From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Implementing a National Cybersecurity Strategy

Description: Increasingly-sophisticated cyberthreats have underscored the need to strengthen the federal government's role in protecting critical infrastructure. These threats pose serious challenges to our economy, as well as our national security and your personal privacy. So, what is the federal government doing to prepare and protect against these threats? We talk with GAO's Nick Marinos, an expert on cybersecurity and data protection, and a director in our Information Technology and Cybersecurity Team.

Related GAO Work: GAO-20-629, Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy

Released: September 2020

[Intro Music]

[Nick Marinos:] Cybersecurity and the risks from cyberthreats are really something that affects the entire nation.

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office--I'm Holly Hobbs. Increasingly-sophisticated cyberthreats have underscored the need to strengthen the federal government's role in protecting critical infrastructure--which includes systems that house your cellphone data, credit scores, and our election infrastructure. These threats pose serious challenges to our economy, as well as our national security and your personal privacy. So, what is the federal government doing to prepare and protect against these threats? Today we talk with GAO's Nick Marinos, an expert on cybersecurity and data protection, and a director in our Information Technology and Cybersecurity Team. Thank you for joining us Nick.

[Nick Marinos:] Thanks a lot Holly.

[Holly Hobbs:] So Nick, we've got an election coming up in November. And the security of that election from cyberthreats is on a lot of our minds. What can you tell us about the election and cyberthreats?

[Nick Marinos:] Well let me start by saying that the threats are definitely real. So, we should be concerned and we should be focusing and constantly vigilant. And that means the entire nation itself. The national election is really administered at the local level. We're talking about over 10 thousand local municipalities that have responsibilities, states, you've got federal agencies involved. And so it really shows an example of how cybersecurity and the risks from cyberthreats are something that affects the entire nation. And actually, this is why GAO--since 1997--has designated cybersecurity as a high risk area for the nation.

[Holly Hobbs:] And your report looks at the National Cyber Strategy, a policy that was issued by the White House 2 years ago. Can you tell us a little about that strategy?

[Nick Marinos:] So the strategy came out in September of 2018, and at that time the strategy outlined the priorities of the executive branch. It talked about many of the things that actually we covered within the high risk area. We've talked about the challenges related to protecting federal government systems, how the federal government operates and coordinates with the private sector on critical infrastructure issues of which elections are one of them. But we're also thinking of things like the electricity grid, the financial services sector, among the about 16 sectors that are identified as critical infrastructure. And so the strategy talked, at somewhat a high level, but across a lot of these topic areas about what the priorities were. What it didn't have at the time were a lot of the details that would help to know who's involved and what needs to be done to actually implement this strategy.

[Holly Hobbs:] So how far along is the federal government in implementing that strategy, and do we know if it's working?

[Nick Marinos:] Unfortunately, we don't know how far along we've come in implementing it.
But to credit the Executive Branch--in the summer of 2019, led by the National Security Council's staff, there was an implementation plan developed. And this plan had actually many of the things that one would expect to see, sort of desirable characteristics of a national strategy. And those included breaking down the priorities that were outlined in the strategy into about 200 activities. Each of those activities had federal agencies identified as the leads. There were other agencies identified as supporting. There were even tiers established that sort of talked to intent of how frequently or how involved the National Security Council and its staff would be in sort of ensuring these activities were completed. But in other ways, the plan wasn't complete. For example, you would need to know what your goals are, sort of how will you know whether an activity has been completed or not. And in some instances, we saw that that didn't exist for some of those activities. Likewise we'd also want to know: what are some of the resources needed to execute this plan. And that information was lacking as well. And probably most importantly, although there was a set of tiers set up that was sort of meant to show how involved the National Security Council staff were to be in following up on that, we didn't really see a process for doing so. Ultimately it was viewed to be the responsibility of the federal agencies to ensure that they were completing the activities in support of the plan. So, unfortunately that leaves us not quite knowing how far along we've come in implementing the strategy.

[Holly Hobbs:] So, we know a lot of people in the U.S. have been impacted by cyberattacks, and that these attacks will continue to be a threat. And it sounds like the federal government has a plan intended to make us safer, but doesn't know the extent to which that plan has been implemented.
Nick, what actions are needed to support the National Cyber Strategy and make sure it's being fully implemented by federal agencies?

[Nick Marinos:] So we think there are really two things that could help get us there. The first is, and we make a recommendation to the National Security Council, calling for them to fill in those gaps. Specifically, better outline goals and timelines, figure out what the resources are that are needed to complete the strategy's efforts, and then ultimately come up with a way to check up on agency progress. The second thing is that, you know, we and others have for the last 2 decades spoken to the urgency and necessity of clearly defining a central leadership role when you're talking about overcoming a national issue like cybersecurity. And so we've actually made a recommendation to Congress to consider passing legislation that will ultimately designate a leadership position within the White House that would have the appropriate authorities and reach across the federal government to coordinate this effort. And unfortunately, since the White House Cybersecurity Coordinator position was eliminated back in 2018, we really haven't had clarity as to who within the White House is responsible for coordinating the government's response to these issues. And so ultimately we're hoping that Congress can consider passing legislation that would carry that forward into the future, identifying someone that would ultimately be responsible for those efforts.

[Holly Hobbs:] And Nick, last question--what's the bottom line of this report?

[Nick Marinos:] The bottom line is that without a clear central leader to coordinate, the White House really won't be able to ensure that federal agencies are executing those activities that are necessary to support the effort and ultimately to overcome this urgent challenge.

[Holly Hobbs:] That was Nick Marinos talking about GAO's recent report on the national cyber strategy. Thank you for your time Nick!

[Nick Marinos:] Thanks very much, Holly.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. And make sure you leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at gao.gov.