The U.S. Now Has a National Cybersecurity Strategy, but Is It as Strong as It Could Be?

In February, Change Healthcare, the largest health care payment processer in the United States, was the victim of a ransomware attack that disrupted services across the country. The attack threatened health care workers’ paychecks, impacted the ability to fill prescriptions, and even disrupted patient care throughout the health care system. 

Attacks like this underscore the need for action to protect our nation’s critical services, such as health care, water, electric, and our financial institutions. Last year, the White House issued a National Cybersecurity Strategy that outlines steps the government is taking to address the longstanding cybersecurity challenges facing the country. We looked at the national strategy’s plans and found some key weaknesses that could diminish its effectiveness and cost taxpayers more money. 

Today’s WatchBlog post looks at our new report and what we found.

Image

Cybersecurity leaders have incomplete plans for measuring success and failures of cyber efforts

The White House National Cybersecurity Strategy and the plan to implement it outlined efforts to address cybersecurity challenges, like protecting the privacy of public data and defeating ransomware. The strategy is intended to better secure cyberspace and ensure the United States is in the strongest possible position to realize all the benefits and potential of a digital future. 

But the strategy doesn’t include outcome-oriented performance measures for various cybersecurity initiatives, such as information sharing or modernizing federal agency defenses. Therefore, federal cybersecurity leaders do not have a comprehensive way to assess or ensure that their efforts are accomplishing greater cybersecurity. 

We asked officials why plans do not include these important measures. They told us that it was not realistic to develop outcome-oriented measures at this point because of the inherent difficulty of measuring success in cybersecurity. But some of the key information needed to measure outcomes is already available. For example, the Department of the Treasury already collects information on the number and dollar value of ransomware-related incidents. In calendar year 2021, the reported total dollar value was about $886 million.

Knowing the size of a problem can help officials set goals to reduce it, know the effectiveness of actions, and direct resources where needed. But as discussed above and in the graphic below, the plan lacks this key element. 

Extent to Which the March 2023 National Cybersecurity Strategy and July 2023 Implementation Plan Addressed GAO's Desirable Characteristics of a National Strategy

Image

A cost estimate will cost taxpayers, but not having one may cost them even more 

There’s no price tag for how much it will cost to develop and implement a national cybersecurity strategy. Federal officials we interviewed said estimating this cost is unrealistic due to the current budget process where cost may be embedded in agencies’ baseline budgets. 

We agree that it may not be possible to estimate every initiative. But some initiatives under the plan could have significant costs and should be estimated to make sure funds are directed where needed and used effectively. For example, one initiative tasks the Department of Justice with enhancing its capabilities for responding to cyber campaigns against the United States. A cost estimate would help make sure that these efforts have enough funds, staff, and other resources to be effective.

Developing a national strategy is a critical step in addressing our nation’s cyber challenges. But to be effective, the strategy needs clear measures of success and an estimate of the costs to achieve them. As a result, we’ve made recommendations to address gaps in current implementation efforts. 

Learn more about our work on the National Cybersecurity Strategy by checking out our latest report or by visiting our key issues web page on cybersecurity.

• GAO’s fact-based, nonpartisan information helps Congress and federal agencies improve government. The WatchBlog lets us contextualize GAO’s work a little more for the public. Check out more of our posts at GAO.gov/blog.