GAO Says the National Cyber Strategy Needs Central Leadership and More Structure
Published: October 08, 2020
A Government Accountability Office audit concludes the National Cyber Strategy needs a designated central leader and better-defined agency performance measures.
Some members of Congress requested that the Government Accountability Office (GAO) assess the roles and responsibilities of federal entities tasked with supporting national cybersecurity and determine the extent to which the executive branch has developed a national strategy and a plan to manage its implementation. As part of the assessment, GAO reviewed the White House’s September 2018 National Cyber Strategy and the June 2019 Implementation Plan from the National Security Council (NSC). Twenty-three federal entities have roles and responsibilities for developing cybersecurity policies, monitoring critical infrastructure protection efforts, sharing information to enhance cybersecurity across the nation, responding to cyber incidents, investigating cyberattacks, and conducting cybersecurity-related research.
GAO analyzed 13 federal agencies that perform specialized or support functions for critical infrastructure security and resilience and 10 additional entities based on its prior reviews of national cybersecurity and related executive policy and national strategy. GAO also analyzed the National Cyber Strategy and Implementation Plan to determine if they aligned with the desirable characteristics of a national strategy.
Current Cybersecurity Strategy Implementation is a Mixed Bag
GAO found that the current strategy and implementation plan addressed the areas of purpose, scope, and methodology; organizational roles, responsibilities, and coordination; and integration and implementation. However, GAO also concluded that work is still needed to more fully address the areas of problem definition and risk assessment; goals, objectives and performance measures; and resources, investments, and risk management.
Of particular concern to GAO was the less structured and less defined approach that the NSC in the Trump Administration takes to managing the national cyber strategy, including how it monitors agency progress in achieving priorities or executing their activities.
The Implementation Plan delineates 191 activities that federal entities are to undertake to achieve the priorities outlined in the National Cyber Strategy. Of these, the plan did not define goals and timelines for 46 activities or identify the resources needed to execute 160 activities. GAO recommended that the National Security Council work with the relevant federal entities to update cybersecurity strategy documents “to include goals, performance measures, and resource information, among other things.”
Regarding the current level of structure and the defined approaches the NSC uses to lead and monitor federal agencies, GAO expressed concern that ambiguity over who at the NSC is ultimately responsible for both coordinating government-wide activities and holding agencies accountable for results will lead to a failed strategy. These responsibilities were previously assigned to the White House Cybersecurity Coordinator, a position created in the Obama White House that the Trump Administration has chosen to forgo, distributing the responsibilities among senior NSC staff. Looking for clear central leadership, GAO recommends that Congress adopt legislation “to designate a leadership position in the White House with the commensurate authority to implement and encourage action in support of the nation’s cybersecurity.” Of course, this fits with one of the many legislative proposals that the Cybersecurity Solarium Commission in Congress has presented: to establish a Senate-confirmed National Cyber Director (NCD) within the Executive Office of the President. In fact, Rep. James Langevin, one of the commission’s co-chairs, introduced a bill in June to create the position.
Regardless of whether Congress creates an NCD or the White House re-establishes a more formal leadership position, the GAO review signals that there is still progress to be made in maturing federal cybersecurity policy and implementation.