State Department can't justify opening cyber office, GAO finds

A government watchdog says the State Department set up its new bureau focused on cyberspace and emerging technology without sufficiently justifying its decisions with data or evidence.

"State, however, has not demonstrated that it used data and evidence to support its proposal, particularly for the bureau's focus and organizational placement," according to a new Government Accountability Office report published Jan. 28.

"Without developing evidence to support its proposal for the new bureau, State lacks needed assurance that the proposal will effectively set priorities and allocate appropriate resources for the bureau to achieve its intended goals," the report continues.

The report, requested by the chairman and ranking member of the House Foreign Affairs Committee, is part of a back-and-forth struggle between Congress and State over the establishment of the Bureau of Cyberspace Security and Emerging Technologies.

Lawmakers in January 2019 introduced legislation that would have established an office to lead international cyberspace efforts. That office, as proposed, would "lead diplomatic efforts on issues relating to international cybersecurity, Internet access and freedom, and international cyber threats," according to a summary of the legislation

Former Secretary of State Mike Pompeo attempted to stand up the new CSET office last year but was met with resistance from lawmakers who said the office, as State had proposed, would have been too narrow in focus and would not meet the intent of the proposed legislation.

In the last days of the Trump administration, Pompeo announced he had approved the new office's establishment and directed staff to move forward.

Auditors describe a variety of briefing slides and memos the State Department provided them in response to questions about how it justified the new office's work and organizational placement. GAO wrote those documents failed to address numerous issues on how the office would function, including coordination among existing offices.

"The memo did not address how State would coordinate internally on cyber security aspects of digital economy issues, with cyber diplomacy functions split between CSET" and the Bureau of Economic and Business Affairs, according to the report. "The memo also did not specify how State would address the challenge of developing consolidated positions and setting priorities for State's international cyberspace efforts, given the separation of these issues under two different undersecretaries," GAO wrote.

Responding for the State Department, Jeffrey Mounts, the agency's comptroller, said the GAO report did not consider any of the alternative options the agency had presented to auditors. "The draft report does not examine these options in detail but rather focuses on the option choice chosen to create CSET," he wrote.

He also said the department's office of the cyber coordinator since 2011 has informally reported to the undersecretary for arms control and international security and did not experience the challenges GAO described from reporting to two different senior officials.

"While the department disagrees with the GAO characterization of this issue, it does agree that reviewing relevant data and evidence, when available, to evaluate how effectively programs perform can be useful," Mounts said.

This article first appeared on FCW, a Defense Systems partner site.