A new Government Accountability Office report emphasizes a need for well-defined cyber leadership and identifies areas where the Administration has not yet implemented its own National Cyber Strategy from 2018. Ari Schwartz, Managing Director for Cybersecurity Services at Venable, said he hopes the new report will encourage coordination on cybersecurity efforts across the government.
“We’ve been hearing from a lot of people that more leadership is necessary, but now hearing GAO say that it’s an urgent issue, I think it’s really, hopefully, going to change a lot of people’s opinions and move this to the top of the list of things that need to get done,” he said.
Others have pushed for coordination of the 23 federal entities that currently work to develop and implement cyber policies. Members of the Cyberspace Solarium Commission have added amendments to the National Defense Authorization Act that could create a new National Cyber Director role in the White House. Schwartz says this new office could function like the U.S. Trade Representative.
“You’d have all of those 20+ agencies that do cybersecurity reporting in to the cyber directorate and have detailees from those different agencies that can then be part of the staff of the director,” Schwartz said.
The GAO report recommends the creation of a role that would have the authority to “implement and encourage action in support of the nation’s cyber critical infrastructure including the implementation of the National Cyber Strategy.” The report also calls for updates to the cyber strategy itself, and recommends adding goals, performance measures and resource information.
“I think they’re saying for the first time that the Administration is not making progress on its own cybersecurity plan,” Schwartz said.
He said the lack of metrics also hurts accountability. Until legislation is passed to create a new role or office, Schwartz said the Administration can focus on ironing out metrics and setting deadlines.
“I do think what the White House can do now is bring together all of the different agencies and come up with the plan and really start to hit deadlines,” he said. “Cybersecurity remains an existential threat to the U.S. and not being able to address it is a major concern.”