New State Dept. bureau will handle international cybersecurity issues

The State Department has been working to establish a new cybersecurity bureau to work with other agencies. Only it hasn't exactly told them what it's up to and ...

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The State Department since last year has been working to establish a new bureau. One focused on international cybersecurity issues. Its plan includes working with several other agencies. Only it hasn’t exactly told them what it’s up to and that could lead to all sorts of problems. With more, the director of international affairs and trade issues at the Government Accountability Office, Brian Mazanec, joined Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Let’s begin at the beginning. What is the purpose of this agency in the first place?

Brian Mazanec: The new bureau that State has proposed creating, which is officially named the Bureau of Cyberspace Security and Emerging Technologies or CSET. It would focus on cyberspace security and security aspects of other emerging technologies — really consolidating many but not all of those cyber policy issues that are currently diffuse within the State Department. So it will consolidate those functions. And one of the key rationales that the State Department has for creating this new Bureau is to improve that coordination, both internally and externally with other agencies working on cyber related national security issues, because as I’m sure your listeners are aware, there is an expanding array of foreign cyber threats and challenges out there and the State Department plays a leading role in addressing them.

Tom Temin: Sure. And is this something that was statutory? Or is this the brainchild of Secretary Pompeo?

Brian Mazanec: So this proposal is not statutory. This is something that department developed on its own. And of course, with the Secretary’s approval. In June 2019, they notified Congress of their intent to establish the bureau. There is a piece of legislation that has not been passed, the Cyber Diplomacy Act of 2019 that has similar aims that would establish a new office for dealing with these issues. But there are some key differences. And in fact, right now, members of Congress have raised objections to State’s plan, which has not been implemented as of August of this year because of some of those differences. So there is a sort of a competing proposal that the Hill has considered but has not ultimately passed yet.

Tom Temin: Alright, and the issue that the GAO looked at though in the planning of this new CSET Bureau was the interaction that state would have with other agencies outside of State and there were six of them. So which six would be involved and what does it look like from their point of view?

Brian Mazanec: Great question. The six agencies that we focused on were the Department of Commerce, Defense, Energy, Homeland Security, Justice, and the Treasury Department. We selected them in part because of the key role they play partnering with State in addressing some of these issues. And in fact, they all work together within the National Security Council in a new cyber response group that was established by a presidential directive in July of 2016. So these are some of the key players and that’s why we selected them. There are certainly other federal entities that also would coordinate with this new Bureau and work with State on cyber issues. But these were the big players. And we did meet with all of them and talk about them, their role in State’s plans here. And what we found was that State did not involve any of these key partners in the development of its plans. And in fact, they told us that they were not even aware in some instances that there was a plan to create this new bureau. So that’s where we came up with our recommendation, in part based on our prior work on government reorganization that emphasizes the importance of including key agency stakeholders, as well as effective state’s own rationale for creating the new Bureau was to improve this internal and external coordination. So we ultimately, because of that recommended that State involve key federal agencies, the six we looked at, and perhaps others to obtain their views, identify any risks, suggestions for how to best set up this new bureau before they move forward.

Tom Temin: Just to play devil’s advocate since State Department people were already cooperating with their counterparts from whatever perch they were sitting at. If the State Department people move to a new bureau, would it functionally make that much difference to the external people, all they could say is, hey it’s still me at State, but now I’m at this new bureau instead of where I was before?

Brian Mazanec: That’s a fair point. Ultimately, it’s unclear until it unless they engage with the agencies externally to really work through that, whether or not and how it would make a difference in how they interact. And that was, again, why we felt it was important that they do so. And State’s response, which unfortunately, they did not agree with our recommendation we did not find particularly compelling because they didn’t raise that issue that you just mentioned. But there objections to our recommendation was that other agencies were not really stakeholders in an internal reform, which we disagree with, and also that they were unaware that these agencies that actually consulted with them when they had done similar reorganizations, which we did, again, not find particularly compelling. We didn’t really look at whether or not these other agencies have done this when they reorganized, but we believe states should have done so.

Tom Temin: And we’ve sort of backed into it, but what is the major recommendation?

Brian Mazanec: Yeah, so we recommended that State involve federal agencies that contribute to cyber diplomacy to obtain their views and identify risks such as potential fragmentation, overlap duplication of effort, as State implements its plans for the new Bureau.

Tom Temin: Looking at the bigger picture and reading some of the latest cybersecurity hacks of school districts, and some of them have paid Bitcoin ransom some have not. We’ve heard of other radio stations that tried to reconstruct their operations using staff members own computers, not us, by the way. But when you have commerce, defense, energy, DHS, Department of Justice, and Treasury all involved in essentially the same mission — you wonder how the United States can get its shoes on before, to misquote Mark Twain, the cyber security criminals have been around the world 10 times.

Brian Mazanec: Right. No, and that’s one of the reasons why again, State is undertaking this proposed reorganization is to improve the effectiveness of their coordination with other agencies, which again, it’s ironic that they didn’t coordinate with set agencies and establishing their plan for the bureau. But it’s definitely very important. These are complex, interagency challenges involving issues such as supply chain security, fifth generation, wireless technology, TikTok, etc — issues that you see in the news every day. And all of these agencies play some role in addressing these challenges. And it’s important that they have the most efficient and effective way to coordinate going forward.

Tom Temin: Does it seem a little curious that state would reject that recommendation? It’s not as if you’re asking them to have the other agencies dictate how they reorganize. But I would think that just having some input on the best ways to have the external stakeholders notified or involve would be something State would welcome.

Brian Mazanec: That’s our view as well. And we were disappointed they didn’t concur with our recommendation. But we’ve obviously moved forward and making it and we still think it makes sense, given the key role of these stakeholders play and the fact that they work closely with State on a range of cyber diplomacy efforts. Really, without doing this step and sort of embracing this key practice of any government reorganization and involving stakeholders, they lack really the assurances, they being State, that they’re going to most effectively achieve their goals for this new bureau.

Tom Temin: Now, if that Cyber Diplomacy Act passes, what would that impose on State Department?

Brian Mazanec: So again, I think the aims are somewhat similar to what State is trying to achieve with its own reorganization here. But the key difference would be the bureau that would be established by the Cyber Diplomacy Act would fully consolidate all the function, the related functions within State. The proposal that’s for CSET, that state has put forward leaves some cyber related issues in existing bureaus. For example, the Bureau of Economic and Business Affairs would continue to have responsibility for promoting international engagement on issues like internet governance, digital trade. The State Department’s confident that they can still coordinate effectively with these other bureaus with the CSET that they’re proposing, we didn’t as part of this review, really look at that question of which of the two models is the right one. But our focus was more on the importance of this review of engaging with their key partners externally and getting their views on whatever approach ultimately they take. I should mention too, we have ongoing work on this topic that’s focused more internally on State’s overall planning process for establishing the new bureau that will hopefully come out in either later this year or early 2021. And we’ll offer it as part of that work — some additional views on States plans, objectives, timeframes for establishing the new bureau and whether or not they addressed other key practices for effective agency reorganization.

Tom Temin: We’ll have you back when that comes out. Brian Mazanec is director of International Affairs and Trade Issues at the Government Accountability Office. Thanks so much.

Brian Mazanec: Thanks, Tom.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Getty Images/iStockphoto/nantonov

    CISA’s still overcoming challenges 5 years after Cybersecurity Information Sharing Act became law

    Read more
    Amelia Brust/Federal News NetworkCDM

    DoD’s interim rule adds a new twist to implementing cyber maturity model

    Read more