U.S. shuts down its cyber policy office

May 16, 2018

Faced with “the most significant foreign intelligence threat it has ever encountered,” the Defense Security Service (DSS) within the U.S. Department of Defense (DOD) must up its game as it tries to manage classified information accessible to more than 12,000 contractors.

That description of the threat is courtesy of the Government Accountability Office (GAO), headquartered in Quantico, Virginia, which also pointed out in a report that the DOD faces “new challenges as adversaries try to steal national security information and technology at unprecedented rates.”

The report’s May 15 publication coincided with confirmation that President Donald Trump’s administration had eliminated the White House’ senior cyber policy office, which had been set up by the former administration in a bid to harmonize the government’s approach to cybersecurity policy and digital warfare.

John Bolton, Trump’s new National Security Advisor, reportedly had been pushing for the position to be eliminated despite widespread criticism that it would be a retrograde step for cybersecurity policy. A former career diplomat, Bolton had taken up his new role only five weeks earlier.

“The role of cyber coordinator will end,” Bolton aide Christine Samuelian confirmed in an email to National Security Council staff. Noting that the council’s cybersecurity team has two senior directors, she stated that “cyber coordination is already a core capability.”

Not so, evidently, at the DSS, which has been working on improving its oversight responsibilities for more than a year, including meetings with industry as well as representatives of 32 federal department and agencies to which it provides industrial security services.

The GAO said the process is hampered by staffing shortages and an inability to keep current with emerging and shifting threats. In its most recent report to Congress, the DSS admitted that it had been unable to conduct security reviews at about 60 percent of cleared facilities in 2016. That prompted plans for a new monitoring approach but the GAO said the DSS still had not addressed immediate challenges.

“It is unclear how DSS will determine what resources it needs as it has not identified roles and responsibilities,” it said. “Moreover, DSS has not established how it will collaborate with stakeholders—government contracting activities, the government intelligence community, other government agencies, and contractors. . . . Until DSS identifies roles and responsibilities and determines how it will collaborate with stakeholders . . . it will be difficult to assess whether the new approach is effective in protecting classified information.”

In a covering letter to members of the House of Representatives who had requested the audit, the GAO’s director of contracting and national security acquisition, Marie Mak, stressed the importance of protecting classified information. It was “essential” for the government “to maintain its technological advantage over potential adversaries.”

She said that “high profile” leaks of classified information by contractors in recent years had heightened concern about adversaries’ ability to access classified information and evade detection. Contractors with overseas links were a concern, particularly if a foreign interest owned, controlled or could influence a contractor doing business with the U.S.

“Facilities can . . . include manufacturing plants, laboratories, and universities,” the GAO said. “They can also include contractor personnel who travel to U.S. government sites to access classified information but do not store any classified information at their facility. . . .

“A factory may produce parts for a major weapons system using a production process that is classified, or a contractor may have employees who deliver their technical expertise in a classified environment at a military installation.”