Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development
Highlights
Computer networks and infrastructures, on which the United States and much of the world rely to communicate and conduct business, contain vulnerabilities that can leave them susceptible to unauthorized access, disruption, or attack. Investing in research and development (R&D) is essential to protect critical systems and to enhance the cybersecurity of both the government and the private sector. Federal law has called for improvements in cybersecurity R&D, and, recently, President Obama has stated that advancing R&D is one of his administration's top priorities for improving cybersecurity. GAO was asked to determine the key challenges in enhancing national-level cybersecurity R&D efforts among the federal government and private companies. To do this, GAO consulted with officials from relevant federal agencies and experts from private sector companies and academic institutions as well as analyzed key documents, such as agencies' research plans.
Several major challenges impede efforts to improve cybersecurity R&D. Among the most critical challenges are the following: 1) Establishing a prioritized national R&D agenda. While R&D that is in support of specific agencies' missions is important, it is also essential that national research efforts be strategically guided by an ordered set of national-level R&D goals. Additionally, it is critical that cyberspace security research efforts are prioritized across all sectors to ensure that national goals are addressed. Accordingly, the National Strategy to Secure Cyberspace recommended that the Office of Science and Technology Policy (OSTP) coordinate the development of an annual cybersecurity research agenda that includes near-term (1-3 years), mid-term (3-5 years), and long-term (5 years or longer) goals. Although OSTP has taken initial steps toward developing such an agenda, one does not currently exist. OSTP and Office of Management and Budget officials stated that they believe an agenda is contained in existing documents; however, these documents are either outdated or lack appropriate detail. Without a current national cybersecurity R&D agenda, the nation is at risk that agencies and private sector companies may focus on their individual priorities, which may not be the most important national research priorities. 2) Strengthening leadership. While officials within OSTP's Subcommittee on Networking and Information Technology Research and Development (NITRD)--a multiagency coordination body that is primarily responsible for providing leadership in coordinating cybersecurity R&D--have played a facilitator role in coordinating cybersecurity R&D efforts within the federal government, they have not led agencies in a strategic direction. NITRD's lack of leadership has been noted by many experts as well as by a presidential advisory committee that reported that federal cybersecurity R&D efforts should be focused, coordinated, and overseen by a central body. Until NITRD exercises its leadership responsibilities, federal agencies will lack overall direction for cybersecurity R&D. 3) Tracking R&D fundingand establishing processes for the public and private sectors to share key R&D information. Despite a congressional mandate to develop a governmentwide repository that tracks federally funded R&D, including R&D related to cybersecurity, such a repository is not currently in place. Additionally, the government does not have a process to foster the kinds of relationships necessary for coordination between the public and private sectors. While NITRD hosted a major conference last year that brought together public, private, and academic experts, this was a one-time event, and, according to experts, next steps remain unclear. Without a mechanism to track all active and completed cybersecurity R&D initiatives, federal researchers and developers as well as private companies lack essential information about ongoing and completed R&D. Moreover, without a process for industry and government to share cybersecurity R&D information, the nation is at risk of having unforeseen gaps. GAO is recommending that the Director of OSTP direct NITRD to exercise its leadership responsibilities by taking several actions, including developing a national agenda, and establishing and utilizing a mechanism to keep track of federal cybersecurity R&D funding. OSTP agreed with GAO's recommendation and provided details on planned actions. GAO recommends that TSA establish milestones for a staffing study, verify the accuracy of all reported screening data, develop a contingency plan for screening domestic cargo, and develop plans for meeting the mandate as it applies to inbound cargo. TSA partially concurred with verifying screening data and did not concur with developing a contingency plan because it did not believe such actions were feasible. GAO believes these recommendations remain valid, as discussed in this report. TSA agreed with all other recommendations.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Science and Technology Policy | To help address the key cybersecurity R&D challenges, the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, should direct the Subcommittee on Networking and Information Technology Research and Development to exercise its leadership responsibilities and establish a comprehensive national R&D agenda by expanding on the CSIA IWG framework and ensure that it 1) contains priorities for short-term, mid-term, and long-term complex cybersecurity R&D; 2) includes input from the private sector and academia; and 3) is consistent with the updated national cybersecurity strategy (when available). |
In December 2011, the National Science and Technology Council issued the Trustworthy Cyberspace: Strategic Plan for Federal Cybersecurity Research and Development Program. This strategy included input from the private sector and academia and it included near-term, mid-term, and long-term milestones for four primary areas of focus including inducing change, developing scientific foundations, maximizing research impact, and accelerating transition to practice. While an updated national cybersecurity strategy does not yet exist, in February 2013, the President released Presidential Policy Directive 21--Critical Infrastructure Security and Resilience. Consistent with the Strategic Plan for Federal Cybersecurity Research and Development, the directive emphasized the need for innovative cybersecurity research and development. Specifically, it set forth specific priorties, such as facilitating research and development initiatives to incentivize cybersecurity investments. As a result, federal agencies and the private sector are more likely to focus on the most important national cybersecurity research priorities.
|
Office of Science and Technology Policy | To help address the key cybersecurity R&D challenges, the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, should direct the Subcommittee on Networking and Information Technology Research and Development to exercise its leadership responsibilities and identify and report shortages in researchers in the cybersecurity field to the national Cybersecurity Coordinator, which should be used to update the national cybersecurity strategy with the appropriate plans for addressing human capital weaknesses. |
In September 2010, the Office of Personnel and Management (OPM) launched a government-wide cybersecurity survey to identify shortages in researchers in the cybersecurity field. In July 2013, in collaboration with the Office of Science and Technology Policy (OSTP) and others, OPM initiated a special cybersecurity workforce project to, among other things, identify and report on cybersecurity researcher shortages. For example, these groups are building a statistical data set of existing and future cybersecurity positions in the OPM Enterprise Human Resources Integration data warehouse. As a result of these efforts, OSTP, OPM and others will have access to specific information to address shortages of cybersecurity researchers.
|
Office of Science and Technology Policy | To help address the key cybersecurity R&D challenges, the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, should direct the Subcommittee on Networking and Information Technology Research and Development to exercise its leadership responsibilities and establish a mechanism, in working with the Office of Management and Budget and consistent with existing law, to keep track of all ongoing and completed federal cybersecurity R&D projects and associated funding, to the maximum extent possible without jeopardizing national security. |
In response to our recommendation, the Office of Science and Technology Policy (OSTP) issued a memorandum in February 22, 2013 that requires that the results of federally funded scientific research be made available to the public, industry, and the scientific communities. Specifically, the memo states that federal agencies that invest in research and development, should create plans to enable public access to their federally funded research and digital scientific data. As a mechanism to achieve that objective, the memo suggests that repositories could be maintained by the Federal agency funding the research, through an arrangement with other Federal agencies, or through other parties working in partnership with the agency including, but not limited to, scholarly and professional associations, publishers and libraries.
|
Office of Science and Technology Policy | To help address the key cybersecurity R&D challenges, the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, should direct the Subcommittee on Networking and Information Technology Research and Development to exercise its leadership responsibilities and utilize the newly established tracking mechanism to develop an ongoing process to make federal R&D information available to federal agencies and the private sector. |
In response to our recommendation, the Office of Science and Technology Policy (OSTP) issued a memorandum dated February 22, 2013 that requires that the results of federally funded scientific research be made available to the public, industry, and the scientific communities. The memo states that federal agencies that invest in research and development should create plans to enable public access to their federally funded research and digital scientific data. As a result, public and private sector access to federal research and development information should be greatly enhanced.
|