GAO Probing U.S. Cybersecurity Strategy
Investigation Aims to Identify Opportunities to Improve IT Security
The Government Accountability Office is preparing a comprehensive analysis of the nation's cybersecurity strategy to determine its effectiveness in securing government IT and critical information infrastructures.
Gregory Wilshusen, GAO's director of information security issues, says the report, which should be issued in late January, will contain recommendations to Congress and the Obama administration on how to improve IT security.
"Because there have been so many issues with federal information security and the protection of cyber critical infrastructure, we wanted to take a broad-based look at what we have reported in the past, look at the strategies that have been developed through the years by the federal government and look to see if there are some opportunities to improve them," Wilshusen says.
What makes this examination different from others conducted by GAO, the investigative arm of Congress, is that it was commissioned by U.S. Comptroller General Gene Dodaro, who heads the GAO. It's rare for the comptroller general to instigate such a study. In nearly all other circumstances, requests from senators and representatives trigger a GAO review, or a review is required by law, such as the Federal Information Security Management Act, which requires biannual GAO IT security audits of 24 agencies.
Federal IT Security Classified as at High Risk
In 1997, the GAO identified federal information security as a high-risk area. In 2003, the GAO extended that high-risk classification to the nation's cyber-related critical infrastructure, most of which is owned by private companies.
Wilshusen says GAO examiners have been scrutinizing numerous IT security strategy documents issued by the current and previous administrations and comparing them with earlier IT security reports issued by the GAO. Investigators also have been comparing the strategy documents to what Wilshusen characterizes as "desirable characteristics that effective national strategies should have." The GAO specified those characteristics in 2004.
To help identify cybersecurity challenges for its new report, Wilshusen says the GAO surveyed non-government IT security experts and the chief information officers of the federal government's 24 largest agencies. According to federal law, CIOs are responsible for the information security of their respective agencies.
Wilshusen hopes the federal government will heed GAO's recommendations. "We hope the appropriate agencies and individuals act on our recommendation, and maybe that will cause them to act on other things as well," he says.