GAO Calls for New Cybersecurity StrategyWhite House: No Need for Yet Another Strategy
With cyber-incidents reported by the U.S. federal government agencies soaring by 782 percent over seven years, the Government Accountability Office is calling on the White House to develop an overarching federal cybersecurity strategy that would provide a more effective framework to assure the security of government IT data and systems.
In the 112-page report, issued Feb. 14, GAO contends the federal government has not developed a comprehensive cybersecurity strategy that articulates priority actions, assigns responsibilities for performing them and sets timeframes for their completion.
GAO says existing cybersecurity strategy documents have included selected elements of these desirable characteristics, such as setting goals and subordinate objectives, but have generally lacked other key elements. Among the missing elements: milestones and performance measures, costs and resources, roles and responsibilities and linkage with other key strategy documents.
"Until an overarching national cybersecurity strategy is developed that addresses all key elements of desirable characteristics, overall progress in achieving the government's objectives is likely to remain limited," write the report's authors: Gregory Wilshusen, director of information security issues, and Nabajyoti Barkakati, chief technologist and director of the Center for Science, Technology and Engineer.
The White House national security staff doesn't see the need for a new, comprehensive cybersecurity strategy, according to an e-mail sent to GAO from Rachael Leonard, general counsel of the White House Office of Science and Technology Policy. Remaining flexible and focusing on achieving measurable improvements in cybersecurity would be more beneficial than developing "yet another strategy on top of existing strategies," the Leonard e-mail says, as quoted in the GAO report.
Story continues after chart
The report - entitled Cybersecurity: National Strategy, Roles and Responsibilities Need to Be Better Defined and More Effectively Implemented - says the dramatic increase in security incidents, the ease of obtaining and using hacking tools and steady advances in the sophistication and effectiveness of attack technology increase risk to federal systems. Over seven years, from fiscal years 2006 through 2012, the number of incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team has skyrocketed from 5,503 to 48,562, a 782 percent increase. These incidents include the installation of malware, improper use of computing resources and unauthorized access to systems.
Story continues after chart
Of the incidents occurring in 2012, the GAO says improper use of malicious code and unauthorized access were the most widely reported types across the federal government. Improper usage accounted for 20 percent of total incidents reported by agencies. Reports of cyber-incidents affecting national security, intellectual property and individuals have been widespread and involve data loss or theft, economic loss, computer intrusions and privacy breaches.
The report also provides a comprehensive history of how the government has approached cybersecurity over the years and reviews various strategies and initiatives involving the securing of federal systems and data.
GAO identifies five aspects of cybersecurity that the government has addressed, but which remain a challenge:
- Designing and implementing risk-based federal and critical infrastructure programs;
- Detecting, responding to and mitigating cyber-incidents;
- Promoting education, awareness and workforce planning;
- Promoting research and development;
- Addressing international cybersecurity challenges.
Need to Clarify Responsibilities
In July 2010, the Obama administration gave the Department of Homeland Security operational responsibilities to oversee civilian agencies in implementing IT security programs, including compliance with the Federal Information Security Management Act, the law that governs federal government IT security, tasks previously performed by the White House Office of Management and Budget. OMB told GAO auditors it retained general oversight responsibilities as stipulated by FISMA.
Still, GAO questioned the legality of assigning DHS those undertakings. "While OMB's decision to transfer several of its responsibilities to DHS may have had beneficial practical results," GAO writes, "such as leveraging the resources of DHS, it is not consistent with FISMA, which assigns all of these responsibilities to OMB."
With responsibilities divided between DHS and OMB, GAO says it's unclear how those two organizations are to share the IT security oversight of individual departments and agencies. DHS and OMB have individually issued annual FISMA reporting instructions to agencies, which GAO says could create confusion among agency officials.
GAO says a new strategy could clarify how OMB will oversee agency implementation of requirements for effective risk management processes and establish a roadmap for making significant improvements in cybersecurity challenge areas where previous recommendations have not been fully addressed.
GAO recommends that Congress consider enacting legislation to better define roles and responsibilities for implementing and overseeing federal IT security programs and for protecting the nation's critical cyber-assets.