reorganization of its affairs—the new bureau would merge staff from its office of the coordinator for cyber issues and the office of emerging security challenges within the bureau of arms control, verification and compliance—was an internal matter and that it would add to its capacity to engage on cyber issues internationally.
Among other agencies, GAO interviewed officials at the Department of Homeland Security, which is also looking to increase its international engagement. “DHS officials told us that they would like to be aware of State’s activities and would offer insights if they had access to State’s CSET bureau plans,” GAO wrote.
The report said potential negative effects include increased costs or inefficiencies from unnecessary overlap or duplication of efforts. At the same time, another GAO report, released on the same day, notes progress in the government’s attempt to coordinate cyber activities, but recommends Congress and the National Security Council take action to improve the effectiveness of the administration’s national cyber strategy.
“Although the reports aren’t directly related to each other, both emphasize the need for clearer coordination across the federal government on cyber issues,” GAO’s Nick Marinos told Nextgov. “Clarity in overall leadership and methods to know that federal agencies are coordinating on key topics such as cyber diplomacy could help us ensure that we are headed in the right direction toward overcoming these urgent challenges as a nation.”
GAO noted it has been calling for a comprehensive strategy and clearly defined leadership for more than a decade. In September 2018, the White House released its national cyber strategy, but an implementation plan describing which agencies would be responsible for various parts of the plan was never made public.
GAO has now reviewed the implementation plan and the new report notes that while the national cyber strategy addresses “organizational roles, responsibilities, and coordination,” by assigning parts of the strategy to various agencies, crucial accountability measures are missing.
“NSC staff stated that federal entities are responsible for determining the status of the activities that they lead or support, and for communicating the status of implementation to relevant NSC staff members,” GAO wrote. “However, the implementation plan also states that a federal entity responsible for a specific activity can exclude itself from reporting this information if it determines that a respective activity is ongoing and has no discrete goals or measures of performance.”
GAO recommended the NSC update its strategy documents to include such goals and performance measures, as well as resource information. It also recommended Congress consider legislation to designate a leadership position in the White House with commensurate authorities. Then-National Security Director John Bolton eliminated the role of White House cyber coordinator in 2018.
“We requested an explanation from the NSC as to which official or officials now maintain responsibility for the duties previously attributed to the Cyber Coordinator position,” GAO said. “NSC staff stated the Cyber directorate and corresponding senior director, who reports to the Assistant to the President for National Security, now fulfill those duties, but did not provide a description of what those responsibilities include.”
Members of the Cyberspace Solarium Commission touted the report to promote provisions in the next National Defense Authorization Act that would create an office of a National Cyber Director staffed with about 70 full-time employees.
“Today’s GAO report is further confirmation of the Solarium Commission’s conclusion that strong, central leadership is needed to address increasing cyber threats,” members of the commission wrote.