From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Watchdog Report #6: Implementation of the Comprehensive National Cybersecurity Initiative

Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology

March 5, 2010

[ Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the Government Accountability Office. It's March 5th, 2010. Ongoing threats of cyber attacks on federal systems and operations prompted the President to establish the Comprehensive National Cybersecurity Initiative in 2008. A group led by Greg Wilshusen, a director in GAO's Information Technology team, has examined the progress that agencies and stakeholders have made in implementing this cyber security initiative. GAO analyst Jeremy Cluchey sat down with Greg to learn more.

[ Jeremy Cluchey: ] What prompted the Comprehensive National Cybersecurity Initiative and what are the initiative's objectives?

[ Greg Wilshusen: ] I think the key drivers to this particular initiative was a recognition on the increasing reliance of the federal government on its computer systems and networks to conduct its operations and deliver services--without which, government would not be able to effectively function. And, perhaps more importantly, is a recognition of the evolving and growing nature of the threat to those systems and networks--and the potentially devastating consequences that could occur should a successful attack happen. Over the past 3 or 4 years, the number of reported security incidents and attacks on federal systems has risen dramatically. And those attacks are becoming increasingly sophisticated. So in January 2008, President Bush signed two presidential directives establishing the Comprehensive National Cybersecurity Initiative or CNCI, which is a set of 12 distinct projects. The objective of the initiative is to safeguard federal information systems by reducing potential vulnerabilities, protecting against intrusion attempts, and anticipating future threats.

[ Jeremy Cluchey: ] To what extent did GAO find that federal agencies have made progress in achieving CNCI's goals?

[ Greg Wilshusen: ] The White House and federal agencies have established interagency working groups to plan and coordinate CNCI activities, lead agencies have been designated for each of the 12 projects, and agencies have commenced implementation activities on the individual projects. However, much work remains and CNCI faces a number of challenges to meet its objective.

[ Jeremy Cluchey: ] Can you talk about some of those challenges that CNCI faces as it seeks to secure federal information systems?

[ Greg Wilshusen: ] Sure. These challenges include, one, defining agency roles and responsibilities. Currently, agencies have overlapping and uncoordinated responsibilities for cyber security activities that have not yet been clarified by the initiative. A second challenge is establishing performance metrics. Although certain metrics have been developed, metrics that measure the effectiveness of CNCI projects in actually improving security of federal systems have not yet been developed. A third challenge is establishing an appropriate level of transparency. Much of CNCI-related information is classified and may hinder the effectiveness of the initiative, particularly with respect to coordinating activities with the private sector and ensuring accountability to Congress and the public. A fourth challenge is reaching agreement on the scope of cyber security education activities. Stakeholders have not yet reached agreement on whether the initiative should focus on training the current federal workforce or include K-12, college, and graduate-level programs.

[ Jeremy Cluchey: ] What does GAO recommend to improve the implementation of the CNCI?

[ Greg Wilshusen: ] Well, we recommended that the director of OMB, among other things, take the following four steps: Better define roles and responsibilities of all key CNCI participants to ensure that essential government-wide cyber security activities are fully coordinated. To establish measures to determine the effectiveness of CNCI projects in making federal information systems more secure and track progress against those measures. The third recommendation is establish an effective and appropriate level of transparency about CNCI by clarifying the rationale for classifying information, and ensuring that as much information as possible and as is appropriate is made public. And to reach agreement on the scope of CNCI's education project, to ensure that an adequate cadre of skilled personnel is developed to protect federal information security systems. We believe that implementing these recommendations will help address the challenges that CNCI faces in protecting its federal information systems.

[ Music ]

[ Narrator: ] To learn more, visit GAO's Web site at GAO.gov and be sure to tune in to the next edition of GAO's Watchdog Report for more from the congressional watchdog, the Government Accountability Office.