The Department of State notified Congress in 2019 of its plan to create a new bureau to focus on cybersecurity and the security aspects of emerging technologies. In January 2021, the Secretary approved the bureau’s creation. The Chair and Ranking Member of a House committee asked the Government Accountability Office (GAO) to review State’s efforts to advance U.S. interests in cyberspace.
In its report, released on January 28, GAO said State did not demonstrate that it used data and evidence to develop its proposal for establishing the new Bureau of Cyberspace Security and Emerging Technologies (CSET). In response to GAO requests for such data and evidence, State provided GAO with briefing slides outlining different options for the new bureau and an action memo, approved by the Secretary of State. The memo recommended that CSET focus on cyberspace security and the security aspects of emerging technologies and report to the Under Secretary for Arms Control and International Security, while the Bureau of Economic and Business Affairs (EB) would continue to have responsibility for digital economy issues.
However, State did not explain how it would address any challenges associated with the decision on CSET’s organizational placement. For example, the memo did not address how State would coordinate internally on the cybersecurity aspects of digital economy policy issues with cyber diplomacy functions split between CSET and EB. The memo also did not specify how State would develop consolidated positions and set priorities for State’s international cyberspace efforts, given the separation of these issues. Moreover, neither the briefing nor the action memo contained analyses supporting the additional details laid out in State’s 2019 notification to Congress on CSET, including support for proposed resource allocations for the new bureau. Without developing data and evidence to support its proposal for the new bureau, GAO maintains that State lacks assurance that its proposal will effectively set priorities and allocate appropriate resources for the bureau to achieve its intended goals.
GAO recommends that the Secretary of State should ensure that State uses data and evidence to justify its current proposal, or any new proposal, to establish the Bureau of Cyberspace Security and Emerging Technologies to enable the bureau to effectively set priorities and allocate resources to achieve its goals. While State disagreed with GAO’s characterization of its use of data and evidence to develop its proposal for CSET, it agreed that reviewing such information to evaluate program effectiveness can be useful. State commented that it has provided GAO with appropriate material on its decision to establish CSET and has not experienced challenges in coordinating cyberspace security policy across the department while the CSET proposal has been in discussion. State concluded that this provides assurance that CSET will allow the new bureau to effectively set priorities and allocate resources. The watchdog responded that the documents State provided in response to GAO’s requests, including a set of briefing slides and an action memo to the Secretary, did not sufficiently demonstrate that it used data and evidence in developing its proposal. In addition, GAO said State’s comment that it has not experienced coordination challenges in recent years is not sufficient evidence that the potential for such challenges does not exist. GAO concludes that without evidence to support the creation of the new bureau, State lacks needed assurance that the bureau will effectively set priorities and allocate appropriate resources to achieve its intended goals.