GAO slams White House for failing to lead on cybersecurity

Lack of a cybersecurity R&D agenda puts nation at risk, report says

The White House Office of Science and Technology Policy has so far failed to live up to its responsibility to coordinate a national cybersecurity R&D agenda, the Government Accountability Office (GAO) said in a report released this week.

As a result, the U.S. risks falling behind other countries on cybersecurity matters and being unable to adequately protect its interests in cyberspace, the 36-page report (PDF document) warned.

The GAO report was prepared at the behest of the House Committee on Homeland Security, and called on the OSTP to show more leadership in pulling together a focused and prioritized short-, medium- and long-term R&D strategy for cybersecurity.

The report noted that the White House's National Strategy to Secure Cyberspace from 2003 tasks the OSTP with coordinating the development of such a strategy and with updating it on an annual basis.

Over the years, the OSTP has taken "initial steps toward developing such an agenda," the GAO report said. However, "one does not currently exist" even today, the report said.

Although the OSTP and the White House Office of Management and Budget (OMB) have said that such an agenda is indeed contained in "existing documents," the documents are either outdated or lack sufficient detail, the GAO noted.

Currently, five federal agencies, including the National Science Foundation, the U.S. Department of Homeland Security, and the National Institutes of Science and Technology, fund and carry out most of the government's cybersecurity R&D work. Several private sector companies also carry out either federally-funded or self-funded cybersecurity R&D projects for the government.

Over the years, there have been numerous calls for more centralized oversight and coordination of these various R&D efforts to ensure that the projects are meeting a focused national cybersecurity.

Among those who have called for such coordination are the President's Council of Advisors on Science and Technology in 2007, the President's Information Technology Advisory Committee in 2005 and the Center for Strategic and International Studies (CSIS) in 2008, the GAO said.

In addition, the GAO itself has in the past noted the absence of a federal cybersecurity research agenda and called on the director of the OSTP to establish firm timelines for setting one up, the report noted.

Despite such recommendations and despite its legal responsibility, the OSTP subcommittee on Networking and Information Technology Research and Development (NITRD), which is specifically responsible for coordinating federal cybersecurity R&D, has failed to lead, the GAO said.

Up to now, NITRD has failed to create a national R&D agenda, has not established any goals or priorities for cybersecurity R&D and has no mechanism for tracking federal cybersecurity R&D funding and spending.

The GAO report references -- and then dismisses -- various documents that officials from the OSTP and OMB have claimed comprise a national R&D agenda. "These documents do not constitute, whether taken collectively or separately, a prioritized national agenda," because they are outdated or lack detail, the GAO said.

In a letter responding to the GAO report, Patrick Gallagher, director of NIST, concurred with the call for the OSTP to do more to get federal R&D cybersecurity moving along. But the letter challenged the report's conclusion that there was a lack of leadership by the OSTP.

"This report creates the impression that there is little leadership, coordination and planning in the Federal government," for cybersecurity R&D, Gallagher wrote. "We believe that OSTP and NITRD are coordinating research activities and working with the federal government research community to identify a research strategy."

Meanwhile, in a separate letter, the OSTP said that it could not concur with some of the GAO's findings, and insisted that it already has a five-year plan for cybersecurity research, which is available online (PDF document) and which will soon be updated.

The NITRD is also working on a "game-change R&D strategy that responds to the leap-ahead goals" of the multi-billion Comprehensive National Cybersecurity Initiative, launched during the Bush Administration, the OSTP letter noted. Details of this work will be available to the public in the next few days, the letter promised.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.

This story, "GAO slams White House for failing to lead on cybersecurity" was originally published by Computerworld.

Copyright © 2010 IDG Communications, Inc.
