Months prior to the 2015 public disclosure of a data breach at the U.S. government’s Office of Personnel and Management (OPM), the Office of the Inspector General for OPM issued a report that identified significant deficiencies and material weaknesses in a number of the agency’s information systems and IT security programs. In response to the 2020 SolarWinds supply chain hack, attributed to Russia, calls are underway for inspectors general to conduct audits and inspections and to review prior inspector general assessments of information systems and vulnerabilities at federal agencies. The use of inspectors general to assess information system vulnerabilities and to conduct post-breach evaluations, as illustrated by the OPM and SolarWinds cyber incidents, reflects a shift in the work undertaken by inspectors general and hints at their ability to fill an important role in efforts to reform the U.S. government’s cybersecurity architecture. This article examines the unheralded and unrecognized work of inspectors general and the special role they are poised to play in the U.S. government’s cybersecurity-related work in the coming years. Inspectors general serve critical but little-understood functions in our constitutional system, both as internal checks on executive power within the administrative state and as conduits of the information necessary to the congressional oversight task. In light of continuing calls for reform of the U.S. government’s cybersecurity architecture, this article examines the consequential position of the inspector general from a new perspective and considers the unique contributions of inspectors general to these reform efforts.
Part I identifies flaws in the current organization of the U.S. government’s cybersecurity efforts. It describes the current fractured structure as reflected by more than twenty-three executive branch entities responsible for cybersecurity-related tasks, a disjointed congressional committee structure, and inadequate coordination with private sector partners. Part II explores the common solutions offered to remedy the government’s cybersecurity organizational challenges. These include calls for revising the national cyber strategy, establishing a new cyber director, strengthening the Cybersecurity and Infrastructure Security Agency and increasing its funding, revamping the congressional committee structure, and building a cyber workforce. Notably absent from these calls is recognition that inspectors general have been examining these very issues and offering recommendations. Part III calls attention to the oft-ignored contributions of inspectors general, and examines why inspectors general across the U.S. government are uniquely prepared to support a re-alignment of the government’s cybersecurity-related programs and entities. Part IV catalogs examples of inspectors general already engaged in the work of identifying and evaluating cybersecurity challenges. In conclusion, Part V considers how to effectively engage inspectors general in future reorganizational efforts and suggests avenues for further research.
Belmont Law Review
Amy Gaudion, Recognizing the Role of Inspectors General in the U.S. Government's Cybersecurity Restructuring Task, 9 Belmont L. Rev. 180 (2021).