This is the accessible text file for GAO report number GAO-10-466 
entitled 'Cybersecurity: Key Challenges Need to Be Addressed to 
Improve Research and Development' which was released on July 6, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 
GAO: 

June 2010: 

Cybersecurity: 

Key Challenges Need to Be Addressed to Improve Research and 
Development: 

GAO-10-466: 

GAO Highlights: 

Highlights of GAO-10-466, a report to congressional requesters. 

Why GAO Did This Study: 

Computer networks and infrastructures, on which the United States and 
much of the world rely to communicate and conduct business, contain 
vulnerabilities that can leave them susceptible to unauthorized 
access, disruption, or attack. Investing in research and development 
(R&D) is essential to protect critical systems and to enhance the 
cybersecurity of both the government and the private sector. Federal 
law has called for improvements in cybersecurity R&D, and, recently, 
President Obama has stated that advancing R&D is one of his 
administration’s top priorities for improving cybersecurity. 

GAO was asked to determine the key challenges in enhancing national-
level cybersecurity R&D efforts among the federal government and 
private companies. To do this, GAO consulted with officials from 
relevant federal agencies and experts from private sector companies 
and academic institutions as well as analyzed key documents, such as 
agencies’ research plans. 

What GAO Found: 

Several major challenges impede efforts to improve cybersecurity R&D. 
Among the most critical challenges are the following: 

Establishing a prioritized national R&D agenda. While R&D that is in 
support of specific agencies’ missions is important, it is also 
essential that national research efforts be strategically guided by an 
ordered set of national-level R&D goals. Additionally, it is critical 
that cyberspace security research efforts are prioritized across all 
sectors to ensure that national goals are addressed. Accordingly, the 
National Strategy to Secure Cyberspace recommended that the Office of 
Science and Technology Policy (OSTP) coordinate the development of an 
annual cybersecurity research agenda that includes near-term (1-3 
years), mid-term (3-5 years), and long-term (5 years or longer) goals. 
Although OSTP has taken initial steps toward developing such an 
agenda, one does not currently exist. OSTP and Office of Management 
and Budget officials stated that they believe an agenda is contained 
in existing documents; however, these documents are either outdated or 
lack appropriate detail. Without a current national cybersecurity R&D 
agenda, the nation is at risk that agencies and private sector 
companies may focus on their individual priorities, which may not be 
the most important national research priorities. 

Strengthening leadership. While officials within OSTP’s Subcommittee 
on Networking and Information Technology Research and Development 
(NITRD)—a multiagency coordination body that is primarily responsible 
for providing leadership in coordinating cybersecurity R&D—have played 
a facilitator role in coordinating cybersecurity R&D efforts within 
the federal government, they have not led agencies in a strategic 
direction. NITRD’s lack of leadership has been noted by many experts 
as well as by a presidential advisory committee that reported that 
federal cybersecurity R&D efforts should be focused, coordinated, and 
overseen by a central body. Until NITRD exercises its leadership 
responsibilities, federal agencies will lack overall direction for 
cybersecurity R&D. 

Tracking R&D funding and establishing processes for the public and 
private sectors to share key R&D information. Despite a congressional 
mandate to develop a governmentwide repository that tracks federally 
funded R&D, including R&D related to cybersecurity, such a repository 
is not currently in place. Additionally, the government does not have 
a process to foster the kinds of relationships necessary for 
coordination between the public and private sectors. While NITRD 
hosted a major conference last year that brought together public, 
private, and academic experts, this was a one-time event, and, 
according to experts, next steps remain unclear. Without a mechanism 
to track all active and completed cybersecurity R&D initiatives, 
federal researchers and developers as well as private companies lack 
essential information about ongoing and completed R&D. Moreover, 
without a process for industry and government to share cybersecurity 
R&D information, the nation is at risk of having unforeseen gaps. 

What GAO Recommends: 

GAO is recommending that the Director of OSTP direct NITRD to exercise 
its leadership responsibilities by taking several actions, including 
developing a national agenda, and establishing and utilizing a 
mechanism to keep track of federal cybersecurity R&D funding. OSTP 
agreed with GAO’s recommendation and provided details on planned 
actions. 

View [hyperlink, http://www.gao.gov/products/GAO-10-466] or key 
components. For more information, contact David A. Powner at (202) 512-
9286 or pownerd@gao.gov, or Gregory C. Wilshusen at (202) 512-6244 or 
wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Key Challenges to Improving National Cybersecurity R&D Efforts: 

Conclusions: 

Recommendation for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Comments from the Office of Science and Technology Policy: 

Appendix III: Comments from the National Institute of Standards and 
Technology: 

Appendix IV: GAO Contacts and Staff Acknowledgments: 

Table: 

Table 1: Federal Organizations Involved in the Oversight and 
Coordination of Cybersecurity Research: 

Abbreviations: 

CNCI: Comprehensive National Cybersecurity Initiative: 

CSIA IWG: Cyber Security and Information Assurance Interagency Working 
Group: 

CSIS: Center for Strategic and International Studies: 

DARPA: Defense Advanced Research Projects Agency: 

DHS: Department of Homeland Security: 

DOD: Department of Defense: 

DOE: Department of Energy: 

IT: information technology: 

IT-SCC: Information Technology Sector Coordinating Council: 

NIST: National Institute of Standards and Technology: 

NITRD: Subcommittee on Networking and Information Technology Research 
and Development: 

NSA: National Security Agency: 

NSF: National Science Foundation: 

NSTC: National Science and Technology Council: 

OMB: Office of Management and Budget: 

OSTP: Office of Science and Technology Policy: 

PCAST: President's Council of Advisors on Science and Technology: 

PITAC: President's Information Technology Advisory Committee: 

R&D: research and development: 

RaDiUS: Research and Development in the U.S. (database): 

SCORE: Special Cyber Operations Research and Engineering: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

June 3, 2010: 

The Honorable Bennie G. Thompson: 
Chairman: 
Committee on Homeland: 
Security House of Representatives: 

The Honorable Yvette D. Clarke: 
Chairwoman: 
Subcommittee on Emerging Threats, Cybersecurity, and Science and 
Technology: Committee on Homeland Security: 
House of Representatives: 

Dramatic increases in computer interconnectivity, especially in the 
use of the Internet, continue to revolutionize the way that our 
government, our nation, and much of the world communicate and conduct 
business. However, computers, networks, and their infrastructures are 
not always designed with security in mind. As a result, public and 
private systems that support critical operations and infrastructures 
of the federal government can have significant vulnerabilities 
[Footnote 1] that can be exploited by malicious users to gain 
unauthorized access to systems and obtain sensitive information, 
commit fraud, disrupt operations, or launch attacks against Web sites. 

Because of concerns about these malicious attacks from individuals and 
groups, it is essential that the United States protect its existing 
critical systems and at the same time work to get ahead of its 
adversaries by ensuring that future generations of technology will 
position the United States to better protect its critical systems from 
attack. As such, we have designated protecting the federal 
government's information systems as a high-risk area.[Footnote 2] 
Research in cybersecurity[Footnote 3] technology is essential to 
creating a broader range of choices and more robust tools for building 
secure, networked computer systems in the federal government and in 
the private sector. Furthermore, over the past two decades, federal 
law and policy have called for improvements in the research and 
development (R&D) of cybersecurity tools and techniques. In May 2009, 
President Obama announced that advancing R&D is one of his 
administration's top five priorities for improving cybersecurity. 

This report responds to your request that we conduct a review of the 
nation's current cybersecurity-related R&D efforts. Specifically, our 
objective was to determine the key challenges to enhancing national- 
level cybersecurity R&D efforts among the federal government and 
private companies. 

To address this objective, we identified experts from the public and 
private sectors that conduct or coordinate cybersecurity R&D, 
including 7 government agencies/entities--the Departments of Defense 
(DOD), Homeland Security (DHS), and Energy (DOE) and the National 
Science Foundation (NSF), the National Institute of Standards and 
Technology (NIST), the Office of Management and Budget (OMB), and the 
Office of Science and Technology Policy (OSTP); 24 private sector 
entities; and 3 academic institutions (see app. I for the complete 
list). To obtain information on the key R&D challenges that these 
entities face, we analyzed documentation, such as agencies' research 
plans and cybersecurity reports, and interviewed federal and industry 
experts. We then aggregated the identified challenges and validated 
the top challenges by asking the experts to rank the challenges in 
order of importance. Appendix I contains further details of our 
objective, scope, and methodology. 

We conducted this performance audit from June 2009 to June 2010, in 
accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objective. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objective. 

Background: 

The speed, functionality, and accessibility that create the enormous 
benefits of the computer age can, if not properly controlled, allow 
individuals and organizations to easily eavesdrop on or interfere with 
computer operations from remote locations for mischievous or malicious 
purposes, including fraud or sabotage. As public and private 
organizations use computer systems to transfer more and greater 
amounts of money, sensitive economic and commercial information, and 
critical defense and intelligence information, the likelihood 
increases that malicious individuals will attempt to penetrate current 
security technologies, disrupt or disable our nation's critical 
infrastructures, and use sensitive and critical information for 
malicious purposes. 

Because the threats have persisted and grown, in January 2008, the 
President began implementing a series of initiatives--commonly 
referred to as the Comprehensive National Cybersecurity Initiative 
(CNCI)--aimed primarily at improving DHS and other federal agencies' 
efforts to protect against intrusion attempts and anticipate future 
threats.[Footnote 4] Two of these initiatives are related to improving 
cybersecurity R&D--one is aimed at improving the coordination of 
federal cybersecurity R&D, and the other is aimed at developing a plan 
for advancing the United States' R&D in high-risk, high-return areas. 
We recently reported that CNCI faces significant challenges, including 
defining roles and responsibilities and coordinating efforts.[Footnote 
5] 

Numerous Entities Are Involved in the Cybersecurity Research and 
Development Arena: 

Several federal entities oversee and aim to coordinate federal 
cybersecurity research; private entities have structures in place 
aimed at coordinating research; and numerous federal agencies and 
private companies fund or conduct this research. 

Federal Oversight and Coordination of Cybersecurity R&D: 

OSTP and OMB, both in the Executive Office of the President, are 
responsible for providing high-level oversight of federal R&D, 
including cybersecurity. OSTP promotes the work of the National 
Science and Technology Council, which prepares R&D strategies that are 
intended to be coordinated across federal agencies. The council 
operates through its committees, subcommittees, and interagency 
working groups, which coordinate activities related to specific 
science and technology disciplines. 

Table 1 contains a brief description of the roles and responsibilities 
of the federal organizations and groups involved in the oversight and 
coordination of cybersecurity research. 

Table 1: Federal Organizations Involved in the Oversight and 
Coordination of Cybersecurity Research: 

Organization: President's Council of Advisors on Science and 
Technology (PCAST); 
Description: Executive Order 13226 established PCAST in September 
2001. Under this order, PCAST was established to advise the President 
on matters involving science and technology policy and assist the 
National Science and Technology Council in securing private sector 
involvement in its activities. The council's members are appointed by 
the President and originate from industry, education, and research 
institutions and other nongovernmental organizations. The Director of 
OSTP serves as a co-chair for the council. 

Organization: President's Information Technology Advisory Committee 
(PITAC); 
Description: PITAC is made up of industry and academic experts 
appointed by the President to provide independent expert advice to the 
President, Congress, and federal agencies on networking and 
information technology R&D. In September 2005, Executive Order 13385 
reassigned the roles and responsibilities of PITAC to PCAST. 

Organization: National Security Council; 
Description: The council is the President's principal forum for 
considering national security and foreign policy matters with his 
senior national security advisors and cabinet officials. The council 
is chaired by the President. The Cybersecurity Coordinator and 
Director of National Intelligence both work with the council. 

Organization: Cybersecurity Office/U.S. Cybersecurity Coordinator; 
Description: In December 2009, the President created the Cybersecurity 
Office within the National Security Council and appointed a U.S. 
Cybersecurity Coordinator. The coordinator is intended to work closely 
with the federal Chief Information Officer, the federal Chief 
Technology Officer, and the National Economic Council. 

Organization: Office of the Director of National Intelligence; 
Description: The Office of the Director of National Intelligence was 
established in April 2005. The head of this office serves as the 
President's principal intelligence advisor and is intended to 
establish the intelligence community's priorities with clear and 
measurable goals and objectives as well as provide leadership on cross-
cutting intelligence community issues. According to OSTP officials, 
this office provides technical and administrative support to the 
Special Cyber Operations Research and Engineering Interagency Working 
Group. 

Organization: Office of Management and Budget (OMB); 
Description: The E-Government Act of 2002 mandated that OMB ensure the 
development and maintenance of a governmentwide repository and Web 
site that integrates information about federally funded R&D, including 
R&D related to cybersecurity. Furthermore, the Director of OMB and the 
Director of OSTP jointly release an annual memorandum to the heads of 
executive departments and agencies that specifies high-level R&D 
budget priorities, one of which is to protect the nation's information 
infrastructure. 

Organization: Office of Science and Technology Policy (OSTP); 
Description: OSTP serves as a primary advisor to the President for 
policy formation and budget development on all questions in which 
science and technology are important elements. The office also leads 
an interagency effort to develop and implement science and technology 
policies and budgets that are coordinated across federal agencies. 

Organization: OSTP's National Science and Technology Council (NSTC); 
Description: NSTC, established in 1993, is the principal means for the 
administration to coordinate science and technology policy among the 
diverse entities that make up the federal R&D enterprise. OSTP works 
through NSTC to develop strategies that are coordinated across federal 
agencies. The council operates through its committees, which include 
the Committee on Homeland and National Security and the Committee on 
Technology, among others. Each committee oversees a number of 
subcommittees and interagency working groups focused on science and 
technology. 

Organization: NSTC's Committee on Technology; 
Description: The Committee on Technology addresses policy matters that 
cut across agency boundaries and provides a formal mechanism for 
interagency policy coordination and balanced and comprehensive 
technology R&D programs. Senior-level representatives from federal 
departments and agencies comprise the committee. The committee is 
currently co-chaired by the U.S. Chief Information Officer in OMB and 
the Chief Technology Officer in OSTP. Several other agencies or 
components are members of the committee, including the Departments of 
Homeland Security (DHS), Defense (DOD), Justice, Transportation, and 
the Treasury; the Central Intelligence Agency; the National Security 
Agency (NSA); and the Office of the Cyber Security Officer from the 
National Security Council. 

Organization: The Committee on Technology's Subcommittee on Networking 
and Information Technology Research and Development (NITRD); 
Description: NITRD is a multiagency coordination program that seeks to 
ensure continued U.S. technological leadership and accelerate 
deployment of advanced and experimental information technologies. 
Subcommittee members include representatives from 15 federal agencies 
or components, including the National Science Foundation (NSF), DOD, 
NSA, and National Institute of Standards and Technology (NIST). 
NITRD is responsible for coordinating the planning, budgeting, and 
assessment of activities of a multiagency federal NITRD program. This 
program was chartered under the High-Performance Computing Act of 
1991, as amended by the Next Generation Internet Research Act of 1998 
and the America COMPETES Act of 2007, to help sustain U.S. leadership 
in cutting-edge science, engineering, and technology through 
investments from federal agencies involved in information technology 
R&D.[A]. 

Organization: National Coordination Office (NCO) for NITRD; 
Description: NCO is responsible for providing technical and 
administrative support for the Subcommittee on Networking and 
Information Technology Research and Development and interagency 
activities of the NITRD program. This includes helping identify 
research needs by coordinating interagency meetings as well as 
conferences and workshops with academia and industry. This office is 
to aid information dissemination by publishing reports, including 
reports produced by the PITAC, and the annual supplements to the 
President's budget. 

Organization: Senior Steering Group for Cyber Security; 
Description: In Spring 2008, a senior steering group was created and 
added to NITRD, which is intended to provide overall leadership and 
cybersecurity R&D coordination(CNCI Coordination Plan. The steering 
group's membership includes the co-chair for NITRD; 
the director of NCO; and senior representatives of agencies, such as 
DOD, DHS, National Security Agency, NIST, OSTP, and OMB. Additionally, 
the group is intended to facilitate closer interaction between 
classified and unclassified R&D. Accordingly, this group's membership 
also overlaps with the Special Cyber Operations Research and 
Engineering Interagency Working Group. 

Organization: Cyber Security and Information Assurance Interagency 
Working Group (CSIA IWG); 
Description: CSIA IWG was chartered in August 2005 to facilitate 
greater coordination of federal cybersecurity R&D. The working group 
reports to NITRD and is responsible for facilitating interagency 
program planning, developing and periodically updating an interagency 
roadmap, developing recommendations for establishing federal policies 
and priorities, summarizing annual activities for the NITRD program's 
supplement to the President's budget, and identifying potential 
opportunities for collaboration and coordination. Members include NSF, 
DOD's research organizations, NSA, the Defense Advanced Research 
Projects Agency, and NIST. Other participants include the Central 
Intelligence Agency; the Environmental Protection Agency; the National 
Aeronautics and Space Administration; the National Institutes of 
Health; and the Departments of Homeland Security, Energy, Justice, 
State, Transportation, and the Treasury. 

Organization: Special Cyber Operations Research and Engineering 
(SCORE) Interagency Working Group; 
Description: SCORE was created in Spring 2008 and is intended to work 
in parallel to the CSIA IWG to coordinate classified cybersecurity 
R&D. It is operated under OSTP and the Director for National 
Intelligence. Representatives from the SCORE and CSIA IWG participate 
together in the Senior Steering Group for Cyber Security. 

Source: GAO analysis of Executive Office of the President information. 

[A] The High-Performance Computing Act of 1991, Pub. L. No. 102-194, 
105 Stat. 1595 (Dec. 9, 1991), was amended by the Next Generation 
Internet Research Act of 1998, Pub. L. No. 105-305, 112 Stat. 2919 
(Oct. 28, 1998), and the America COMPETES Act, Pub. L. No. 110-69, 121 
Stat. 572 (Aug. 9, 2007). 

[End of table] 

Private Sector Cybersecurity R&D Coordination: 

The private sector also has cybersecurity R&D working groups aimed at 
better coordinating R&D. Under an existing information-sharing 
framework within a plan referred to as the National Infrastructure 
Protection Plan,[Footnote 6] two Sector Coordinating Councils-- 
Financial Services and Information Technology--have R&D working 
groups. These groups are composed of representatives from companies, 
associations, and other key sector participants to coordinate 
strategic activities and communicate broad sector member views 
associated with cybersecurity R&D throughout their sectors. 
Specifically, these working groups are charged with conducting annual 
reviews of R&D initiatives in their sectors and recommending updates 
to those priorities based on changes in technology, threats, 
vulnerabilities, and risk. 

Federal Agencies and Private Companies Fund or Conduct Cybersecurity 
R&D: 

Five agencies--NSF, DHS, DOD, DOE, and NIST--fund and conduct much of 
the government's cybersecurity R&D. 

According to agency officials, NSF's main cybersecurity R&D program is 
the Trustworthy Computing Program. This program is to support research 
and education activities that explore novel frameworks, theories, and 
approaches toward secure and privacy-preserving systems. According to 
the Subcommittee on Networking and Information Technology Research and 
Development's (NITRD) supplement to the 2011 budget, NSF's budget was 
approximately $71.4 million for cybersecurity R&D. 

DHS's R&D efforts are aimed at countering threats to the homeland by 
making evolutionary improvements to current capabilities and 
developing revolutionary new capabilities. DHS's cybersecurity R&D 
program resides in the agency's Science and Technology Directorate. 
DHS has created R&D tools and made them accessible to the broader 
research community, such as an experimental research testing 
environment and a research data repository. In November 2009, DHS 
issued A Roadmap for Cybersecurity Research, which was an attempt to 
establish a foundation on which a national R&D agenda could be built. 
Furthermore, it was intended to provide detailed R&D agendas related 
to specific cybersecurity problems.[Footnote 7] 

Several agencies within DOD have cybersecurity R&D programs. The 
department's Defense Research and Engineering organization within the 
Office of the Director provides coordination and oversight and 
supports certain cybersecurity research activities directly. The 
office is responsible for DOD's science and technology activities as 
well as for oversight of research and engineering. Although the 
department's research organizations (e.g., the Office of Naval 
Research, the Army Research Laboratory, and the Air Force Research 
Laboratory) have cybersecurity programs, the largest investments 
within its cybersecurity R&D are with the Defense Advanced Research 
Projects Agency (DARPA) and the National Security Agency (NSA). DARPA 
is the central R&D organization for the department, and its 
cybersecurity R&D budget for fiscal year 2010 is approximately $144 
million.[Footnote 8] Its mission is to identify revolutionary, high-
risk, high-payoff technologies of interest to the military, then to 
support the development of these technologies through transition. NSA 
also performs extensive cybersecurity research. Its research programs 
focus on high-speed encryption and certain defense capabilities, among 
other things. For fiscal year 2010, the agency's budget was 
approximately $29 million for cybersecurity R&D. The research is 
conducted and supported by its National Information Assurance Research 
Group. In addition to DARPA and NSA, approximately $70 million was 
budgeted for fiscal year 2010 to the Office of the Secretary of 
Defense and other research organizations within DOD for additional 
cybersecurity R&D. 

DOE also conducts and funds cybersecurity R&D. Nearly all of DOE's 
cybersecurity R&D investments are directed toward short-term 
applications. This work is conducted principally at the national 
laboratories. DOE reported to NITRD that it had spent $3.5 million on 
cybersecurity R&D for fiscal year 2010, and requested the same amount 
for fiscal year 2011. Additionally, DOE conducts cybersecurity R&D for 
other departments, such as DOD. 

NIST's cybersecurity research program is multidisciplinary and focuses 
on a range of long-term and applied R&D. NIST also conducts security 
research in support of future standards and guidelines. NIST's fiscal 
year 2010 budget for cybersecurity was about $29 million. The agency 
also receives funding from other agencies--such as DHS, the Department 
of Transportation and the General Services Administration--to work on 
projects that are consistent with its cybersecurity mission. 

In addition, many private sector companies pursue government grants or 
contracts to conduct cybersecurity R&D on behalf of the government, or 
they independently self-fund cybersecurity research. The private 
sector generally conducts cybersecurity R&D in areas with commercial 
viability, which are focused on developing products to help their 
customers better secure their systems and networks. For example, 
representatives from one private sector company stated that they have 
set up unused computers that attempt to attract hackers for the 
purpose of analyzing the attacker. Another company is conducting R&D 
related to the Internet's architecture. According to private sector 
officials, cybersecurity R&D does not necessarily have to be conducted 
by large companies; some small companies have made large contributions. 

Various Entities Have Issued Guidance on Federal Cybersecurity R&D: 

Various public and private sector entities have issued reports that 
provide guidance and make recommendations for improvements in the 
nation's activities related to specific aspects of cybersecurity, 
including R&D. The following key reports offer guidance and direction 
related to cybersecurity R&D: 

* In February 2003, the White House's The National Strategy to Secure 
Cyberspace identified five national priorities, one of which includes 
reducing cyberspace threats and vulnerabilities.[Footnote 9] As part 
of this priority, the strategy tasked the Director of OSTP with 
coordinating the development of a federal government R&D agenda for 
cybersecurity and updating it on an annual basis. 

* In February 2005, the President's Information Technology Advisory 
Committee (PITAC) recommended several changes in the federal 
government's cybersecurity R&D portfolio.[Footnote 10] One of the 
report's recommendations was to strengthen coordination and oversight 
of federal cybersecurity efforts. 

* The President's Council of Advisors on Science and Technology 
(PCAST) found in its 2007 report, entitled Leadership Under Challenge: 
Information Technology R&D in a Competitive World, that the existing 
federal networking and information technology R&D portfolio was 
unbalanced in favor of low-risk, small-scale, and short-term efforts. 
[Footnote 11] The council recommended that federal agencies increase 
support for larger-scale, longer-term R&D. 

* In December 2008, the Center for Strategic and International Studies 
(CSIS) Commission on Cybersecurity for the 44TH Presidency issued a 
series of recommendations for a comprehensive national approach to 
securing cyberspace.[Footnote 12] As part of the review, CSIS 
recommended the creation of a new National Office of Cyberspace, which 
would work with OSTP to provide overall coordination of cybersecurity 
R&D. 

* The Institute for Information Infrastructure Protection's report, 
entitled National Cyber Security: Research and Development Challenges 
Related to Economics, Physical Infrastructure, and Human Behavior, 
stated that a national cybersecurity research agenda was urgently 
needed that prioritizes problems; encourages and tracks innovative 
approaches; and provides a pipeline of short-, medium-, and long-term 
projects.[Footnote 13] 

* The National Security and Homeland Security Councils' report, 
entitled Cyberspace Policy Review: Assuring a Trusted and Resilient 
Information and Communications Infrastructure, recommended that a 
framework for R&D be developed.[Footnote 14] The report also 
recommended that the administration appoint a cybersecurity policy 
official to coordinate the nation's cybersecurity policies and 
activities. Accordingly, as we have previously mentioned, in December 
2009, President Obama appointed a national Cybersecurity Coordinator. 
Among many things, this official is tasked with updating the national 
cybersecurity strategy. We have a review under way that is assessing 
the implementation status of the recommendations that were made in the 
Cyberspace Policy Review. 

* In November 2009, DHS issued a report entitled A Roadmap for 
Cybersecurity Research, which identifies critical needs and gaps in 11 
cybersecurity research areas. 

GAO Has Made Recommendations to Improve Cybersecurity R&D: 

In addition to the recent cybersecurity reports, we have reported on 
the importance of furthering cybersecurity R&D. Specifically, in 
September 2006, we reported on actions taken by federal entities to 
improve the oversight and coordination of federal cybersecurity R&D 
activities.[Footnote 15] We found that federal entities had taken 
several important steps to improve the oversight and coordination of 
federal cybersecurity R&D; however, a federal cybersecurity research 
agenda had not yet been developed. Furthermore, the federal 
government's R&D repositories did not contain information about all of 
the federally funded cybersecurity research projects. As a result, we 
recommended, among other things, that the Director of OSTP establish 
firm timelines for the completion of the federal cybersecurity R&D 
agenda, which includes near-term, mid-term, and long-term research. We 
also recommended that the Director of OMB issue guidance to agencies 
on reporting information about federally funded cybersecurity R&D 
projects to the governmentwide repositories. Although OMB and OSTP 
have taken initial steps, the agencies have not fully implemented 
these recommendations. 

Additionally, in March 2009, we testified on key improvements needed 
to strengthen the national cybersecurity strategy. Based on input we 
received from expert panels, we identified 12 key improvements that 
are essential to enhancing the strategy and our national cybersecurity 
posture.[Footnote 16] One of these improvements was placing greater 
emphasis on cybersecurity R&D, including consideration of how to 
better coordinate government and private sector efforts. 

Key Challenges to Improving National Cybersecurity R&D Efforts: 

While efforts are under way by OSTP, NITRD, and individual agencies to 
improve cybersecurity R&D, significant challenges remain. We 
identified, through input from experts from relevant federal, private, 
and academic organizations, six major challenges that are impeding 
efforts to improve cybersecurity R&D. 

Lack of a Prioritized National Cybersecurity R&D Agenda: 

According to key expert bodies, a national cybersecurity R&D agenda 
should embody several characteristics. Specifically, according to the 
National Strategy to Secure Cyberspace, a national R&D agenda should 
include near-term (1 to 3 years), mid-term (3 to 5 years), and long- 
term (5 years and longer) goals. Additionally, an agenda should 
include national-level R&D priorities that go beyond goals specific to 
agencies' and companies' missions. It is also essential that 
cyberspace security research efforts are ranked across all sectors and 
funding sources to ensure that national goals are addressed. 
Additionally, according to the Institute for Information 
Infrastructure Protection, it is important that an agenda include 
perspectives from both the public and private sectors. An agenda 
should also specify timelines and milestones for conducting 
cybersecurity R&D activities. Moreover, in 2006, we recommended that 
OSTP develop a federal cybersecurity R&D agenda that includes near-
term, mid-term, and long-term research.[Footnote 17] Additionally, 
pursuant to the High-Performance Computing Act of 1991, as amended by 
the Next Generation Internet Research Act of 1998 and the America 
COMPETES Act of 2007, NITRD is responsible for setting goals and 
priorities for cybersecurity R&D. 

However, despite its legal responsibility and our past 
recommendations, NITRD has not created a prioritized national or 
federal R&D agenda. Officials from DOD, DOE, and DHS indicated that 
there is a lack of a prioritized cybersecurity R&D agenda. 
Furthermore, the aggregated ranked responses from 24 cybersecurity R&D 
private and academic experts we contacted indicated that the lack of a 
prioritized national R&D agenda is the top challenge that they believe 
should be addressed.[Footnote 18] 

While officials from NITRD and OMB stated that they consider the 
following key documents to comprise a national R&D agenda, these 
documents do not constitute, whether taken collectively or separately, 
a prioritized national agenda: 

* NITRD's 2006 Cyber Security and Information Assurance Working 
Group's Federal Plan for Cyber Security and Information Assurance R&D: 
As we have previously reported, this plan was intended to be the first 
step toward developing a federal agenda for cybersecurity research, 
which provides baseline information about ongoing federal R&D 
activities; however, mid-term and long-term cybersecurity research 
goals were not defined. Furthermore, the plan does not specify 
timelines and milestones for conducting R&D activities, nor does it 
assign responsibility for implementation. Additionally, this plan was 
published in 2006, and many experts indicated that it is outdated. For 
example, NSF officials, who were co-developers of the plan, stated 
that the document does not take into account new types of threats that 
have appeared in the past 4 years, and some of the issues identified 
in the 2006 report are less critical today. According to NITRD 
officials, this plan is intended to be a 5-year plan, and they do not 
plan to update it until 2012. 

* The National Security and Homeland Security Councils' 2009 
Cyberspace Policy Review: Assuring a Trusted and Resilient Information 
and Communications Infrastructure: This report presents relevant high- 
level challenges and recommendations for improvements that cover the 
spectrum of cybersecurity issues. However, according to NSF officials, 
the report does not contain sufficient detail related to R&D to be a 
research agenda. Furthermore, DHS officials stated that the Cyberspace 
Policy Review does not attempt to articulate a national-level R&D 
agenda. 

* August 2009 OMB and OSTP memorandum, "Science and Technology 
Priorities for the FY 2011 Budget (M-09-27)": This memorandum also 
does not provide guidance on cybersecurity R&D priorities. As pointed 
out by DHS officials, this memorandum provides high-level points for 
consideration but does not provide a clear national cybersecurity R&D 
agenda. Moreover, DOD stated that the memorandum only provides general 
guidance for departments and agencies as they develop their overall 
science and technology programs. 

* National Science and Technology Council's 2008 Federal Plan for 
Advanced Networking and Research and Development: This plan 
specifically focuses on establishing goals and time frames for 
enhancing networking capabilities, which includes enhancing networking 
security and reliability. However, networking is just one of several 
areas that need to be addressed in the cybersecurity R&D arena. 

The private sector organizations and cybersecurity R&D experts that we 
contacted also did not consider the documents to constitute a national 
R&D agenda. Several private sector representatives stated that they 
exclusively use their own strategies to determine their cybersecurity 
R&D priorities. 

According to NITRD's Cyber Security and Information Assurance 
Interagency Working Group (CSIA IWG) members, they have recently begun 
working on developing a framework that focuses on three main 
cybersecurity R&D themes. The DOD co-chair of CSIA IWG stated that he 
believes the framework will constitute a national cybersecurity R&D 
agenda. The three themes that comprise the framework are (1) 
supporting security policies and security services for different types 
of cyber space interactions; (2) deploying systems that are both 
diverse and changing, to increase complexity and costs for attackers 
and system resiliency; and (3) developing cybersecurity incentives to 
create foundations for cybersecurity markets, establish meaningful 
metrics, and promote economically sound and secure practices. NITRD 
officials stated that they expect the framework to be finalized in 
time for the 2012 budget submission. However, these three themes do 
not cover all of the priorities that should be included in a national 
cybersecurity R&D agenda. For example, among other things, issues such 
as global-scale identity management, which was identified by DHS as a 
top problem that needs to be addressed, and computer forensics, which 
was identified by the private sector and several key government 
reports as a major area needing government focus, are not included in 
this framework. 

Beyond developing a federal plan as we have previously recommended, 
there is a need for a broader national cybersecurity R&D agenda. Until 
such an agenda is developed that (1) contains short-term, mid-term, 
and long-term priorities, (2) includes input from both public and 
private sectors, and (3) is consistent with the updated national 
cybersecurity strategy (when it is available), increased risk exists 
that agencies and private sector organizations will focus on their 
individual priorities for cybersecurity R&D, which may not be the most 
important national research priorities. 

Lack of Leadership for Improving Federal Cybersecurity R&D Efforts: 

According to key expert bodies, leadership for improving cybersecurity 
in R&D is composed of several attributes. Specifically, PITAC 
indicated that federal cybersecurity R&D efforts should be focused, 
coordinated, and overseen by a central body. More specifically, the 
committee recommended that NITRD become the focal point for 
coordinating federal cybersecurity R&D efforts. Furthermore, according 
to CSIS, NITRD should lead the nation toward an aggressive research 
agenda. Additionally, our previous work has highlighted the need to 
define and agree on roles and responsibilities, including how an 
effort will be led. In doing so, the entities can clarify who will do 
what, organize their joint and individual efforts, and facilitate 
decision making.[Footnote 19] 

Although NITRD is primarily responsible for providing leadership in 
coordinating cybersecurity R&D, it has played a facilitator role, 
rather than leading agencies in a strategic direction toward a 
cybersecurity R&D agenda. Experts from 24 private sector and academic 
R&D entities ranked this challenge as the second most important 
cybersecurity R&D challenge, and officials from 2 federal agencies 
indicated that they agreed that there is a lack of government 
leadership. For example, 2 private sector experts stated that there is 
confusion about who in the government is leading the cybersecurity R&D 
area. Another private sector expert stated that while NITRD is playing 
a facilitator role, there is no central entity that is strategically 
leading cybersecurity R&D in the federal government. 

NITRD has intentionally decided to play a facilitator role. 
Specifically, NITRD carries out several activities, such as hosting 
monthly meetings in which agencies discuss their initiatives and 
compiling all of its participating agencies' cybersecurity R&D efforts 
and budgets; however, it generally does not make any specific 
decisions about how these efforts could be better coordinated. 
Recently, NITRD pointed to the National Cyber Leap Year initiative and 
the output from that initiative--CSIA IWG's cybersecurity R&D 
framework that is under development--as evidence of NITRD's leadership 
approach; however, this framework has not been completed. 

Until NITRD exercises its leadership responsibilities, federal 
agencies will likely lack overall direction for cybersecurity R&D. 

Lack of a Process for Sharing Key Information on R&D Initiatives 
between Federal Agencies and the Private Sector: 

We have previously emphasized the importance of establishing a process 
to ensure widespread and ongoing sharing of key cybersecurity-related 
information between federal agencies and private sector 
entities.[Footnote 20] Additionally, according to the 2009 Cyberspace 
Policy Review, it is important that the federal government share 
cybersecurity R&D information with the private sector. 

To improve R&D-related information sharing, in 2008 the Information 
Technology Sector Coordinating Council (IT-SCC) R&D working group 
proposed a framework to the Information Technology Government 
Coordinating Council and NITRD to establish a process for federal 
agencies and the private sector to share key information on R&D 
initiatives.[Footnote 21] Approximately 2 years have passed since the 
IT-SCC made its proposal, and still no decision has been made on 
whether the government will pursue the working group's proposal, nor 
has the government developed an alternative approach to sharing key 
R&D information. 

According to federal and private experts, key factors exist that 
reduce the private sector's and government's willingness to share 
information and trust each other with regard to researching and 
developing new cybersecurity technologies. Specifically, private 
sector officials stated that they are often unwilling to share details 
of their R&D with the government because they want to protect their 
intellectual property. On the government side, officials are concerned 
that the private sector is too focused on making a profit and may not 
necessarily conduct R&D in areas that require the most attention. 
Additionally, government and private sector officials indicated that 
the government does not have a process in place to communicate the 
results on completed federal R&D. 

The private and public sectors share some cybersecurity R&D 
information, but such information-sharing generally occurs only on a 
project-by-project basis. For example, NSF's Industry University 
Cooperative Research Center initiative establishes centers to conduct 
research that is of interest to both industry and academia, and DOD's 
Small Business Innovation Research program funds R&D at small 
technology companies. However, according to federal and private sector 
experts, widespread and ongoing information-sharing generally does not 
occur. Without sharing such information, gaps in research among public 
and private sectors R&D is difficult to identify. 

More recently, NITRD has taken steps to work more formally with the 
private sector and academia, such as hosting the National Cyber Leap 
Year Summit in August 2009, which aimed to bring together researchers 
and developers from the private and public sectors. 

Nevertheless, without an ongoing process for industry and government 
to share cybersecurity R&D information, the nation could be at great 
risk of funding duplicative efforts or having gaps in needed R&D. 

Limited Focus on Long-term, Complex Cybersecurity Research Projects: 

Several entities have emphasized that cybersecurity R&D should include 
long-term, complex projects. Specifically, the President's 2003 
National Strategy to Secure Cyberspace indicated that it is important 
that the Director of OSTP develop a cybersecurity research agenda that 
includes long-term (5 years and longer) research. In 2006, we reported 
that researchers had indicated the need for long-term efforts, such as 
researching cybersecurity vulnerabilities, developing technological 
solutions, and transitioning research results into commercially 
available products.[Footnote 22] Furthermore, in August 2007, PCAST 
recommended that federal agencies increase support for larger-scale, 
longer-term R&D. 

While federal officials point to specific long-term cybersecurity R&D 
investments, such as DOD's development of a National Cyber Range 
[Footnote 23] and NSF's Trustworthy Computing Program, OSTP has not 
established long-term research goals in a national agenda, the absence 
of which continues to plague the advancement of cybersecurity R&D. 
According to experts, one of the contributing factors to the limited 
focus on long-term R&D is that industry is focused on short-term, 
profit-generating R&D. Furthermore, experts stated that unless there 
is commercial viability, industry generally does not invest time or 
money. Another major contributing factor is that the federal 
government has been focused on obtaining and implementing new 
solutions immediately. For example, federal cybersecurity grants 
generally require grantees to deliver their research within a 3 year 
period, and, according to a cybersecurity expert at Purdue University, 
in many cases grantees are required to show the progress of their 
research within 6 months. 

Although highly beneficial, short-term R&D, by definition, has limited 
focus and is not intended to independently tackle the more complex and 
fundamental problems related to cybersecurity, such as security 
problems related to the Internet's infrastructure. If the focus on 
cybersecurity R&D continues to be short-term and confined to our 
current technological environment, it may result in stunted research 
and growth, short-term fixes for systems, and networks that may not 
necessarily be developed with the most appropriate security. 

Lack of a Sufficient Information Technology Human Capital Skill Base: 

Legislation and several key reports have stressed the importance of 
having sufficient cybersecurity education programs and an ample supply 
of qualified cybersecurity professionals. Specifically, the Cyber 
Security Research and Development Act stated that the United States 
needs to expand and improve the pool of information security 
professionals, including researchers, in the workforce.[Footnote 24] 
In addition, the INFOSEC Research Council[Footnote 25] reported that 
it is important that the United States enhance cybersecurity academic 
education and training.[Footnote 26] In December 2008, the Center for 
Strategic and International Studies Commission on Cybersecurity for 
the 44TH Presidency reported that the federal government needs to 
increase the supply of skilled workers and to create a career path 
(including training and advancement) for cyberspace specialists in the 
federal government.[Footnote 27] Furthermore, one of the national 
Cybersecurity Coordinator's responsibilities is updating the national 
cybersecurity strategy, which addresses the cybersecurity human 
capital needs, among other things. 

While several federal programs intended to promote cybersecurity- 
related professions exist today--such as NSF's Pathways to Revitalize 
Undergraduate Computing Education program and DOD's Science, 
Mathematics and Research for Transformation Scholarship for Service 
program, which seek to develop a U.S. workforce with computing 
competencies--government officials and private sector experts agree 
that more can be done. For example, DHS officials indicated there is a 
shortage of cybersecurity R&D management officials. DOD officials 
indicated that more can be done to encourage personnel to pursue 
security degrees, and officials from DOE stated that it is very 
difficult to find highly qualified researchers with the requisite 
experience. Private sector experts voiced similar concerns, such as 
the need to cultivate talented people and the need for employees with 
more cybersecurity R&D experience. 

Government officials and cybersecurity experts suggested that several 
factors have contributed to the lack of human capital expertise in the 
area of cybersecurity R&D. For example, federal officials and 
cybersecurity experts suggested that unclear career paths in 
cybersecurity have contributed to the lack of a sufficient skill base. 
Another expert stated that colleges or universities do not have the 
appropriate tools and products to adequately teach cybersecurity to 
students. While it has been 7 years since The National Strategy to 
Secure Cyberspace articulated plans for improving training and 
creating certifications, human capital weaknesses still exist. 

Without obtaining information on the shortages in researchers in the 
cybersecurity field, it will be difficult for the national 
Cybersecurity Coordinator to update the national cybersecurity 
strategy with the appropriate cybersecurity human capital plans for 
addressing such weaknesses. 

No Mechanism in Place That Identifies All Cybersecurity R&D 
Initiatives and Funding: 

Congress has recognized the importance of making available information 
on federal R&D funding for coordinating federal research activities 
and improving collaboration among those conducting federal R&D. To 
improve the methods by which government information is organized, 
preserved, and made accessible to the public, the E-Government Act of 
2002 mandated that OMB ensure the development and maintenance of a 
governmentwide repository and Web site that integrates information 
about federally funded R&D, including R&D related to cybersecurity. 
[Footnote 28] The Director of OMB delegated this responsibility to NSF. 

As we have previously reported, NSF maintained a repository for 
federally funded R&D, known as the Research and Development in the 
U.S. (RaDiUS) database; however, the database was incomplete and not 
fully populated.[Footnote 29] Therefore, in 2006, we recommended that 
OMB issue guidance to agencies on reporting information about 
federally funded cybersecurity R&D projects to RaDiUS. OMB did not 
implement our recommendation. In 2008, the database was decommissioned 
because, according to a senior official at NSF, the data were 
incomplete, users had difficulty using it, and the database was built 
with antiquated technology. In March 2010, OMB officials stated that 
they are currently evaluating several repositories to replace RaDiUS 
as a centralized database to house all government-funded R&D programs, 
including cybersecurity R&D. While officials stated that they 
anticipate making a decision on a database by the end of fiscal year 
2010, officials were unable to specify when a database would be in 
place that tracks all cybersecurity R&D information. Additionally, it 
is not clear how this fits into the overall coordination efforts for 
which NITRD is responsible. 

Tracking funding that is allocated to classified R&D adds to the 
complexity of this challenge. For example, according to a DOD 
official, the majority of DOD's cybersecurity R&D is composed of 
either classified R&D or unclassified components of a program mixed 
with classified components, thereby rendering the entire program as 
classified. As such, it is difficult to identify the exact funding 
that is allocated to classified versus unclassified R&D. 

There is currently no mechanism in place that identifies all 
cybersecurity R&D initiatives governmentwide and associated funding. 
DHS officials stated that it would be helpful to have a clearinghouse 
that they could use to view what activities are already being 
conducted by the government. In addition, a private sector expert 
stated that having a centralized database in place would improve 
coordination between the public and private sectors. However, 
challenges to maintaining such a mechanism exist. For example, an OSTP 
official indicated that it is difficult to develop and enforce 
policies for identifying specific funding as R&D. Additionally, the 
level of detail to be disclosed is also a factor because national 
security must also be protected. 

However, without a mechanism to track all active and completed 
cybersecurity R&D initiatives, federal researchers and developers as 
well as private companies lack essential information about ongoing and 
completed R&D, thus increasing the likelihood of duplicative efforts, 
inefficient use of government funding, and lost collaboration 
opportunities. Additionally, without a complete understanding of how 
much each federal agency is spending on cybersecurity R&D, it may be 
difficult to make the appropriate resource allocation decisions. 

Conclusions: 

OSTP and NITRD have recently taken steps to try to improve the 
coordination and oversight of cybersecurity R&D. However, key 
challenges still exist, and, until these challenges are addressed, the 
United States may continue to struggle in protecting and securing its 
critical systems and networks. Specifically, the absence of a national 
cybersecurity R&D agenda and leadership increases the risk that 
efforts will not reflect national priorities, key decisions will be 
postponed, and federal agencies will lack overall direction for their 
efforts. Furthermore, without sufficient attention to complex, long-
term research projects and input on the current weaknesses and 
shortages in researchers in cybersecurity, the nation risks falling 
behind in cybersecurity and not being able to adequately protect its 
digital infrastructure. Finally, the lack of a mechanism to track all 
active and completed cybersecurity R&D initiatives and the lack of a 
process for sharing information among the public and private sectors 
may result in duplicative efforts or gaps in needed R&D. 

Recommendation for Executive Action: 

To help address the key cybersecurity R&D challenges, we are 
recommending that the Director of the Office of Science and Technology 
Policy, in conjunction with the national Cybersecurity Coordinator, 
direct the Subcommittee on Networking and Information Technology 
Research and Development to exercise its leadership responsibilities 
and take the following four actions: 

* Establish a comprehensive national R&D agenda by expanding on the 
CSIA IWG framework and ensure that it: 

- contains priorities for short-term, mid-term, and long-term complex 
cybersecurity R&D; 

- includes input from the private sector and academia; and: 

- is consistent with the updated national cybersecurity strategy (when 
available). 

* Identify and report shortages in researchers in the cybersecurity 
field to the national Cybersecurity Coordinator, which should be used 
to update the national cybersecurity strategy with the appropriate 
plans for addressing human capital weaknesses. 

* Establish a mechanism, in working with the Office of Management and 
Budget and consistent with existing law, to keep track of all ongoing 
and completed federal cybersecurity R&D projects and associated 
funding, to the maximum extent possible without jeopardizing national 
security. 

* Utilize the newly established tracking mechanism to develop an 
ongoing process to make federal R&D information available to federal 
agencies and the private sector. 

Agency Comments and Our Evaluation: 

We received written comments on a draft of this report, which were 
transmitted via e-mail by OSTP's Assistant Director for Information 
Technology R&D. We also received written comments from the Director of 
NIST. Letters from these agencies are reprinted in appendixes II and 
III. In addition, we received comments from a Senior Science Advisor 
from NSF and technical comments from the Director of the Departmental 
Audit Liaison from DHS, via e-mail. Additionally, representatives from 
DOE indicated via e-mail that they reviewed the draft report and did 
not have any comments. Officials from DOD and OMB did not respond to 
our request for comments. 

The Assistant Director for Information Technology R&D from OSTP agreed 
with our recommendation and provided details on the office's plans and 
actions to address our recommendation. For example, to address the 
part of the recommendation to establish a comprehensive national R&D 
agenda, OSTP has begun updating its current 5-year plan for 
cybersecurity R&D. Additionally, to address the portion of the 
recommendation to identify and report shortages in researchers in the 
cybersecurity field, NITRD officials plan to provide an assessment of 
these shortages as part of their annual planning and review processes. 
The Assistant Director for Information Technology R&D also indicated 
that OSTP did not concur with certain findings within our report; 
however, he did not provide any additional information. 

The Director of NIST indicated that he agreed with our recommendation. 
However, he stated NIST officials recommended that we make two changes 
to the draft report. First, the officials believe that OSTP and NITRD 
are coordinating research activities and working with the federal 
government research community to identify a research strategy that 
meets critical future needs in cybersecurity. We acknowledge in the 
report that NITRD facilitates several activities, such as hosting 
monthly meetings in which agencies discuss their initiatives and 
compiling all of its participating agencies' cybersecurity R&D efforts 
and budgets. We also acknowledge that NITRD hosted the National Cyber 
Leap Year Summit in August 2009, which aimed to bring together 
researchers and developers from the private and public sectors. 
Nevertheless, as we state in the report, NITRD is not leading agencies 
in a strategic direction toward a cybersecurity agenda. Second, 
officials requested that we add a sentence that officials from NIST 
believe that a prioritized research strategy is evolving and agencies 
will base their research agenda on this strategy and their mission 
needs. We acknowledge in the report that NITRD is currently working on 
developing a framework that focuses on three main cybersecurity R&D 
themes. NITRD officials expect the framework to be finalized in time 
for the 2012 budget submission. However, these themes do not cover all 
of the priorities that should be included in a national cybersecurity 
R&D agenda. 

Regarding comments from NSF's Senior Science Advisor, she indicated 
that she generally agreed with our recommendation. The Senior Science 
Advisor and the Departmental Audit Liaison from DHS provided technical 
comments, which have been incorporated in the report where appropriate. 

As arranged with your offices, unless you publicly announce the 
contents of this report earlier, we plan no further distribution until 
30 days from the report date. At that time, we will be sending copies 
of this report to interested congressional committees; the Secretaries 
of Homeland Security, Defense, Energy, and Commerce; the Directors of 
the Office of Science and Technology Policy, Office of Management and 
Budget, and National Science Foundation; and other interested parties. 
In addition, the report will be available at no charge on GAO's Web 
site at [hyperlink, http://www.gao.gov]. 

If you or your staffs have any questions on the matters discussed in 
this report, please contact David A. Powner at (202) 512-9286 or 
pownerd@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or 
wilshuseng@gao.gov. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. GAO staff who made major contributions to this report are 
listed in appendix IV. 

Signed by: 

David A. Powner: 
Director, Information Technology Management Issues: 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

The objective of our review was to determine the key challenges to 
enhancing national-level cybersecurity research and development (R&D) 
efforts among the federal government and private companies. 

To identify the key agencies involved in federal cybersecurity R&D, we 
researched several cybersecurity R&D-related documents, including the 
President's Information Technology Advisory Committee 2005 report, the 
Subcommittee on Networking and Information Technology Research and 
Development's (NITRD) Cyber Security and Information Assurance Working 
Group's 2006 Federal Plan for Cyber Security and Information Assurance 
R&D, the Institute for Information Infrastructure Protection 2009 
Report, and the National Security and Homeland Security Councils' 
Cyberspace Policy Review. We also reviewed NITRD's 2010 Supplement to 
the President's Budget, which lists key agencies that fund and conduct 
cybersecurity R&D, and a previous GAO report[Footnote 30] to identify 
the agencies that provide high-level oversight. These agencies include 
the Departments of Defense, Energy, and Homeland Security; the 
National Institute of Standards and Technology; the National Science 
Foundation; the Office of Management and Budget; and the Office of 
Science and Technology Policy. 

To identify private sector organizations with a major role in 
cybersecurity R&D, we consulted and interviewed cybersecurity experts 
in the information technology (IT) and communication sectors. We 
developed a list of companies through the membership lists of IT and 
communication private sector councils, which are composed of a wide 
range of companies that specialize in these areas. We narrowed down 
the list by asking each company whether they conduct cybersecurity R&D 
and whether they would be willing to speak to us about their 
cybersecurity R&D priorities, as well as their views on what role the 
government should be playing in the cybersecurity R&D arena. Those 
that responded positively to our questions consisted of 18 companies 
that we included in our review. We also identified 9 additional 
private sector and academic organizations. We selected these experts 
on the basis of those we have consulted in previous reviews or who 
were recommended to us by other experts. Additionally, we identified 
other academic experts from our Executive Council for Information 
Management and Technology, which is composed of public-and private-
sector IT management experts who assist us in obtaining different 
perspectives on current IT management and policy issues. We included 
the following industry and academic entities in our review: 

Alcatel-Lucent: 
AT&T: 
Carnegie Mellon University: 
Digital Intelligence: 
Google: 
IBM Corporation: 
Information Security Forum: 
Information Technology Sector Coordinating Council: 
In-Q-Tel: 
Intel Corporation: 
Lumeta Corporation: 
McAfee, Inc. 
Microsoft: 
Net Witness: 
Neustar: 
Purdue University: 
Oracle Corporation: 
Raytheon BBN Technologies: 
Renesys StrongAuth, Inc. 
Symantec: 
University at Albany, Center for Technology in Government: 
Verizon Business: 

Three of the 27 academic and private organizations asked us not to 
include their names in our report, and one expert was a private sector 
consultant who was a former director of the National Coordination 
Office. 

To identify key challenges to enhancing national-level cybersecurity 
R&D efforts, we analyzed documentation, such as agencies' research 
plans and cybersecurity reports, and interviewed federal officials and 
industry experts. We then aggregated the identified challenges and 
validated the top challenges by asking the experts to rank the 
challenges in order of importance. 

In addition, we analyzed relevant federal law and policy, including 
the National Strategy to Secure Cyberspace, the High-Performance 
Computing Act of 1991, the E-Government Act of 2002, the Cyber 
Security Research and Development Act, the Next Generation Internet 
Research Act of 1998, and Homeland Security Presidential Directive 7. 
We also reviewed prior GAO reports. 

We conducted this performance audit from June 2009 to June 2010, in 
accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objective. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objective. 

[End of section] 

Appendix II: Comments from the Office of Science and Technology Policy: 

Executive Office Of The President: 
Office Of Science And Technology Policy: 
Washington, DC 20502: 

Response to GAO Report 10-466, Cybersecurity: 

Overall Response: While the Office of Science and Technology Policy 
(OSTP) can not concur with certain of the findings in GAO-I 0-466, 
current OSTP actions and plans are in line with GAO's Recommendations 
for Executive Action and the Office can fully support these 
recommendations. 

Response to GAO Recommendations for Executive Action: The four GAO 
recommendations for Executive Action are paraphrased in italics below 
followed by OSTP comments in plain text. 

(1) Establish a comprehensive national R&D agenda by expanding on the 
CSIA IWG framework. 

The current 5-year plan for cybersecurity R&D — entitled "Federal Plan 
for Cyber Security and Information Assurance Research and 
Development" — is available online at [hyperlink, 
http://www.nitrd.gov/pubs/csia/csia_federal_plan.pdf]. This plan is 
being updated in three phases as follows. 

First, the Networking and Information Technology Research and 
Development (NITRD) Program is developing a program-wide strategic 
plan covering all areas of networking and information technology, 
including cybersecurity. A full draft of the plan is expected to be 
available for comments in the coming months. 

Second, NITRD's Cybersecurity and Information Assurance (CSIA) working 
group, the Senior Steering Group for Cybersecurity (SSG), and the 
Special Cyber Operations Research and Engineering group (SCORE; a 
joint OSTP, ODNI effort) are developing a game-change R&D strategy 
that responds to the leap-ahead goals of the Comprehensive National 
Cybersecurity Initiative (CNCI) and the innovation goals of the 
President's Cyberspace Policy Review. The three game-changing R&D 
themes that emerged from the National Cyber Leap Year process will be 
released for public input in the next few days. 

Third, CSIA and SCORE will work together in the coming months to 
revise the previous 5-year plan. The revised plan will be guided by 
the new NITRD-wide strategic plan, embrace the current game-change R&D 
goals and expand on the game-change process, and complement the game-
change approach (focused on current and emerging threats) with a 
strong foundation of basic research and development to address the 
unanticipated threats and new technologies of tomorrow. 

(2) Identify, and report shortages in researchers in the cybersecurity 
field to the National Cybersecurity Coordinator. 

The Information and Communications Infrastructure Interagency Policy 
Committee (ICI-IPC) has recently developed a National Initiative for 
Cybersecurity Education (NICE; the initiative plan is available at: 
[hyperlink, 
http://www.whitehouse.gov/sites/default/files/rssviewer/cybersecuritynic
eeducation.pdt]).The Initiative responds to the CNCI education and 
workforce elements and the Building Capacity for a Digital Nation 
goals of the President's Cyberspace Policy Review. The initiative 
reports to the ICI-IPC and the President's Cybersecurity Coordinator. 
A key goal in this initiative is to ensure the nation has a robust 
workforce of cybersecurity professionals, including researchers. The 
CSIA and SCORE groups will support this effort by providing an 
assessment of shortages in the cybersecurity research population as 
part of their annual planning and review processes. 

(3) Establish a mechanism...to keep track of all ongoing and completed 
federal cybersecurity R&D projects and associated finding; and; 

(4) Utilize the mechanism to develop an ongoing process to make 
federal R&D information available to federal agencies and the private 
sector. 

As part of its Open Government efforts, the N1TRD Program has been 
exploring ways to make its activities more transparent, participatory, 
and collaborative. A first step has been to make all 20 years of its 
funding information easily available online (see [hyperlink, 
http://www.nitrd.goviOpen/Index.aspx]). The Program, with leadership 
from the National Science Foundation and in cooperation with OSTP and 
the Office of Management and Budget (OMB), is exploring mechanisms for 
providing an R&D funding dashboard. The dashboard is envisioned to 
cover cybersecurity R&D as well as other areas of Federal networking 
and information technology research and development. 

[End of section] 

Appendix III: Comments from the National Institute of Standards and 
Technology: 

United States Department Of Commerce: 
Office Of The Director: 
National Institute of Standards and Technology: 
Gaithersburg, Maryland 20899-0001: 

May 4, 2010: 

Memorandum For: 
Shannin O'Neill: 
Assistant Director, Information Technology: 
United States Government Accountability Office: 
Washington, D.C. 20548: 

From: {Signed by] Patrick Gallagher: 
Director: 

Subject: Comments on Government Accountability Office (GAO) Draft 
Report Entitled "Cybersecurity: Key Challenges Need to Be Addressed to 
Improve Research and Development" (GAO-10-466). 

This is in response to your draft report dated June 2010 entitled 
"Cybersecurity: Key Challenges Need to Be Addressed to Improve 
Research and Development" (GA0-10-466). Thank you for the opportunity 
to review and comment on this draft. 

We agree with the report's recommendation that "the Office of Science 
and Technology Policy (OSTP) direct the Subcommittee on Networking and 
Information Technology Research and Development (NITRD) to exercise 
its leadership responsibilities by taking several actions, including 
developing a national agenda, establishing a mechanism to keep track 
of federal cybersecurity research and development (R&D) funding, and 
utilizing the mechanism to develop a process to make federal R&D 
information available." 

Staff members from the Information Technology Laboratory (ITL) 
Computer Security Division (CSD), have reviewed the draft of the 
report and recommend the changes listed below: 

1. As we have previously stated during the Exit Conference, this 
report creates the impression that there is little leadership, 
coordination, and planning in the Federal government for cybersecurity 
research and development. We believe that OSTP and NITRD are 
coordinating research activities and working with the Federal 
government research community to identify a research strategy that 
meets the critical future needs in cyber space. 

2. Page 13. Change the first full paragraph to read "The aggregated 
ranked responses from 24 cybersecurity R&D private and academic 
experts we contacted indicate that the lack of a prioritized national 
R&D agenda is the top challenge that they believe should be addressed. 
However, officials from NIST believe that a prioritized research 
strategy is evolving and agencies will base their research agenda on 
using this strategy and its mission needs." 

We are looking forward to receiving your final report. Please contact 
Rachel Kinney on (301) 975-8707 should you have any questions 
regarding this response. 

[End of section] 

Appendix IV: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

David A. Powner at (202) 512-9286 or pownerd@gao.gov Gregory C. 
Wilshusen at (202) 512-6244 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the contacts named above, the following staff also made 
key contributions to this report: Shannin O'Neill, Assistant Director; 
Rebecca Alvarez; Jamey Collins; Eric Costello; Min Hyun; Sairah Ijaz; 
Kendrick Johnson; Anjalique Lawrence; Lee McCracken; and Kevin Walsh. 

[End of section] 

Footnotes: 

[1] A vulnerability is a flaw or weakness in hardware or software that 
can be exploited, resulting in a violation of an implicit or explicit 
security policy. 

[2] GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 
2009). 

[3] Cybersecurity refers to the defense against attacks on the 
information technology infrastructure of an organization or, in this 
case, of the federal government and agencies. Cybersecurity is 
intertwined with the physical security of assets--from computers, 
networks, and their infrastructure to the environment surrounding 
these systems. While both parts of security are necessary to achieve 
overall security, this report focuses on protecting software and data 
from attacks that are electronic in nature and that typically arrive 
over a data communication link. Cybersecurity is a major concern of 
both the federal government and the private sector. 

[4] The White House, National Security Presidential Directive 
54/Homeland Security Presidential Directive 23 (Washington, D.C.: Jan. 
8, 2008). 

[5] GAO, Cybersecurity: Progress Made but Challenges Remain in 
Defining and Coordinating the Comprehensive National Initiative, 
[hyperlink, http://www.gao.gov/products/GAO-10-338] (Washington, D.C.: 
Mar. 5, 2010). 

[6] The National Infrastructure Protection Plan, which was published 
in 2006 and revised in 2009, defines the organizational structures 
that provide the framework for coordination of critical infrastructure 
protection efforts at all levels of government as well as within and 
across private-sector-specific councils. These coordinating councils 
are composed of the representatives of owners and operators, generally 
from the private sector. 

[7] Examples of the problems identified by DHS include the following: 
scalable trustworthy systems, enterprise-level metrics, combating 
insider threats, global-scale identity management, situational 
understanding and attack attribution, privacy-aware security, and 
usable security. 

[8] Budget figures provided to NITRD by agencies to include in its 
annual supplement to the President's budget do not include funding for 
classified R&D projects. 

[9] The White House, The National Strategy to Secure Cyberspace 
(Washington, D.C.: February 2003). 

[10] President's Information Technology Advisory Committee, Cyber 
Security: A Crisis of Prioritization (Arlington, Va.: Feb. 28, 2005). 

[11] President's Council of Advisors on Science and Technology, 
Leadership Under Challenge: Information Technology R&D in a 
Competitive World (Washington, D.C.: Aug. 10, 2007). 

[12] Center for Strategic and International Studies, Securing 
Cyberspace for the 44th Presidency: A Report of the CSIS Commission on 
Cyber Security for the 44th Presidency (Washington, D.C.: December 
2008). 

[13] The Institute for Information Infrastructure Protection is a 
national consortium of academic institutions, federally funded labs, 
and nonprofit organizations dedicated to strengthening the cyber 
infrastructure of the United States. 

[14] The National Security Council and the Homeland Security Council, 
Cyberspace Policy Review: Assuring a Trusted and Resilient Information 
and Communications Infrastructure (Washington, D.C.: May 29, 2009). 

[15] GAO, Information Security: Coordination of Federal Cyber Security 
Research and Development, [hyperlink, 
http://www.gao.gov/products/GAO-06-811] (Washington, D.C.: Sept. 29, 
2006). 

[16] GAO, National Cybersecurity Strategy: Key Improvements Are Needed 
to Strengthen the Nation's Posture, [hyperlink, 
http://www.gao.gov/products/GAO-09-432T] (Washington, D.C.: Mar. 10, 
2009). 

[17] [hyperlink, http://www.gao.gov/products/GAO-06-811]. 

[18] Experts from 3 of the 27 private sector organizations and 
academic institutions did not respond to our request to rank the 
challenges. 

[19] See, for example, GAO, Results-Oriented Government: Practices 
That Can Help Enhance and Sustain Collaboration among Federal 
Agencies, [hyperlink, http://www.gao.gov/products/GAO-06-15] 
(Washington, D.C.: Oct. 21, 2005); and Internet Infrastructure: DHS 
Faces Challenges in Developing a Joint Public/Private Recovery Plan, 
[hyperlink, http://www.gao.gov/products/GAO-06-672] (Washington, D.C.: 
June 16, 2006). 

[20] For more information on GAO reports and recommendations related 
to information sharing, see GAO, Information Sharing: Practices That 
Can Benefit Critical Infrastructure Protection, [hyperlink, 
http://www.gao.gov/products/GAO-02-24] (Washington, D.C.: Oct. 15, 
2001); Critical Infrastructure Protection: Improving Information 
Sharing with Infrastructure Sectors, [hyperlink, 
http://www.gao.gov/products/GAO-04-780] (Washington, D.C.: July 09, 
2004); High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-05-207] (Washington, D.C.: January 
2005); Critical Infrastructure Protection: Department of Homeland 
Security Faces Challenges in Fulfilling Cybersecurity 
Responsibilities, [hyperlink, http://www.gao.gov/products/GAO-05-434] 
(Washington, D.C.: May 26, 2005); and Cyber Analysis and Warning: DHS 
Faces Challenges in Establishing a Comprehensive National Capability, 
[hyperlink, http://www.gao.gov/products/GAO-08-588] (Washington, D.C.: 
July 31, 2008). 

[21] The IT-SCC R&D working group's proposal consists of establishing 
a repeatable process in which the private sector and government would, 
among other things, identify gaps between R&D initiatives and 
priorities in the public and private sectors. The gap analysis would 
be developed by both sectors sharing their current R&D activities; 
infrastructure risks, threats, and vulnerabilities; and known 
conditions (e.g., integrity of software code and pieces of the 
infrastructure that are not inherently secure). It was proposed that 
this work would result in a published document that would articulate 
R&D priorities and a roadmap and would be updated on a regular basis. 

[22] [hyperlink, http://www.gao.gov/products/GAO-06-811]. 

[23] DOD's National Cyber Range is a testing environment for 
cybersecurity researchers to assist in producing qualitative and 
quantitative assessments of various cybersecurity technologies and 
scenarios. This was developed under CNCI. 

[24] 15 U.S.C. § 7401(5)(B). 

[25] The INFOSEC Research Council consists of government sponsors of 
information security research from DOD, the intelligence community, 
and federal civil agencies. The council aims to provide its membership 
with a communitywide forum to discuss critical information security 
issues, convey the research needs of their respective communities, and 
describe current research initiatives and proposed courses of action 
for future research investments. 

[26] INFOSEC Research Council, Hard Problems List (November 2005). 

[27] Securing Cyberspace for the 44TH Presidency: A Report of the CSIS 
Commission. 

[28] Pub. L. No. 107-347, § 207(g)(1)(A), 116 Stat. 2899, 2919-21 
(Dec. 17, 2002). 

[29] [hyperlink, http://www.gao.gov/products/GAO-06-811]. 

[30] GAO, Information Security: Coordination of Federal Cyber Security 
Research and Development, [hyperlink, 
http://www.gao.gov/products/GAO-06-811] (Washington, D.C.: Sept. 29, 
2006). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: