Skip to main content

Cyber Diplomacy: State Should Use Data and Evidence to Justify Its Proposal for a New Bureau of Cyberspace Security and Emerging Technologies

GAO-21-266R Published: Jan 28, 2021. Publicly Released: Jan 28, 2021.
Jump To:

Fast Facts

The State Department notified Congress in 2019 of its plan to create a new bureau to focus on cybersecurity and the security aspects of emerging technologies. In January 2021, the Secretary approved the bureau's creation. The Chair and Ranking Member of a House committee asked us to review State's efforts to advance U.S. interests in cyberspace.

State provided briefing slides with options on where to place the bureau and a memo on its final decision. But the documents did not show that State used evidence to justify its proposal or explain how it would address any challenges.

We recommended that State use evidence to justify its proposal.

Department of State sign outside of its headquarters

Skip to Highlights

Highlights

What GAO Found

The Department of State (State) did not demonstrate that it used data and evidence to develop its proposal for establishing a new Bureau of Cyberspace Security and Emerging Technologies (CSET). In response to GAO requests for such data and evidence, State provided GAO with briefing slides outlining different options for the new bureau and an action memo, approved by the Secretary of State. The memo recommended that CSET focus on cyberspace security and the security aspects of emerging technologies and report to the Under Secretary for Arms Control and International Security, while the Bureau of Economic and Business Affairs (EB) would continue to have responsibility for digital economy issues.

However, State did not explain how it would address any challenges associated with the decision on CSET's organizational placement. For example, the memo did not address how State would coordinate internally on the cybersecurity aspects of digital economy policy issues with cyber diplomacy functions split between CSET and EB. The memo also did not specify how State would develop consolidated positions and set priorities for State's international cyberspace efforts, given the separation of these issues. Moreover, neither the briefing nor the action memo contained analyses supporting the additional details laid out in State's 2019 notification to Congress on CSET, including support for proposed resource allocations for the new bureau. Without developing data and evidence to support its proposal for the new bureau, State lacks assurance that its proposal will effectively set priorities and allocate appropriate resources for the bureau to achieve its intended goals. State needs to develop these areas further to better ensure the success of any new organizational arrangement.

Why GAO Did This Study

The United States and its allies are facing expanding foreign cyber threats as international trade, communication, and critical infrastructure become increasingly dependent on cyberspace. State leads U.S. government international efforts to advance the full range of U.S. interests in cyberspace. The Cyber Diplomacy Act of 2019 (H.R. 739, 116th Cong.), co-sponsored by 29 members of Congress, proposed the establishment of a new office within State that would have consolidated responsibility for digital economy and internet freedom issues, together with international cybersecurity issues. While the House Foreign Affairs Committee reported out this bill in March 2019, the full House of Representatives did not consider the bill prior to expiration of the 116th Congress. State subsequently notified Congress in June 2019 of its plan to establish CSET, with a narrower focus on cyberspace security and emerging technologies. On January 7, 2021, State announced that the Secretary had approved the creation of CSET and directed the department to move forward with establishing the bureau. However, as of the date of this report, State had not created CSET.

GAO was asked to review State's efforts to advance U.S. interests in cyberspace. This report examines the extent to which State used data and evidence to develop and justify its proposal to establish CSET. GAO reviewed available documentation and interviewed State officials. To determine the extent to which State used data and evidence to develop and justify its proposal to establish CSET, GAO assessed State's documentation against a relevant key practice for agency reforms compiled in GAO's June 2018 report on government reorganization.

Recommendations

The Secretary of State should ensure that State uses data and evidence to justify its current proposal, or any new proposal, to establish the Bureau of Cyberspace Security and Emerging Technologies to enable the bureau to effectively set priorities and allocate resources to achieve its goals. While State disagreed with GAO's characterization of its use of data and evidence to develop its proposal for CSET, it agreed that reviewing such information to evaluate program effectiveness can be useful. State commented that it has provided GAO with appropriate material on its decision to establish CSET and has not experienced challenges in coordinating cyberspace security policy across the department while the CSET proposal has been in discussion. State concluded that this provides assurance that CSET will allow the new bureau to effectively set priorities and allocate resources. The documents State provided in response to GAO's requests, including a set of briefing slides and an action memo to the Secretary, did not sufficiently demonstrate that it used data and evidence in developing its proposal. In addition, State's comment that it has not experienced coordination challenges in recent years is not sufficient evidence that the potential for such challenges does not exist. Without evidence to support the creation of the new bureau, State lacks needed assurance that the bureau will effectively set priorities and allocate appropriate resources to achieve its intended goals.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of State The Secretary of State should ensure that State uses data and evidence to justify its current proposal, or any new proposal, to establish the Bureau of Cyberspace Security and Emerging Technologies to enable the bureau to effectively set priorities and allocate resources to achieve its goals.
Closed – Implemented
State did not initially concur with the recommendation, but subsequently took steps that fulfilled our recommendation. In January 2021, GAO reported that State had not demonstrated that it used data and evidence to develop its proposal for establishing a new cyber bureau. At that time, the bureau was to be called the Bureau of Cyberspace Security and Emerging Technologies. Our prior work has shown that federal decision makers need evidence about whether federal programs and activities achieve intended results as they set priorities and consider how to make progress toward objectives. Further, agencies are better able to address management and performance challenges when managers effectively use data and evidence to achieve program goals, such as State's plan for establishing a cyber bureau. GAO recommended that State use data and evidence to justify its current proposal, or any new proposal, to establish the Bureau of Cyberspace Security and Emerging Technologies to enable the bureau to effectively set priorities and allocate resources to achieve its goals. State reviewed best practices from past organizational reviews within the Department and also reviewed GAO reports to better inform organizational structures for considerations. Because of GAO's recommendation and GAO's previous reports, State took action conducting internal assessments and evidence based reviews to identify known gaps in expertise and desired end states for leadership. After months of reviews, State developed a proposal to establish the Bureau of Cyberspace and Digital Policy (CDP) which was formally stood up in April 2022. Implementing data and evidence based reviews helped to ensure that State's final proposal will achieve its intended results.

Full Report

GAO Contacts

Topics

CommunicationCritical infrastructureCybersecurityCyberspaceCyberspace threatsData collectionDiplomacyEmerging technologiesInternational securityInternational tradeInternetManagement challengesNational security