Cyberspace:

United States Faces Challenges in Addressing Global Cybersecurity and Governance

GAO-10-606: Published: Jul 2, 2010. Publicly Released: Aug 2, 2010.

Contact:

David A. Powner
(202) 512-9286
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Recent foreign-based intrusions on the computer systems of U.S. federal agencies and commercial companies highlight the vulnerabilities of the interconnected networks that comprise the Internet, as well as the need to adequately address the global security and governance of cyberspace. Federal law and policy give a number of federal entities responsibilities for representing U.S. cyberspace interests abroad, in collaboration with the private sector. More recently, the President appointed a national Cybersecurity Coordinator charged with improving the nation's cybersecurity leadership. GAO was asked to identify (1) significant entities and efforts addressing global cyberspace security and governance issues, (2) U.S. entities responsible for addressing these issues and the extent of their involvement at the international level, and (3) challenges to effective U.S. involvement in global cyberspace security and governance efforts. To do this, GAO analyzed policies, reports, and other documents and interviewed U.S. government and international officials and experts from over 30 organizations.

There are a number of key entities and efforts with significant influence on international cyberspace security and governance. The organizations range from information-sharing forums that are nondecision-making gatherings of experts to private organizations to treaty-based, decision-making bodies founded by countries. Their efforts include those to address topics such as incident response, technical standards, and law enforcement cooperation. For example, the International Organization for Standardization is a nongovernmental organization that develops and publishes international standards, including those related to cybersecurity, through a consensus-based process involving a network of the national standards bodies of 162 countries. A number of U.S. federal entities have responsibilities for, and are involved in, international cyberspace governance and security efforts. Specifically, the Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are involved in efforts to develop international standards, formulate cyber-defense policy, facilitate overseas investigations and law enforcement, and represent U.S. interests in international forums. Federal entities have varying roles among organizations and efforts with international influence over cyberspace security and governance, including engaging in bilateral and multilateral relationships with foreign countries, providing personnel to foreign agencies, leading or being a member of a U.S. delegation, coordinating U.S. policy with other U.S. entities through the interagency process, or attending meetings. The global aspects of cyberspace present key challenges to U.S. policy. Until these challenges are addressed, the United States will be at a disadvantage in promoting its national interests in the realm of cyberspace. GAO recommends that the national Cybersecurity Coordinator address challenges including developing a comprehensive national global cyberspace strategy. 
The national Cybersecurity Coordinator and his staff generally concurred with the recommendations and stated that actions are already being taken.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To address the challenges identified, the Special Assistant to the President and Cybersecurity Coordinator, in collaboration with other federal entities and the private sector, should establish, with DHS, the Department of State, and other key U.S. and international governmental and nongovernmental entities, protocols for working on cyber incident response globally in a manner that is consistent with our national security interests.

    Agency Affected: Executive Office of the President: Office of the Chief of Staff: Office of the National Security Advisor: Office of the Chief of Staff: Cybersecurity

    Status: Open

    Comments: The Executive Office of the President (EOP) agreed with our recommendation and stated that the National Cyber Incident Response Plan is being revised based upon lessons learned from both the 2012 Cyber Storm IV exercise and the National Level Exercise. The response plan assigns roles and responsibilities for incident response, including international cooperation. We will continue to follow up with EOP and gather additional evidence concerning their efforts to establish protocols for global cyber incident response.

    Recommendation: To address the challenges identified, the Special Assistant to the President and Cybersecurity Coordinator, in collaboration with other federal entities and the private sector, should enhance the interagency coordination mechanisms, including the Information and Communications Infrastructure Interagency Policy Committee (ICI-IPC), by ensuring relevant federal entities are engaged and that their efforts, taken together, support U.S. interests in a coherent and consistent fashion.

    Agency Affected: Executive Office of the President: Office of the Chief of Staff: Office of the National Security Advisor: Office of the Chief of Staff: Cybersecurity

    Status: Open

    Comments: The Executive Office of the President (EOP) agreed with our recommendation and stated that the National Security Staff operates Interagency Policy Committees (IPC) to provide the principal forums for consideration of national and homeland security policy issues. Under this structure, the Cybersecurity IPC (formerly the ICI-IPC) is to provide the main day-to-day forum for interagency coordination and the management of the development and implementation of national cybersecurity policy. EOP also reported that agencies are invited to the Cybersecurity IPC if they have a significant role or equity on a given issue. However, EOP did not indicate how it had enhanced coordination mechanisms or how it had engaged additional relevant federal entities. We will continue to follow up with EOP and gather additional evidence about actions taken.

    Recommendation: To address the challenges identified, the Special Assistant to the President and Cybersecurity Coordinator, in collaboration with other federal entities and the private sector, should develop with the Departments of Commerce, Defense, Homeland Security, Justice, and State and other relevant federal and nonfederal entities, a comprehensive U.S. global cyberspace strategy that (1) articulates overarching goals, subordinate objectives, specific activities, performance metrics, and reasonable time frames to achieve results; (2) addresses technical standards and policies while taking into consideration U.S. trade; and (3) identifies methods for addressing the enforcement of U.S. civil and criminal law.

    Agency Affected: Executive Office of the President: Office of the Chief of Staff: Office of the National Security Advisor: Office of the Chief of Staff: Cybersecurity

    Status: Open

    Comments: The Executive Office of the President (EOP) agreed with our recommendation and published the International Strategy for Cyberspace in May 2011. The strategy outlines a strategic approach that includes an overarching goal and subordinate objectives by providing principles for foreign policy related to the future of the Internet and cyberspace policy. For example, the strategy states that the goal of the United States will be to work internationally to promote an open and interoperable, secure and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation. In addition, the strategy addresses international standards, privacy and internet freedom, and law enforcement issues, such as harmonizing cybercrime laws internationally. However, the strategy does not establish specific activities, performance metrics, or time frames for achieving results. We will continue to work with EOP to determine if specific activities, performance metrics, and time frames are established using other implementing mechanisms.

    Recommendation: To address the challenges identified, the Special Assistant to the President and Cybersecurity Coordinator, in collaboration with other federal entities and the private sector, should make recommendations to appropriate agencies and interagency coordination committees regarding any necessary changes to more effectively coordinate and forge a coherent national approach to cyberspace policy.

    Agency Affected: Executive Office of the President: Office of the Chief of Staff: Office of the National Security Advisor: Office of the Chief of Staff: Cybersecurity

    Status: Open

    Comments: The Executive Office of the President (EOP) agreed with our recommendation and stated that Presidential Policy Directive 1 gave the President's National Security Staff the authority to operate and coordinate the Interagency Policy Committees to provide the principal forums for developing national cybersecurity policy. To coordinate and forge a coherent national approach to cyberspace policy, the EOP released the 'International Strategy for Cyberspace.' The strategy includes a broad range of cyberspace policy aimed at building interoperable, secure and reliable networks in the U.S. and abroad. Among the U.S. cyberspace policy priorities identified in the strategy are promoting international cybersecurity standards, participating fully in international cybercrime policy development, enhancing existing military alliances to confront potential threats in cyberspace, and promoting Internet governance structures to serve the needs of all Internet users. However, the strategy did not recommend or specify actions to be taken by appropriate agencies or committees to implement the policy and related priorities. We will continue to follow up with EOP and gather additional information.

    Recommendation: To address the challenges identified, the Special Assistant to the President and Cybersecurity Coordinator, in collaboration with other federal entities and the private sector, should determine, in conjunction with the Departments of Defense and State and other relevant federal entities, which, if any, cyberspace norms should be defined to support U.S. interests in cyberspace and methods for fostering such norms internationally.

    Agency Affected: Executive Office of the President: Office of the Chief of Staff: Office of the National Security Advisor: Office of the Chief of Staff: Cybersecurity

    Status: Open

    Comments: The Executive Office of the President (EOP) agreed with our recommendation and stated that the May 2011 'International Strategy for Cyberspace' articulated a number of key cyberspace norms. The strategy outlines, among others, global interoperability, network stability, and reliable access, as areas requiring agreement on norms. In addition, the EOP stated that the Cybersecurity Interagency Policy Committee is coordinating a process to provide additional guidance to departments and agencies to bolster U.S. leadership in protecting and promoting the Internet as an open, interoperable, secure and reliable information environment to include fostering norms globally. However, we do not have sufficient evidence of the methods to foster norms internationally. We will continue to follow up with EOP and gather additional evidence.
