The following op-ed was co-authored by Daniel Oglesby, a research associate with the R Street Institute.

Despite work by Congress to pass more than 50 laws to address cybersecurity, the federal government’s track record in securing its own information-technology systems is far from sterling. This could be seen most obviously in the hack of the Office of Personnel Management that compromised 21.5 million government records and in the 2015 hack of the Internal Revenue Service, which exposed the information of at least 724,000 taxpayers to bad actors.

In fact, there are a few dozen smaller cyber-attacks on the federal government each year, most of which go unnoticed by the public. These cases where the government failed to defend both itself and citizens who trusted their data would be secure continue to proliferate, even though the government spends roughly $75 billion on IT each year, much of it specifically dedicated to cybersecurity improvements. There’s little evidence the improvements are working. In 2015, many federal agencies lost points on the annual cybersecurity report card issued by the White House Office of Management and Budget, even though most were already failing.

As the Trump administration prepares to roll out a major cybersecurity executive order, we should consider whether further executive mandates will clarify and focus what long have been muddled agency responsibilities, or whether they will serve to confuse them further.

Indeed, our byzantine federal cybersecurity strategy is a direct result of dozens of legislative initiatives, agency rules and executive orders handed down since the mid-1980s, resulting in a set of overlapping rules that assign the same responsibilities to different agencies. At least 62 federal offices have missions related to cybersecurity, including the departments of Homeland Security, Commerce, Justice, Defense, Energy and the Treasury, not to mention the Office of the Director of National Intelligence and dozens of other offices and sub-departments.

To take one example, 10 separate offices are responsible for implementing parts of the Federal Information Security Modernization Act, passed in 2002 to require federal agencies to ensure the confidentiality, integrity and availability of system-related information. A decade after FISMA’s passage, an audit conducted from April 2012 to February 2013 by the Government Accountability Office found that only eight of 22 major agencies complied with the law’s risk requirements.

That’s just one instance in which the GAO has found federal cybersecurity strategy to be extemporaneous and unclear, contributing to inadequate agency compliance. A 2004 directive from then-President George W. Bush mandated that smart cards be used for personal identity verification to access federal facilities and systems government-wide. A decade later, the GAO reported only 41 percent of user accounts complied with the rule. At the Office of Personnel Management, it was just 1 percent of user accounts.

A 2015 GAO report found a majority of 24 federal agencies the office examined had persistent cybersecurity weaknesses, which ranged from broad access controls to poor contingency planning. In another report published earlier this month, the GAO found that agencies have ignored 1,000 out of 2,500 recommendations to improve the security of federal systems.

The overlapping missions and lack of clear division of responsibilities can lead to confusion and duplication of tasks, even among those agencies charged with providing guidance. In both 2011 and 2012, both the OMB and the Department of Homeland Security each published a set of cybersecurity guidelines with identical titles, but different requirements for how to handle suspicious activity. It turned out that, under a 2014 update of FISMA, both DHS and OMB believed they had authority to issue orders to other agencies.

Spending more taxpayer dollars and layering further rules on top of those that already exist won’t fix what’s wrong with cybersecurity policy. Until Congress and the White House find a way to clarify agency roles and priorities, without injecting regulatory uncertainty or creating redundancies, the federal government’s track record in securing both federal IT systems and Americans’ private data will remain dreadful.

Image by BeeBright

Featured Publications