The Department of State had notified Congress in 2019 of its plans to create a bureau within the department to focus on cybersecurity, but a lack of data and evidence to justify the proposal may halt its progress.
In January of this year, former Secretary of State Mike Pompeo approved the creation of the Bureau of Cyberspace Security and Emerging Technologies (CSET), while the House chamber requested that the Government Accountability Office (GAO) review these efforts in establishing a cybersecurity bureau. Sens. Angus King, I-Maine and Ben Sasse, R-Neb.; and Reps. Mike Gallagher, R-Wis., and Jim Langevin, D-R.I., criticized State’s move to establish the bureau in the final days of the Trump Administration.
In its review, GAO found that State’s proposal was not able to demonstrate a use of data and evidence in its development. State did provide information on procedural actions, such as the CSET reporting to the Under Secretary for Arms Control and International Security, but it did not “address any challenges associated with the decision on CSET’s organizational placement.”
A memo provided to GAO by State “did not address how State would coordinate internally on the cybersecurity aspects of digital economy policy issues with cyber diplomacy functions split between CSET and EB (Bureau of Economic and Business Affairs).” Further, it didn’t specify how State would develop consolidated positions and set priorities for its international cyberspace efforts.
GAO recommended that State use data and evidence to justify its proposal, or any new proposal, to establish CSET “to enable the bureau to effectively set priorities and allocate resources to achieve its goals.”
State disagreed with GAO’s characterization of its use of data and evidence to develop its CSET proposal but did agree that reviewing that information to evaluate program effectiveness can be useful.