The U.S. and its allies face expanding foreign cyber threats as international trade, communication, and critical infrastructure grow increasingly dependent on cyberspace. In 2019, the State Department said it would establish a Bureau of Cyberspace Security and Emerging Technologies (CSET) to focus on the issue.
Now, a Government Accountability Office (GAO) review has found that while State works with other federal agencies on international cyber issues, it has not informed or involved these partners in planning the new bureau, which could increase the risks of duplicating efforts and more.
Officials from six agencies that work with State on cyber diplomacy efforts told GAO that State did not inform or involve them in the development of its plan to establish CSET. They also said they were unaware of the plan. The Departments of Commerce, Defense, Energy, Homeland Security, Justice, and Treasury generally work with State on cyber diplomacy issues in a decentralized manner through a number of State bureaus, offices, and overseas missions. Officials from these agencies told GAO that they work with State both through formal mechanisms, such as the National Security Council’s Cyber Response Group, and through informal or ad hoc mechanisms.
State officials confirmed that, as of March 2020, they had not consulted with other agencies about their plan for establishing CSET as described in the department’s June 2019 Congressional Notification. GAO’s review found State has not initiated a process to involve other federal agencies in the development of its plans for the new CSET bureau. State officials told GAO that they were not obligated to consult with other agencies before completing the CSET plan because it was an internal decision.
GAO recommends that the Secretary of State should ensure that State involves federal agencies that contribute to cyber diplomacy to obtain their views and identify any risks, such as unnecessary fragmentation, overlap, and duplication of these efforts, as it implements its plan to establish the Bureau of Cyberspace Security and Emerging Technologies.
State did not concur, noting it was unaware that any of the other agencies GAO spoke with had consulted with State before reorganizing their cyberspace security organizations, and thus suggesting this is not a widely adopted practice in the U.S. government.
State also disagreed that it should consider other agencies as stakeholders in an internal State reform and noted the department had consulted with Congress and stakeholders within the department. In addition, State noted that consolidating security related aspects of cyberspace policy within CSET would enable it to have a more effective engagement with interagency stakeholders by reducing or better managing program fragmentation, overlap, and duplication. Finally, State asserted that its current processes for coordinating with the cited agencies avoid unnecessary fragmentation, overlap, and duplication of cyber diplomacy efforts and it has not proposed changing these processes.
GAO countered these arguments and pointed to prior work that has shown that successful reforms require an integrated approach that involves key stakeholders and others. The watchdog added that consulting with agencies on the reorganization plan would enable State to incorporate their insights from a frontline perspective as well as help to facilitate the development of State’s reform goals and objectives for CSET.
GAO concluded that State has provided no evidence to support its assertion that its current processes avoid fragmentation, overlap, and duplication, or that its reorganization plan will mitigate any risks. It will therefore continue to monitor and review State’s overall planning process for establishing CSET as part of ongoing work on this topic.
