The federal government is facing a number of challenges in its efforts to meet objectives set forth in the recently partially declassified Comprehensive National Cybersecurity Initiative (CNCI), according to a report released on Friday from the Government Accountability Office (GAO).
The GAO was asked by Congress to determine what actions have been taken to plan CNCI activities and what challenges the government faces in achieving the initiative's objectives. The CNCI, a program that began in 2008 under the Bush administration to help secure the United States in cyberspace, consists of 12 projects aimed at reducing vulnerabilities, protecting against intrusions, and anticipating future threats against federal executive branch information systems.
Currently, the White House and federal agencies have made progress in their efforts to plan and coordinate CNCI activities, but one of the hurdles they are facing is that federal agencies have overlapping and uncoordinated responsibilities for cybersecurity, the report states.
As an example, Melissa Hathaway, the former acting White House cybersecurity policy adviser, told the GAO that federal agencies had an ad hoc, uncoordinated response to a July 2009 distributed denial-of-service attack against government websites.
In addition, the report states that there are several cybersecurity response centers, including the National Cyber Security Center (NCSC) and another within the Department of Homeland Security, which have many of the same responsibilities for coordinating the federal response to cybersecurity incidents.
Another issue detailed in the report is that federal agencies have not yet developed measures of effectiveness in meeting the goals of the CNCI. They have begun to develop measures for information security, but these have not yet been applied to the initiative.
Also, individuals within the government have not reached an agreement on the scope of education efforts, the report states. Specifically, they have not come to an agreement as to whether public awareness should be included as part of the initiative or whether they should remain focused on creating a cyber workforce.
Overall, the initiative has not been transparent, which has hindered both coordination with the private sector and accountability to the public, the report states. Currently, just a few elements of the CNCI have been made public, including an outline of the initiative that was declassified last week and presented by Howard Schmidt, White House cybersecurity coordinator, at the RSA Conference in San Francisco.
Separate from the CNCI, the federal government faces additional challenges in securing its information systems, the report states. For example, the government does not have a formal strategy for coordinating outreach to international entities for the purposes of standards setting, law enforcement or information sharing, the GAO found. The government also lacks a plan for identity management and authentication efforts.
The GAO recommended that the federal Office of Management and Budget (OMB) address each of the six challenges that were identified, or the goals set forth in the CNCI will not be fully met, the report states.
In a letter sent to the GAO in response to the report, federal CIO Vivek Kundra said the federal Office of Management and Budget agreed with all the recommendations in the report, except the one stating that there need to be better-defined roles and responsibilities for agencies participating in the CNCI.
“The roles and responsibilities of agencies participating in the CNCI are clearly defined,” he said.
Kundra said the government's response to the July cyberattack was not an activity that fell under the roles of the CNCI. In addition, he said the NCSC's role is to assist with situational awareness across the government and private sector, while the other cybersecurity response centers are responsible for carrying out operational incident response duties.
On the positive side, the GAO report states that the federal government has established several interagency working groups to coordinate CNCI activities, one of which carried out the initial brainstorming and information-gathering for the establishment of the initiative. Another presented final plans to the president, and a third serves as the focal point for monitoring and coordinating projects.