Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance
Highlights
Recent foreign-based intrusions on the computer systems of U.S. federal agencies and commercial companies highlight the vulnerabilities of the interconnected networks that comprise the Internet, as well as the need to adequately address the global security and governance of cyberspace. Federal law and policy give a number of federal entities responsibilities for representing U.S. cyberspace interests abroad, in collaboration with the private sector. More recently, the President appointed a national Cybersecurity Coordinator charged with improving the nation's cybersecurity leadership. GAO was asked to identify (1) significant entities and efforts addressing global cyberspace security and governance issues, (2) U.S. entities responsible for addressing these issues and the extent of their involvement at the international level, and (3) challenges to effective U.S. involvement in global cyberspace security and governance efforts. To do this, GAO analyzed policies, reports, and other documents and interviewed U.S. government and international officials and experts from over 30 organizations.
There are a number of key entities and efforts with significant influence on international cyberspace security and governance. The organizations range from information-sharing forums that are nondecision-making gatherings of experts, to private organizations, to treaty-based, decision-making bodies founded by countries. Their efforts include those to address topics such as incident response, technical standards, and law enforcement cooperation. For example, the International Organization for Standardization is a nongovernmental organization that develops and publishes international standards, including those related to cybersecurity, through a consensus-based process involving a network of the national standards bodies of 162 countries.

A number of U.S. federal entities have responsibilities for, and are involved in, international cyberspace governance and security efforts. Specifically, the Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are involved in efforts to develop international standards, formulate cyber-defense policy, facilitate overseas investigations and law enforcement, and represent U.S. interests in international forums. Federal entities have varying roles among organizations and efforts with international influence over cyberspace security and governance, including engaging in bilateral and multilateral relationships with foreign countries, providing personnel to foreign agencies, leading or being a member of a U.S. delegation, coordinating U.S. policy with other U.S. entities through the interagency process, or attending meetings.

The global aspects of cyberspace present key challenges to U.S. policy. Until these challenges are addressed, the United States will be at a disadvantage in promoting its national interests in the realm of cyberspace. GAO recommends that the national Cybersecurity Coordinator address challenges including developing a comprehensive national global cyberspace strategy.
The national Cybersecurity Coordinator and his staff generally concurred with the recommendations and stated that actions are already being taken.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Cybersecurity | To address the challenges identified, the Special Assistant to the President and Cybersecurity Coordinator, in collaboration with other federal entities and the private sector, should make recommendations to appropriate agencies and interagency coordination committees regarding any necessary changes to more effectively coordinate and forge a coherent national approach to cyberspace policy. | To coordinate and forge a coherent national approach to cyberspace policy, the EOP released the International Strategy for Cyberspace in May 2011. The strategy includes a broad range of cyberspace policy priorities aimed at building interoperable, secure, and reliable networks in the U.S. and abroad. Among the U.S. cyberspace policy priorities identified in the strategy are promoting international cybersecurity standards, participating fully in international cybercrime policy development, enhancing existing military alliances to confront potential threats in cyberspace, and promoting Internet governance structures that serve the needs of all Internet users. While the strategy did not recommend or specify actions to be taken by appropriate agencies or committees to implement the policy and related priorities, the administration has released other critical infrastructure related guidance. Presidential Policy Directive 21, released in February 2013, reflects the administration's current cybersecurity focus of protecting the domestic critical infrastructure and lays out the critical infrastructure security and resilience roles and responsibilities for federal agencies. In particular, the directive assigns the Department of State, in coordination with DHS and other federal departments and agencies, responsibility for engaging foreign governments and international organizations to strengthen the security and resilience of critical infrastructure located outside the United States and for facilitating the overall exchange of best practices and lessons learned for promoting the security and resilience of the nation's critical infrastructure. |
Cybersecurity | To address the challenges identified, the Special Assistant to the President and Cybersecurity Coordinator, in collaboration with other federal entities and the private sector, should develop, with the Departments of Commerce, Defense, Homeland Security, Justice, and State and other relevant federal and nonfederal entities, a comprehensive U.S. global cyberspace strategy that (1) articulates overarching goals, subordinate objectives, specific activities, performance metrics, and reasonable time frames to achieve results; (2) addresses technical standards and policies while taking into consideration U.S. trade; and (3) identifies methods for addressing the enforcement of U.S. civil and criminal law. | The Executive Office of the President (EOP) agreed with our recommendation and published the International Strategy for Cyberspace in May 2011. The strategy outlines a strategic approach that includes an overarching goal and subordinate objectives by providing principles for foreign policy related to the future of the Internet and cyberspace policy. For example, the strategy states that the goal of the United States will be to work internationally to promote an open and interoperable, secure and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation. In addition, the strategy addresses international standards, privacy and Internet freedom, and law enforcement issues, such as harmonizing cybercrime laws internationally. However, the strategy does not establish specific activities, performance metrics, or time frames for achieving results. In August 2014, the Cybersecurity Coordinator stated that performance metrics remain a challenge. No reports of performance metrics were available as evidence of the implementation of formal metrics. |
Cybersecurity | To address the challenges identified, the Special Assistant to the President and Cybersecurity Coordinator, in collaboration with other federal entities and the private sector, should enhance the interagency coordination mechanisms, including the Information and Communications Infrastructure Interagency Policy Committee (ICI-IPC), by ensuring relevant federal entities are engaged and that their efforts, taken together, support U.S. interests in a coherent and consistent fashion. | The Executive Office of the President (EOP) agreed with our recommendation and stated that the National Security Staff operates Interagency Policy Committees (IPC) to provide the principal forums for consideration of national and homeland security policy issues. Under this structure, the Cybersecurity IPC (formerly the ICI-IPC) is to provide the main day-to-day forum for interagency coordination and the management of the development and implementation of national cybersecurity policy. EOP also reported that agencies are invited to the Cybersecurity IPC if they have a significant role or equity on a given issue. The February 2013 release of Presidential Policy Directive 21 and Executive Order 13636, Improving Critical Infrastructure Cybersecurity, laid out federal agencies' roles and responsibilities, including collaborative efforts to strengthen critical infrastructure protection, improve information sharing with the private sector and external partners, and share cyber best practices and standards. For example, the Department of State, in coordination with DHS and other federal departments and agencies, is responsible for engaging foreign governments and international organizations to strengthen the security and resilience of critical infrastructure located outside the United States and for facilitating the overall exchange of best practices and lessons learned for promoting the security and resilience of the nation's critical infrastructure. Further, the Department of Homeland Security has established the Critical Infrastructure Partnership Advisory Council (CIPAC) to facilitate effective coordination between federal infrastructure protection programs and the infrastructure protection activities of the private sector and of state, local, territorial, and tribal governments. |
Cybersecurity | To address the challenges identified, the Special Assistant to the President and Cybersecurity Coordinator, in collaboration with other federal entities and the private sector, should establish, with DHS, the Department of State, and other key U.S. and international governmental and nongovernmental entities, protocols for working on cyber incident response globally in a manner that is consistent with our national security interests. | The Executive Office of the President (EOP) agreed with our recommendation and stated that lessons learned from both the 2012 Cyber Storm IV exercise and the National Level Exercise will be used to revise the National Cyber Incident Response Plan. The response plan assigns roles and responsibilities for incident response, including international cooperation. In addition, the Department of Homeland Security established the National Cybersecurity and Communications Integration Center (NCCIC) to bring together federal, state, local, private sector, and international entities to perform cyber incident analysis and share actionable information for response, mitigation, and recovery efforts. The NCCIC is also to support the development, organization, and execution of exercises and to encourage international cybersecurity cooperation. The NCCIC's protocols for handling incident response are implemented through US-CERT, the 24x7 operational incident response center, and the Industrial Control Systems-CERT, which collaborates with international and private sector Computer Emergency Response Teams to share control systems-related security incidents and mitigation measures. In 2013, the NCCIC sponsored the International Watch and Warning Network (IWWN) exercise, which involved 11 nations in an exercise to facilitate global incident response capabilities. The IWWN exercise was also an opportunity to apply lessons learned from the Cyber Storm III exercise conducted in September 2010. In August 2014, the Cybersecurity Coordinator acknowledged the value of cyber exercises and added that more private sector participation should be considered. |
Cybersecurity | To address the challenges identified, the Special Assistant to the President and Cybersecurity Coordinator, in collaboration with other federal entities and the private sector, should determine, in conjunction with the Departments of Defense and State and other relevant federal entities, which, if any, cyberspace norms should be defined to support U.S. interests in cyberspace and methods for fostering such norms internationally. | The Executive Office of the President (EOP) agreed with our recommendation and stated that the May 2011 International Strategy for Cyberspace articulated a number of key cyberspace norms. The strategy outlines, among others, global interoperability, network stability, and reliable access as areas requiring agreement on norms. In addition, the EOP stated that the Cybersecurity Interagency Policy Committee coordinates a process to provide additional guidance to departments and agencies to bolster U.S. leadership in protecting and promoting the Internet as an open, interoperable, secure, and reliable information environment, including fostering norms globally. In August 2014, the Cybersecurity Coordinator stated that developing cyberspace norms is an ongoing, long-term endeavor. NIST's Cybersecurity Framework is an example of an effort to create norms. The framework provides a common taxonomy of standards, guidelines, and practices that is not country-specific. Organizations outside the United States may also use the framework to strengthen their own cybersecurity efforts, and the framework can contribute to developing a common language for international cooperation on critical infrastructure cybersecurity. |