Cybersecurity:

Key Challenges Need to Be Addressed to Improve Research and Development

GAO-10-466: Published: Jun 3, 2010. Publicly Released: Jul 6, 2010.

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Computer networks and infrastructures, on which the United States and much of the world rely to communicate and conduct business, contain vulnerabilities that can leave them susceptible to unauthorized access, disruption, or attack. Investing in research and development (R&D) is essential to protect critical systems and to enhance the cybersecurity of both the government and the private sector. Federal law has called for improvements in cybersecurity R&D, and, recently, President Obama has stated that advancing R&D is one of his administration's top priorities for improving cybersecurity. GAO was asked to determine the key challenges in enhancing national-level cybersecurity R&D efforts among the federal government and private companies. To do this, GAO consulted with officials from relevant federal agencies and experts from private sector companies and academic institutions as well as analyzed key documents, such as agencies' research plans.

Several major challenges impede efforts to improve cybersecurity R&D. Among the most critical challenges are the following:

1) Establishing a prioritized national R&D agenda. While R&D that is in support of specific agencies' missions is important, it is also essential that national research efforts be strategically guided by an ordered set of national-level R&D goals. Additionally, it is critical that cyberspace security research efforts are prioritized across all sectors to ensure that national goals are addressed. Accordingly, the National Strategy to Secure Cyberspace recommended that the Office of Science and Technology Policy (OSTP) coordinate the development of an annual cybersecurity research agenda that includes near-term (1-3 years), mid-term (3-5 years), and long-term (5 years or longer) goals. Although OSTP has taken initial steps toward developing such an agenda, one does not currently exist. OSTP and Office of Management and Budget officials stated that they believe an agenda is contained in existing documents; however, these documents are either outdated or lack appropriate detail. Without a current national cybersecurity R&D agenda, the nation is at risk that agencies and private sector companies may focus on their individual priorities, which may not be the most important national research priorities.

2) Strengthening leadership. While officials within OSTP's Subcommittee on Networking and Information Technology Research and Development (NITRD)--a multiagency coordination body that is primarily responsible for providing leadership in coordinating cybersecurity R&D--have played a facilitator role in coordinating cybersecurity R&D efforts within the federal government, they have not led agencies in a strategic direction. NITRD's lack of leadership has been noted by many experts as well as by a presidential advisory committee that reported that federal cybersecurity R&D efforts should be focused, coordinated, and overseen by a central body. Until NITRD exercises its leadership responsibilities, federal agencies will lack overall direction for cybersecurity R&D.

3) Tracking R&D funding and establishing processes for the public and private sectors to share key R&D information. Despite a congressional mandate to develop a governmentwide repository that tracks federally funded R&D, including R&D related to cybersecurity, such a repository is not currently in place. Additionally, the government does not have a process to foster the kinds of relationships necessary for coordination between the public and private sectors. While NITRD hosted a major conference last year that brought together public, private, and academic experts, this was a one-time event, and, according to experts, next steps remain unclear. Without a mechanism to track all active and completed cybersecurity R&D initiatives, federal researchers and developers as well as private companies lack essential information about ongoing and completed R&D. Moreover, without a process for industry and government to share cybersecurity R&D information, the nation is at risk of having unforeseen gaps.

GAO is recommending that the Director of OSTP direct NITRD to exercise its leadership responsibilities by taking several actions, including developing a national agenda, and establishing and utilizing a mechanism to keep track of federal cybersecurity R&D funding. OSTP agreed with GAO's recommendation and provided details on planned actions.

GAO recommends that TSA establish milestones for a staffing study, verify the accuracy of all reported screening data, develop a contingency plan for screening domestic cargo, and develop plans for meeting the mandate as it applies to inbound cargo. TSA partially concurred with verifying screening data and did not concur with developing a contingency plan because it did not believe such actions were feasible. GAO believes these recommendations remain valid, as discussed in this report. TSA agreed with all other recommendations.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To help address the key cybersecurity R&D challenges, the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, should direct the Subcommittee on Networking and Information Technology Research and Development to exercise its leadership responsibilities and establish a mechanism, in working with the Office of Management and Budget and consistent with existing law, to keep track of all ongoing and completed federal cybersecurity R&D projects and associated funding, to the maximum extent possible without jeopardizing national security.

    Agency Affected: Executive Office of the President: Office of Science and Technology Policy

    Status: Open

    Comments: On February 16, 2011, the Assistant Director for Information Technology R&D at the Office of Science and Technology Policy provided an update on the status of this recommendation. The office stated that in February NITRD launched a beta version of a new online tool that allows the public to track U.S. progression in innovation, including cybersecurity research and development. Further, the office stated that information available on this site includes research abstracts, information on which research institutions have successfully won NSF and NIH awards, and details on patents or patent applications resulting from federal research and development. The beta version was in the process of being expanded to cover a broader range of Federal agencies and research areas.

    Recommendation: To help address the key cybersecurity R&D challenges, the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, should direct the Subcommittee on Networking and Information Technology Research and Development to exercise its leadership responsibilities and identify and report shortages in researchers in the cybersecurity field to the national Cybersecurity Coordinator, which should be used to update the national cybersecurity strategy with the appropriate plans for addressing human capital weaknesses.

    Agency Affected: Executive Office of the President: Office of Science and Technology Policy

    Status: Open

    Comments: On February 16, 2011, the Assistant Director for Information Technology R&D at the Office of Science and Technology Policy provided an update on the status of this recommendation. The office stated that in September 2010, the U.S. Office of Personnel Management launched a government-wide cybersecurity survey to employees and supervisors who handle cybersecurity as part of their daily job responsibilities. The results of the survey were in the process of being analyzed. Further, the office stated that the survey focused on critical competencies for various positions related to information technology. The identified competencies would then be used to inform strategies for workforce planning, training and development, performance management, and recruitment and selection under the National Initiative for Cybersecurity Education (NICE).

    Recommendation: To help address the key cybersecurity R&D challenges, the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, should direct the Subcommittee on Networking and Information Technology Research and Development to exercise its leadership responsibilities and establish a comprehensive national R&D agenda by expanding on the CSIA IWG framework and ensure that it 1) contains priorities for short-term, mid-term, and long-term complex cybersecurity R&D; 2) includes input from the private sector and academia; and 3) is consistent with the updated national cybersecurity strategy (when available).

    Agency Affected: Executive Office of the President: Office of Science and Technology Policy

    Status: Open

    Comments: On September 16, 2011, the National Science and Technology Council drafted the Trustworthy Cyberspace: Strategic Plan for Federal Cybersecurity Research and Development Program, which is to be issued in October 2011. While the development of this strategy included input from the private sector and academia, the timeframes for complex cybersecurity R&D priorities were unclear. Further, we were not able to determine if the strategy is consistent with the updated national cybersecurity strategy.

    Recommendation: To help address the key cybersecurity R&D challenges, the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, should direct the Subcommittee on Networking and Information Technology Research and Development to exercise its leadership responsibilities and utilize the newly established tracking mechanism to develop an ongoing process to make federal R&D information available to federal agencies and the private sector.

    Agency Affected: Executive Office of the President: Office of Science and Technology Policy

    Status: Open

    Comments: On February 16, 2011, the Assistant Director for Information Technology R&D at the Office of Science and Technology Policy provided an update on the status of this recommendation. The office stated that in February NITRD launched a beta version of a new online tool that allows the public to track U.S. progression in innovation, including cybersecurity research and development. Further, the office stated that information available on this site includes research abstracts, information on which research institutions have successfully won NSF and NIH awards, and details on patents or patent applications resulting from federal research and development. The beta version was in the process of being expanded to cover a broader range of Federal agencies and research areas.
