GAO releases report on cybersecurity strategy

This week the Government Accountability Office (GAO) released a report urging the White House Office of Science and Technology Policy (OSTP) to come up with a clear and comprehensive cybersecurity R&D strategy. The report, prepared at the request of the House Committee on Homeland Security, called upon OSTP to show more leadership in the creation of an R&D plan.

There’s been some press coverage of the report. Here’s a good snippet from Infoweek:

“The report notes that officials within the White House’s Office of Science and Technology Policy’s Subcommittee on Networking and Information Technology (NITRD) are endowed with a leadership role in terms of coordinating cybersecurity R&D efforts, they haven’t taken advantage of that role. Despite GAO recommendations and responsibilities laid out in legislation, NITRD has never prioritized a national or federal R&D agenda.”

“The report recommends that the White House follow the Bush administration’s National Strategy to Secure Cyberspace, which urged the creation of near-term, mid-term and long-term goals for cybersecurity R&D. The report notes that OSTP is only in the beginning stages of creating such an agenda and updating its 5-year plan for cybersecurity R&D.”

These conclusions about NITRD’s role aren’t surprising. The computing research community has had long-standing concerns about the ability of the NITRD NCO to exercise a leadership role in coordinating the federal IT R&D investment. A big part of that inability to lead comes down to the NCO’s lack of budgetary authority, but that’s a reality of the federal budget process — there’s no way federal agencies will cede control of a piece of their budgets to some central coordinating office (other than OMB). As a result, NITRD becomes less about leadership and coordination and more about agencies reporting what they plan to do and the NCO collecting that information.

It will be interesting to see whether the PCAST’s new look at NITRD, now underway and due in late August or September, will address these cybersecurity concerns. That review is being shepherded by PCAST members Eric Schmidt, CEO of Google, and Shirley Ann Jackson, President of RPI, and driven by a subcommittee led by Ed Lazowska, Chair of CRA’s Computing Community Consortium and professor of computer science at the University of Washington, and David E. Shaw, head of D.E. Shaw and Co. (We’ll have more on the PCAST study in a later post…).
