There’s been a lot of light and heat in the last week when it comes to the U.S. government and cyber security. After all, President Obama just released his Executive Order on cyber security, which puts an emphasis on identifying and protecting critical infrastructure and, just maybe, pushes the sprawling federal bureaucracy towards better security practices.
But a just-released report from the Government Accountability Office (GAO) makes clear that, in the big scheme of things, the Executive Order is just window dressing on the mess that is the Federal Government’s handling of cyber security.
The report, GAO-13-187 (PDF), is a round-up and updating of previous reports that studied aspects of federal cyber security as they affect a wide range of federal agencies. The GAO’s conclusion? Uncle Sam has made negligible progress towards improving the security of its information systems, and has little to show in key areas such as responding to cyber incidents, promoting R&D on cyber security tools and technology and educating its workforce about cyber security, or responding to international cyber threats. In short, Uncle Sam needs a plan, GAO found.
“No overarching cybersecurity strategy has been developed that articulates priority actions, assigns responsibilities for performing them, and sets timeframes for their completion. In 2004, GAO developed a set of desirable characteristics that can enhance the usefulness of national strategies in allocating resources, defining policies, and helping to ensure accountability,” GAO concludes.
Instead, the federal government has adopted a piecemeal approach: issuing “a variety of strategy-related documents over the last decade, many of which address … priorities for enhancing cybersecurity within the federal government as well as for encouraging improvements in the cybersecurity of critical infrastructure within the private sector.” GAO counts 10 separate cyber security plans, initiatives and cyber infrastructure protection plans issued by the government between 2000 and 2012.
This comes amid a rising number of malicious or suspicious intrusions into government-operated networks. Incident reports to the U.S. Department of Homeland Security’s U.S. CERT increased 782 percent between 2006 and 2012, with more than 48,000 incident reports in 2012 from a variety of federal agencies.
The GAO has been a reliable critic of federal government cybersecurity efforts for much of the last decade. In recent years, the Office dinged agencies like the Department of Defense and Internal Revenue Service (IRS) for lax security, while warning about the threat of cyber espionage, vulnerable medical devices and gullible federal workers. The Office also called on the federal government to do a better job protecting the public from insecure mobile devices and applications.
Still, with lawmakers on Capitol Hill unable to agree on comprehensive new legislation that would contain reforms, the federal government has mostly been left to institute small changes around the edges of existing programs rather than tackle bold new initiatives. GAO said that a true national cybersecurity strategy is sorely needed. Such a plan would set milestones and performance measures for key cybersecurity initiatives, clarify roles and responsibilities, attempt to contain costs and bridge existing strategy documents.
With the ink barely dry on President Obama’s Executive Order, GAO recommends that the White House re-engage with the issue by directing the Executive branch’s Cybersecurity Coordinator to develop an overarching federal cybersecurity strategy. That strategy should include all key elements of the desirable characteristics of a national strategy, and it should actually hold federal agencies responsible for improving their cybersecurity posture.
Furthermore, Congress should consider legislation to better define roles and responsibilities for implementing and overseeing federal information security programs and for protecting the nation’s critical cyber assets, the GAO said.