GAO Calls for New Cybersecurity Strategy

White House: No Need for Yet Another Strategy

By , February 14, 2013.

With cyber-incidents reported by U.S. federal government agencies soaring by 782 percent over seven years, the Government Accountability Office is calling on the White House to develop an overarching federal cybersecurity strategy that would provide a more effective framework to assure the security of government IT data and systems.


In the 112-page report, issued Feb. 14, GAO contends the federal government has not developed a comprehensive cybersecurity strategy that articulates priority actions, assigns responsibilities for performing them and sets timeframes for their completion.

GAO says existing cybersecurity strategy documents have included selected elements of these desirable characteristics, such as setting goals and subordinate objectives, but have generally lacked other key elements. Among the missing elements: milestones and performance measures, costs and resources, roles and responsibilities and linkage with other key strategy documents.

"Until an overarching national cybersecurity strategy is developed that addresses all key elements of desirable characteristics, overall progress in achieving the government's objectives is likely to remain limited," write the report's authors: Gregory Wilshusen, director of information security issues, and Nabajyoti Barkakati, chief technologist and director of the Center for Science, Technology and Engineering.

The White House national security staff doesn't see the need for a new, comprehensive cybersecurity strategy, according to an e-mail sent to GAO from Rachael Leonard, general counsel of the White House Office of Science and Technology Policy. Remaining flexible and focusing on achieving measurable improvements in cybersecurity would be more beneficial than developing "yet another strategy on top of existing strategies," the Leonard e-mail says, as quoted in the GAO report.


The report - entitled Cybersecurity: National Strategy, Roles and Responsibilities Need to Be Better Defined and More Effectively Implemented - says the dramatic increase in security incidents, the ease of obtaining and using hacking tools and steady advances in the sophistication and effectiveness of attack technology increase risk to federal systems. Over seven years, from fiscal years 2006 through 2012, the number of incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team has skyrocketed from 5,503 to 48,562, a 782 percent increase. These incidents include the installation of malware, improper use of computing resources and unauthorized access to systems.


Of the incidents occurring in 2012, the GAO says improper usage, malicious code and unauthorized access were the most widely reported types across the federal government. Improper usage accounted for 20 percent of total incidents reported by agencies. Reports of cyber-incidents affecting national security, intellectual property and individuals have been widespread and involve data loss or theft, economic loss, computer intrusions and privacy breaches.

The report also provides a comprehensive history of how the government has approached cybersecurity over the years and reviews various strategies and initiatives involving the securing of federal systems and data.

GAO identifies five aspects of cybersecurity that the government has addressed, but which remain a challenge:

  • Designing and implementing risk-based federal and critical infrastructure programs;
  • Detecting, responding to and mitigating cyber-incidents;
  • Promoting education, awareness and workforce planning;
  • Promoting research and development;
  • Addressing international cybersecurity challenges.

Need to Clarify Responsibilities

Follow Eric Chabrow on Twitter: @GovInfoSecurity
