In September 2018, the White House announced a new federal cybersecurity strategy to make critical infrastructure more resilient to hacking, shore up supply chains and “identify, counter, disrupt, degrade and deter behavior in cyberspace.”
The ambitious document, which the White House described as the United States’ “first fully articulated cyber strategy” in 15 years, aimed to reduce the occurrence of damaging cyberattacks on U.S. interests.
Two years later, a review of the strategy by the Government Accountability Office, a nonpartisan congressional agency, has found key gaps in the way the White House is trying to execute that plan. In the face of persistent cyber-threats from foreign powers, the Trump administration’s effort to mobilize resources to fix important U.S. security weaknesses risks coming up short without a better plan to execute the strategy, GAO said in a report published Tuesday.
The National Security Council’s implementation plan for the strategy does not include goals and timelines for dozens of activities that are deemed priorities for various agencies, from incident response to training exercises, according to GAO. Further, while the strategy and implementation plan “address some of the characteristics of an effective national strategy,” GAO said, the plan fails to identify resources needed to carry out 160 of those activities.
GAO said NSC staff “neither agreed nor disagreed” with the watchdog’s recommendation that officials update strategy documents to measure performance and track progress.
In response to a request for comment on the report, NSC spokesman John Ullyot said, “The cybersecurity environment dynamically evolves day-to-day and week-to-week, and the current structure and process over the implementation of policy ensures that the United States continues to operate in a relevant fashion.”
The report comes as the U.S. government continues to try to fend off hacking threats from China, Iran, North Korea and Russia. Multiple government agencies, from the Department of Homeland Security’s cybersecurity agency to the FBI, have been more aggressive in publicly exposing hacking tools allegedly used by foreign spies. But critics have argued there needs to be more leadership and coordination on cybersecurity policy from the White House.
GAO investigators agreed. The agency backed the creation of a new senior position at the White House to oversee cybersecurity policy — a move that has had bipartisan support on Capitol Hill. Former national security adviser John Bolton eliminated the White House cybersecurity coordinator in 2018, describing it as redundant and already addressed by other roles at the NSC.
But the lack of a coordinator comes at a cost, according to GAO.
“It is still unclear which executive branch official is ultimately responsible for not only coordinating implementation of the strategy, but also holding federal agencies accountable once activities are implemented,” the GAO report states.
Ullyot, the NSC spokesman, said that responsibility is carried out by an NSC senior director for cybersecurity.
“While all executive power is vested in the president, the transfer of the responsibilities of the White House cybersecurity coordinator position to the senior director for cybersecurity eliminated layers of bureaucratic inefficiency that had needlessly slowed the coordination of policies and decisions in the executive branch,” Ullyot said.
A bipartisan quartet of lawmakers seized on the GAO report to advocate passing legislation establishing a senior cybersecurity post in the White House.
GAO sizes up another key cyber initiative
In a separate report published Tuesday, GAO faulted the State Department for not coordinating with other agencies in setting up a new cyber-diplomacy bureau — another important cybersecurity initiative from the Trump administration.
State Department officials last year sent Congress a plan for establishing the Bureau of Cyberspace Security and Emerging Technologies after Rex Tillerson, Trump’s first secretary of state, had disbanded State’s cybersecurity coordinator position, effectively downgrading the coordinator’s office.
The new bureau is an effort to reemphasize U.S. cyber diplomacy, including work on hashing out norms for responsible state behavior in cyberspace. But multiple agencies that work with the State Department on cybersecurity issues — including the departments of Homeland Security, Justice and Treasury — weren’t consulted in setting up the new bureau, GAO said.
State Department officials responded to GAO’s criticism by saying the reorganization was an internal matter and needn’t involve other agencies, according to the report.
Politico was first to report on GAO’s report on the State Department.