GAO to White House: Do More on R&D
Office of Science and Technology Policy Needs to Set Priorities
In a 36-page report issued Tuesday, the GAO said the White House Office of Science and Technology Policy must do a better job in setting a prioritized national cybersecurity R&D agenda, providing stronger leadership and establishing ways for the public and private sectors to share key R&D information.
According to GAO, the National Strategy to Secure Cyberspace recommended that the White House Office of Science and Technology Policy coordinate the development of an annual cybersecurity research agenda that includes near-term (1 to 3 years), mid-term (3 to 5 years), and long-term (5 years or longer) goals. Though OSTP has taken initial steps toward developing such an agenda, GAO said, one does not now exist. "Without a current national cybersecurity R&D agenda," GAO said, "the nation is at risk that agencies and private sector companies may focus on their individual priorities, which may not be the most important national research priorities."
The Office of Science and Technology Policy, in a letter to GAO, said it could not concur with certain findings, and said its 5-year R&D plan can be found online. Nonetheless, OSTP said its current actions and plans coincide with GAO's recommendations. Still, GAO said the documents are either outdated or lack appropriate detail.
GAO also said that OSTP's Subcommittee on Networking and Information Technology Research and Development, a multiagency coordination body that's charged with furnishing leadership in coordinating cybersecurity R&D, has played a facilitator role in coordinating cybersecurity R&D efforts within the federal government, but hasn't led agencies in a strategic direction. That lack of leadership, GAO said, has been noted by many experts and by a presidential advisory committee that reported that federal cybersecurity R&D efforts should be focused, coordinated and overseen by a central body. "Until NITRD exercises its leadership responsibilities," GAO said, "federal agencies will lack overall direction for cybersecurity R&D."
But the director of the National Institute of Standards and Technology, Patrick Gallagher, in a letter to GAO, defended OSTP and NITRD. "This report creates the impression that there is little leadership, coordination and planning in the federal government for cybersecurity research and development," Gallagher wrote. "We believe that OSTP and NITRD are coordinating research activities and work with the federal government research community to identify a research strategy that meets the critical future needs in cyberspace."
Congress has required the executive branch to develop a governmentwide repository to track federally funded R&D initiatives, including those related to cybersecurity, but GAO said such a repository is not in place. The government also lacks the processes to promote relationships with the private sector to foster cybersecurity R&D, GAO said. "While NITRD hosted a major conference last year that brought together public, private, and academic experts, this was a one-time event, and, according to experts, next steps remain unclear," GAO said. "Without a mechanism to track all active and completed cybersecurity R&D initiatives, federal researchers and developers as well as private companies lack essential information about ongoing and completed R&D. Moreover, without a process for industry and government to share cybersecurity R&D information, the nation is at risk of having unforeseen gaps."