State Should Use Data and Evidence to Justify Its Proposal for a New Bureau of Cyberspace Security and Emerging Technologies
GAO-21-266R: Published: Jan 28, 2021. Publicly Released: Jan 28, 2021.
The State Department notified Congress in 2019 of its plan to create a new bureau to focus on cybersecurity and the security aspects of emerging technologies. In January 2021, the Secretary approved the bureau's creation. The Chair and Ranking Member of a House committee asked us to review State's efforts to advance U.S. interests in cyberspace.
State provided briefing slides with options on where to place the bureau and a memo on its final decision. But the documents did not show that State used evidence to justify its proposal or explain how it would address any challenges.
We recommended that State use evidence to justify its proposal.
What GAO Found
The Department of State (State) did not demonstrate that it used data and evidence to develop its proposal for establishing a new Bureau of Cyberspace Security and Emerging Technologies (CSET). In response to GAO requests for such data and evidence, State provided GAO with briefing slides outlining different options for the new bureau and an action memo, approved by the Secretary of State. The memo recommended that CSET focus on cyberspace security and the security aspects of emerging technologies and report to the Under Secretary for Arms Control and International Security, while the Bureau of Economic and Business Affairs (EB) would continue to have responsibility for digital economy issues.
However, State did not explain how it would address any challenges associated with the decision on CSET's organizational placement. For example, the memo did not address how State would coordinate internally on the cybersecurity aspects of digital economy policy issues with cyber diplomacy functions split between CSET and EB. The memo also did not specify how State would develop consolidated positions and set priorities for State's international cyberspace efforts, given the separation of these issues. Moreover, neither the briefing nor the action memo contained analyses supporting the additional details laid out in State's 2019 notification to Congress on CSET, including support for proposed resource allocations for the new bureau. Without developing data and evidence to support its proposal for the new bureau, State lacks assurance that its proposal will effectively set priorities and allocate appropriate resources for the bureau to achieve its intended goals. State needs to develop these areas further to better ensure the success of any new organizational arrangement.
Why GAO Did This Study
The United States and its allies are facing expanding foreign cyber threats as international trade, communication, and critical infrastructure become increasingly dependent on cyberspace. State leads U.S. government international efforts to advance the full range of U.S. interests in cyberspace. The Cyber Diplomacy Act of 2019 (H.R. 739, 116th Cong.), co-sponsored by 29 members of Congress, proposed the establishment of a new office within State that would have consolidated responsibility for digital economy and internet freedom issues, together with international cybersecurity issues. While the House Foreign Affairs Committee reported out this bill in March 2019, the full House of Representatives did not consider the bill prior to expiration of the 116th Congress. State subsequently notified Congress in June 2019 of its plan to establish CSET, with a narrower focus on cyberspace security and emerging technologies. On January 7, 2021, State announced that the Secretary had approved the creation of CSET and directed the department to move forward with establishing the bureau. However, as of the date of this report, State had not created CSET.
GAO was asked to review State's efforts to advance U.S. interests in cyberspace. This report examines the extent to which State used data and evidence to develop and justify its proposal to establish CSET. GAO reviewed available documentation and interviewed State officials. To determine the extent to which State used data and evidence to develop and justify its proposal to establish CSET, GAO assessed State's documentation against a relevant key practice for agency reforms compiled in GAO's June 2018 report on government reorganization.
What GAO Recommends
The Secretary of State should ensure that State uses data and evidence to justify its current proposal, or any new proposal, to establish the Bureau of Cyberspace Security and Emerging Technologies to enable the bureau to effectively set priorities and allocate resources to achieve its goals. While State disagreed with GAO's characterization of its use of data and evidence to develop its proposal for CSET, it agreed that reviewing such information to evaluate program effectiveness can be useful. State commented that it has provided GAO with appropriate material on its decision to establish CSET and has not experienced challenges in coordinating cyberspace security policy across the department while the CSET proposal has been in discussion. State concluded that this provides assurance that CSET will allow the new bureau to effectively set priorities and allocate resources. The documents State provided in response to GAO's requests, including a set of briefing slides and an action memo to the Secretary, did not sufficiently demonstrate that it used data and evidence in developing its proposal. In addition, State's comment that it has not experienced coordination challenges in recent years is not sufficient evidence that the potential for such challenges does not exist. Without evidence to support the creation of the new bureau, State lacks needed assurance that the bureau will effectively set priorities and allocate appropriate resources to achieve its intended goals.
Recommendation for Executive Action
Comments: In comments on a draft of this report, the Department of State disagreed with our characterization of its use of data and evidence to develop its proposal for CSET but agreed that reviewing such information to evaluate program effectiveness can be useful. We will continue to monitor State's actions to address our recommendation and will provide updated information as it becomes available.
Recommendation: The Secretary of State should ensure that State uses data and evidence to justify its current proposal, or any new proposal, to establish the Bureau of Cyberspace Security and Emerging Technologies to enable the bureau to effectively set priorities and allocate resources to achieve its goals.
Agency Affected: Department of State