TR Daily GAO Finds Gaps in Administration’s 5G Security Strategy
Wednesday, October 7, 2020

The Government Accountability Office today identified significant gaps in the Trump administration’s strategy for the secure deployment of 5G networks in the U.S. and said those deficiencies could undermine the successful implementation of the strategy.

GAO measured the administration’s National Strategy to Secure 5G of the United States of America against an existing metric used by GAO to evaluate similar national strategies. To be successful, national strategies should include "six desirable characteristics," but the administration’s 5G strategy includes parts of only five of those characteristics, GAO said.

It falls short of the "purpose, scope, and methodology" characteristic because it doesn’t "address its methodology, including which principles or theories were used to guide its development, what organizations or offices drafted the document, or which parties were consulted in its development," GAO said.

"A national strategy without a complete description of its purpose, scope, and methodology is less useful to the entities it is intended to guide and to oversight organizations such as Congress," it said.

For the "problem definition and risk assessment" characteristic, the strategy fails to offer a complete description of all of the risks associated with 5G deployment, GAO said. "The strategy narrowly focuses on cybersecurity and supply chain risks to 5G infrastructure and does not include the full breadth of 5G risks," it said. "National strategies that do not have an analysis of threats and vulnerabilities as part of a broader risk assessment cannot adequately inform management decisions about resource allocations required to minimize risks and maximize returns on resources expended."

The strategy also only partially meets the GAO’s standards for a third desirable characteristic that GAO calls "goals, subordinate objectives, activities, and performance measures" because it "does not identify or discuss the importance of establishing priorities, milestones, performance measures with measurable targets, or a process for monitoring and reporting on progress."

"If the strategy does not identify clear desired results and priorities, specific milestones, and outcome-related performance measures, entities may not understand what they should try to achieve or what steps are required to achieve the desired results," GAO said.

The strategy partially addresses the "organizational roles, responsibilities, and coordination" and "integration and implementation" characteristics but fails to include any guidance on the "results, investments, and risk management" characteristic, GAO said. "Specifically, the strategy does not explicitly discuss what it will cost and does not include any cost estimates either for achieving individual goals or for implementing the strategy as a whole."

"Additionally, the strategy does not include information on the sources and types of resources required, such as federal, state, local, or private resources. This is of particular concern because 5G deployment will occur across all levels of the government and the private sector, and addressing 5G risks and challenges will be a shared fiscal responsibility," GAO said.

"Without a strategy that provides guidance on resource, investment, and risk management, implementing entities will not be able to allocate resources and investments according to priorities and constraints, track costs and performance, and shift such investments and resources as appropriate," it added.

GAO noted that the executive branch agencies responsible for the strategy—the National Security Council (NSC), the National Economic Council (NEC), the White House Office of Science and Technology Policy (OSTP), and the National Telecommunications and Information Administration (NTIA)—did not submit written comments on its report. GAO analysts were able to interview officials from OSTP and NTIA to gather data for the report, but NSC officials would not meet with GAO personnel, the report said.

Officials from NTIA and OSTP told the GAO the 5G strategy was "intentionally written to be at a high level and as a result, it may not include all elements of our six desirable characteristics of national strategies," GAO noted. GAO was told that an implementation plan for the strategy would be more likely to meet GAO’s standards, the report said.

"However, the officials we spoke to were unable to provide details on the final content of the implementation plan such as whether the plan would include all elements of our six desirable characteristics of national strategies given that it was not final. National strategies and their implementation plans should include all elements of the six desirable characteristics to enhance their usefulness as guidance and to ensure accountability and coordinate investments," GAO said.

"Until the administration ensures that the implementation plan includes all elements of the six desirable characteristics, the guidance the plan provides decision-makers in allocating resources to address 5G risks and challenges will likely be limited," it added.

The report was prepared for the House and Senate committees on Armed Services and Intelligence and the House Science, Space, and Technology Committee. —Tom Leithauser
