National Cybersecurity Strategy
Key Improvements Are Needed to Strengthen the Nation's Posture
GAO ID: GAO-09-432T, March 10, 2009
GAO-09-432T, National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen the Nation's Posture
This is the accessible text file for GAO report number GAO-09-432T
entitled 'National Cybersecurity Strategy: Key Improvements Are Needed
to Strengthen the Nation's Posture' which was released on March 10,
2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Subcommittee on Emerging Threats, Cybersecurity, and Science
and Technology, Committee on Homeland Security, House of
Representatives.
United States Government Accountability Office:
GAO:
For Release on Delivery:
Expected at 2:00 p.m. DST:
Tuesday, March 10, 2009:
National Cybersecurity Strategy:
Key Improvements Are Needed to Strengthen the Nation's Posture:
Statement of David Powner,
Director, Information Technology Management Issues:
GAO-09-432T:
GAO Highlights:
Highlights of GAO-09-432T, a testimony to the Subcommittee on Emerging
Threats, Cybersecurity, and Science and Technology, Committee on
Homeland Security, House of Representatives.
Why GAO Did This Study:
Pervasive and sustained computer-based (cyber) attacks against federal
and private-sector infrastructures pose a potentially devastating
impact to systems and operations and the critical infrastructures that
they support. To address these threats, President Bush issued a 2003
national strategy and related policy directives aimed at improving
cybersecurity nationwide. Congress and the Executive Branch, including
the new administration, have subsequently taken actions to examine the
adequacy of the strategy and identify areas for improvement.
Nevertheless, GAO has identified this area as high risk and has
reported on needed improvements in implementing the national
cybersecurity strategy.
In this testimony, you asked GAO to summarize (1) key reports and
recommendations on the national cybersecurity strategy and (2) the
views of experts on how to strengthen the strategy. In doing so, GAO
relied on its previous reports related to the strategy and conducted
panel discussions with key cybersecurity experts to solicit their views
on areas for improvement.
What GAO Found:
Over the last several years, GAO has consistently reported that the
Department of Homeland Security (DHS) has yet to fully satisfy its
responsibilities designated by the national cybersecurity strategy. To
address these shortfalls, GAO has made about 30 recommendations in key
cybersecurity areas including the 5 listed in the table below. While
DHS has since developed and implemented certain capabilities to satisfy
aspects of its cybersecurity responsibilities, it still has not fully
satisfied the recommendations, and thus further action needs to be
taken to fully address these areas.
Table: Key Cybersecurity Areas Identified by GAO as Needing Further
Action:
1. Bolstering cyber analysis and warning capabilities.
2. Completing actions identified during cyber exercises.
3. Improving cybersecurity of infrastructure control systems.
4. Strengthening DHS's ability to help recover from Internet
disruptions.
5. Addressing cybercrime.
Source: GAO analysis of prior GAO reports.
[End of table]
In discussing the areas addressed by GAO's recommendations as well as
other critical aspects of the strategy, GAO's panel of cybersecurity
experts identified 12 key areas requiring improvement (see table
below). GAO found these to be largely consistent with its reports and
its extensive research and experience in the area.
Table: Key Strategy Improvements Identified by Cybersecurity Experts:
1. Develop a national strategy that clearly articulates strategic
objectives, goals, and priorities.
2. Establish White House responsibility and accountability for leading
and overseeing national cybersecurity policy.
3. Establish a governance structure for strategy implementation.
4. Publicize and raise awareness about the seriousness of the
cybersecurity problem.
5. Create an accountable, operational cybersecurity organization.
6. Focus more actions on prioritizing assets, assessing
vulnerabilities, and reducing vulnerabilities than on developing
additional plans.
7. Bolster public/private partnerships through an improved value
proposition and use of incentives.
8. Focus greater attention on addressing the global aspects of
cyberspace.
9. Improve law enforcement efforts to address malicious activities in
cyberspace.
10. Place greater emphasis on cybersecurity research and development,
including consideration of how to better coordinate government and
private sector efforts.
11. Increase the cadre of cybersecurity professionals.
12. Make the federal government a model for cybersecurity, including
using its acquisition function to enhance cybersecurity aspects of
products and services.
Source: GAO analysis of opinions solicited during expert panels.
[End of table]
Until GAO's recommendations are fully addressed and the above
improvements are considered, our nation's federal and private-sector
infrastructure systems remain at risk of not being adequately
protected. Consequently, in addition to fully implementing GAO's
recommendations, it is essential that the improvements be considered by
the new administration as it begins to make decisions on our nation's
cybersecurity strategy.
What GAO Recommends:
GAO has previously made about 30 recommendations, mostly directed at
DHS, to improve our nation's cybersecurity strategy efforts. DHS in
large part has concurred with GAO's recommendations and, in many cases,
has actions planned and under way to implement them.
View [hyperlink, http://www.gao.gov/products/GAO-09-432T] or key
components. For more information, contact David A. Powner at (202) 512-
9286 or pownerd@gao.gov.
[End of section]
Madam Chair and Members of the Subcommittee:
Thank you for the opportunity to join in today's hearing to discuss
efforts to protect our nation from cybersecurity threats. Pervasive and
sustained computer-based (cyber) attacks against the United States and
others continue to pose a potentially devastating impact to systems and
operations and the critical infrastructures that they support. To
address these threats, President Bush issued a 2003 national strategy
and related policy directives aimed at improving cybersecurity
nationwide, including both government systems and those cyber critical
infrastructures owned and operated by the private sector.[Footnote 1]
Because the threats have persisted and grown, a commission--commonly
referred to as the Commission on Cybersecurity for the 44th Presidency
and chaired by two congressmen and industry officials--was established
in August 2007 to examine the adequacy of the strategy and identify
areas for improvement.[Footnote 2] At about the same time, the Bush
Administration began to implement a series of initiatives aimed
primarily at improving cybersecurity within the federal government.
More recently, in February 2009, President Obama initiated a review of
the government's overall cybersecurity strategy and supporting
activities.
Today, as requested, I will discuss (1) our reports, containing about
30 recommendations, on the national cybersecurity strategy and related
efforts and (2) the results of expert panels we convened to discuss how
to strengthen the strategy and our nation's cybersecurity posture. In
preparing for this testimony, we relied on our previous reports on
federal efforts to fulfill national cybersecurity responsibilities.
These reports contain detailed overviews of the scope and methodology
we used. We also obtained the views of nationally recognized
cybersecurity experts by means of two panel discussions on the
effectiveness of the current national cybersecurity strategy and
recommendations for improvement. In summarizing the panel discussions,
we provided all panel members an opportunity to comment on our written
summaries, and their comments were incorporated as appropriate. The
panelists' names and titles are in appendix I. We conducted our work in
support of this testimony during February and March 2009, in the
Washington, D.C., area. The work on which this testimony is based was
performed in accordance with generally accepted government auditing
standards.
Background:
Government officials are concerned about attacks from individuals and
groups with malicious intent, such as criminals, terrorists, and
adversarial foreign nations. For example, in February 2009, the
Director of National Intelligence testified that foreign nations and
criminals have targeted government and private sector networks to gain
a competitive advantage and potentially disrupt or destroy them, and
that terrorist groups have expressed a desire to use cyber attacks as a
means to target the United States.[Footnote 3] The director also
discussed that in August 2008, the national government of Georgia's Web
sites were disabled during hostilities with Russia, which hindered the
government's ability to communicate its perspective about the conflict.
The federal government has developed a strategy to address such cyber
threats. Specifically, President Bush issued the 2003 National Strategy
to Secure Cyberspace[Footnote 4] and related policy directives, such as
Homeland Security Presidential Directive 7,[Footnote 5] that specify
key elements of how the nation is to secure key computer-based systems,
including both government systems and those that support critical
infrastructures owned and operated by the private sector. The strategy
and related policies also establish the Department of Homeland Security
(DHS) as the focal point for cyber critical infrastructure protection
(CIP) and assign the department multiple leadership roles and
responsibilities in this area. They
include (1) developing a comprehensive national plan for CIP, including
cybersecurity; (2) developing and enhancing national cyber analysis and
warning capabilities; (3) providing and coordinating incident response
and recovery planning, including conducting incident response
exercises; (4) identifying, assessing, and supporting efforts to reduce
cyber threats and vulnerabilities, including those associated with
infrastructure control systems;[Footnote 6] and (5) strengthening
international cyberspace security. In addition, the strategy and
related policy direct DHS and other relevant stakeholders to use risk
management principles to prioritize protection activities within and
across the 18 critical infrastructure sectors in an integrated,
coordinated fashion.
Because the threats have persisted and grown, President Bush in January
2008 began to implement a series of initiatives--commonly referred to
as the Comprehensive National Cybersecurity Initiative (CNCI)--aimed
primarily at improving DHS and other federal agencies' efforts to
protect against intrusion attempts and anticipate future threats.
[Footnote 7] While these initiatives have not been made public, the
Director of National Intelligence stated that they include defensive,
offensive, research and development, and counterintelligence efforts,
as well as a project to improve public/private partnerships.[Footnote
8] Subsequently, in December 2008, the Commission on Cybersecurity for
the 44th Presidency reported, among other things, that the failure to
protect cyberspace was an urgent national security problem and made 25
recommendations aimed at addressing shortfalls with the strategy and
its implementation.[Footnote 9] Since then, President Obama (in
February 2009) initiated a review of the cybersecurity strategy and
supporting activities. The review is scheduled to be completed in April
2009.
GAO Has Made Recommendations to Address Shortfalls with Key Aspects of
National Cybersecurity Strategy and its Implementation:
Over the last several years we have reported on our nation's efforts to
fulfill essential aspects of its cybersecurity strategy. In particular,
we have reported consistently since 2005 that DHS has yet to fully
satisfy its cybersecurity responsibilities designated by the strategy.
To address these shortfalls, we have made about 30 recommendations in
key cybersecurity areas including the 5 listed in table 1. DHS has
since developed and implemented certain capabilities to satisfy aspects
of its cybersecurity responsibilities, but the department still has not
fully satisfied our recommendations, and thus further action needs to
be taken to address these areas.
Table 1: Key Cybersecurity Areas Identified by GAO As Needing Further
Action:
1. Bolstering cyber analysis and warning capabilities.
2. Completing actions identified during cyber exercises.
3. Improving cybersecurity of infrastructure control systems.
4. Strengthening DHS's ability to help recover from Internet
disruptions.
5. Addressing cybercrime.
Source: GAO analysis of prior GAO reports.
[End of table]
In July 2008, we reported[Footnote 10] that DHS's United States
Computer Emergency Readiness Team (US-CERT) did not fully address 15
key cyber analysis and warning attributes related to (1) monitoring
network activity to detect anomalies, (2) analyzing information and
investigating anomalies to determine whether they are threats, (3)
warning appropriate officials with timely and actionable threat and
mitigation information, and (4) responding to the threat. For example,
US-CERT provided warnings by developing and distributing a wide array
of notifications; however, these notifications were not consistently
actionable or timely. As a result, we recommended that the department
address shortfalls associated with the 15 attributes in order to fully
establish a national cyber analysis and warning capability as
envisioned in the national strategy. DHS agreed in large part with our
recommendations.
In September 2008, we reported[Footnote 11] that since conducting a
major cyber attack exercise, called Cyber Storm, DHS had demonstrated
progress in addressing eight lessons it had learned from these efforts.
However, its actions to address the lessons had not been fully
implemented. Specifically, while it had completed 42 of the 66
activities identified, the department had identified 16 activities as
ongoing and 7 as planned for the future.[Footnote 12] Consequently, we
recommended that DHS schedule and complete all of the corrective
activities identified in order to strengthen coordination between
public and private sector participants in response to significant cyber
incidents. DHS concurred with our recommendation. To date, DHS has
continued to make progress in completing some identified activities but
has yet to do so for others.
In a September 2007 report and an October 2007 testimony, we reported
[Footnote 13] that consistent with the national strategy requirement to
identify and reduce threats and vulnerabilities, DHS was sponsoring
multiple control systems security initiatives, including an effort to
improve control systems cybersecurity using vulnerability evaluation
and response tools. However, DHS had not established a strategy to
coordinate the various control systems activities across federal
agencies and the private sector, and it did not effectively share
information on control system vulnerabilities with the public and
private sectors. Accordingly, we recommended that DHS develop a
strategy to guide efforts for securing control systems and establish a
rapid and secure process for sharing sensitive control system
vulnerability information. DHS recently began developing a strategy and
a process to share sensitive information.
We reported and later testified[Footnote 14] in 2006 that the
department had begun a variety of initiatives to fulfill its
responsibility, as called for by the national strategy, for developing
an integrated public/private plan for Internet recovery. However, we
determined that these efforts were not comprehensive or complete. As
such, we recommended that DHS implement nine actions to improve the
department's ability to facilitate public/private efforts to recover
the Internet in case of a major disruption. In October 2007, we
testified[Footnote 15] that the department had made progress in
implementing our recommendations; however, seven of the nine have not
been completed. To date, an integrated public/private plan for Internet
recovery does not exist.
In 2007, we reported[Footnote 16] that public and private entities
[Footnote 17] faced a number of challenges in addressing cybercrime,
including ensuring adequate analytical and technical capabilities for
law enforcement and conducting investigations and prosecuting
cybercrimes that cross national and state borders.
Cybersecurity Experts Highlighted Key Improvements Needed to Strengthen
the Nation's Cybersecurity Posture:
In addition to our recommendations on improving key aspects of the
national cybersecurity strategy and its implementation, we also
obtained the views of experts (by means of panel discussions) on these
and other critical aspects of the strategy, including areas for
improvement. The experts, who included former federal officials,
academics, and private sector executives, highlighted 12 key
improvements that are, in their view, essential to improving the
strategy and our national cybersecurity posture. These improvements are
in large part consistent with our above-mentioned reports and extensive
research and experience in this area. They include:
1. Develop a national strategy that clearly articulates strategic
objectives, goals, and priorities--The strategy should, among other
things, (1) include well-defined strategic objectives, (2) provide
understandable goals for the government and the private sector (end
game), (3) articulate cyber priorities among the objectives, (4)
provide a vision of what secure cyberspace should be in the future, (5)
seek to integrate federal government capabilities, (6) establish
metrics to gauge whether progress is being made against the strategy,
and (7) provide an effective means for enforcing action and
accountability when there are progress shortfalls. According to expert
panel members, the CNCI provides a good set of tactical initiatives
focused on improving primarily federal cybersecurity; however, it does
not provide strategic objectives, goals, and priorities for the nation
as a whole.
2. Establish White House responsibility and accountability for leading
and overseeing national cybersecurity policy--The strategy makes DHS
the focal point for cybersecurity; however, according to expert panel
members, DHS has not met expectations and has not provided the high-
level leadership needed to raise cybersecurity to a national focus.
Accordingly, panelists stated that to be successful and to send the
message to the nation and cyber critical infrastructure owners that
cybersecurity is a priority, this leadership role needs to be elevated
to the White House. In addition, to be effective, the office must have,
among other things, commensurate authority--for example, over budgets
and resources--to implement and employ appropriate incentives to
encourage action.
3. Establish a governance structure for strategy implementation--The
strategy establishes a public/private partnership governance structure
that includes 18 critical infrastructure sectors, corresponding
government and sector coordinating councils, and cross-sector councils.
However, according to panelists, this structure is government-centric
and largely relies on personal relationships to instill trust to share
information and take action. In addition, although not all sectors are
of equal importance in regard to their cyber assets and functions, the
structure treats all sectors and all critical cyber assets and
functions equally. To ensure effective strategy implementation, experts
stated that the partnership structure should include a committee of
senior government representatives (for example, the Departments of
Defense, Homeland Security, Justice, State, and the Treasury and the
White House) and private sector leaders representing the most critical
cyber assets and functions. Expert panel members also suggested that
this committee's responsibilities should include measuring and
periodically reporting on progress in achieving the goals, objectives,
and strategic priorities established in the national strategy and
building consensus to hold involved parties accountable when there are
progress shortfalls.
4. Publicize and raise awareness about the seriousness of the
cybersecurity problem--Although the strategy establishes cyberspace
security awareness as a priority, experts stated that many national
leaders in business and government, including in Congress, who can
invest resources to address cybersecurity problems are generally not
aware of the severity of the risks to national and economic security
posed by the inadequacy of our nation's cybersecurity posture and the
associated intrusions made more likely by that posture. Expert panel
members suggested that an aggressive awareness campaign is needed to
raise the level of knowledge of leaders and the general populace that
our nation is constantly under cyber attack.
5. Create an accountable, operational cybersecurity organization--DHS
established the National Cyber Security Division (within the Office of
Cybersecurity and Communications) to be responsible for leading
national day-to-day cybersecurity efforts; however, according to
panelists, this has not enabled DHS to become the national focal point
as envisioned. Panel members stated that currently, the Department of
Defense (DOD) and other organizations within the intelligence community
that have significant
resources and capabilities have come to dominate federal efforts. They
told us that there also needs to be an independent cybersecurity
organization that leverages and integrates the capabilities of the
private sector, civilian government, law enforcement, military,
intelligence community, and the nation's international allies to
address incidents against the nation's critical cyber systems and
functions. However, there was not consensus among our expert panel
members regarding where this organization should reside.
6. Focus more actions on prioritizing assets and functions, assessing
vulnerabilities, and reducing vulnerabilities than on developing
additional plans--The strategy recommends actions to identify critical
cyber assets and functions, but panelists stated that efforts to
identify which cyber assets and functions are most critical to the
nation have been insufficient. According to panel members, inclusion in
cyber critical infrastructure protection efforts and lists of critical
assets are currently based on the willingness of the person or entity
responsible for the asset or function to participate and not on
substantiated technical evidence. In addition, the current strategy
establishes vulnerability reduction as a key priority; however,
according to panelists, efforts to identify and mitigate known
vulnerabilities have been insufficient. They stated that greater
efforts should be taken to identify and eliminate common
vulnerabilities and that there are techniques available that should be
used to assess vulnerabilities in the most critical, prioritized cyber
assets and functions.
7. Bolster public/private partnerships through an improved value
proposition and use of incentives--While the strategy encourages action
by owners and operators of critical cyber assets and functions, panel
members stated that there are not adequate economic and other
incentives (i.e., a value proposition) for greater investment and
partnering in cybersecurity. Accordingly, panelists stated that the
federal government should provide valued services (such as offering
useful threat, analysis, and warning information) or incentives (such
as grants or tax reductions) to encourage action by and effective
partnerships with the private sector. They also suggested that public
and private sector entities use means such as cost-benefit analyses to
ensure the efficient use of limited cybersecurity-related resources.
8. Focus greater attention on addressing the global aspects of
cyberspace--The strategy includes recommendations to address the
international aspects of cyberspace but, according to panelists, the
U.S. is not addressing global issues impacting how cyberspace is
governed and controlled. They added that, while other nations are
actively involved in developing treaties, establishing standards, and
pursuing international agreements (such as on privacy), the U.S. is not
aggressively working in a coordinated manner to ensure that
international agreements are consistent with U.S. practice and that
they address cybersecurity and cybercrime considerations. Panel members
stated that the U.S. should pursue a more coordinated, aggressive
approach so that there is a level playing field globally for U.S.
corporations and enhanced cooperation among government agencies,
including law enforcement. In addition, a panelist stated that the U.S.
should work towards building consensus on a global cyber strategy.
9. Improve law enforcement efforts to address malicious activities in
cyberspace--The strategy calls for improving investigative coordination
domestically and internationally and promoting a common agreement among
nations on addressing cybercrime. According to a panelist, some
improvements in domestic law have been made (e.g., enactment of the
PROTECT Our Children Act of 2008), but implementation of this act is a
work in progress due to its recent passage. Panel members also stated
that current domestic and international law enforcement efforts,
including activities, procedures, methods, and laws, are too outdated
and outmoded to adequately address the speed, sophistication, and
techniques of individuals and groups, such as criminals, terrorists,
and adversarial foreign nations with malicious intent. Improved law
enforcement is essential to more effectively catch and prosecute
malicious individuals and groups and, with stricter penalties, deter
malicious behavior.
10. Place greater emphasis on cybersecurity research and development,
including consideration of how to better coordinate government and
private sector efforts--While the strategy recommends actions to
develop a research and development agenda and coordinate efforts
between the government and private sectors, experts stated that the
U.S. is not adequately focusing and funding research and development
efforts to address cybersecurity or to develop the next generation of
cyberspace to include effective security capabilities. In addition, the
research and development efforts currently underway are not being well
coordinated between government and the private sector.
11. Increase the cadre of cybersecurity professionals--The strategy
includes efforts to increase the number and skills of cybersecurity
professionals but, according to panelists, the results have not created
sufficient numbers of professionals, including information security
specialists and cybercrime investigators. Expert panel members stated
that actions to increase the number of professionals with adequate
cybersecurity skills should include (1) enhancing existing scholarship
programs (e.g., Scholarship for Service) and (2) making the
cybersecurity discipline a profession through testing and licensing.
12. Make the federal government a model for cybersecurity, including
using its acquisition function to enhance cybersecurity aspects of
products and services--The strategy establishes securing the
government's cyberspace as a key priority and advocates using federal
acquisition to accomplish this goal. Although the federal government
has taken steps to improve the cybersecurity of agencies (e.g.,
beginning to implement the CNCI initiatives), panelists stated that it
still is not a model for cybersecurity. Further, they said the federal
government has not made changes in its acquisition function and the
training of government officials in a manner that effectively improves
the cybersecurity capabilities of products and services purchased and
used by federal agencies.
In summary, our nation is under cyber attack, and the present strategy
and its implementation have not been fully effective in mitigating the
threat. This is due in part to the fact that there are further actions
needed by DHS to address key cybersecurity areas, including fully
addressing our recommendations. In addition, nationally recognized
experts have identified improvements aimed at strengthening the
strategy and in turn, our cybersecurity posture. Key improvements
include developing a national strategy that clearly articulates
strategic objectives, goals, and priorities; establishing White House
leadership; improving governance; and creating a capable and respected
operational lead organization. Until the recommendations are fully
addressed and these improvements are considered, our nation's most
critical federal and private-sector infrastructure systems remain at
unnecessary risk of attack from our adversaries. Consequently, in
addition to fully implementing our recommendations, it is essential
that the Obama administration consider these improvements as it reviews
our nation's cybersecurity strategy and begins to make decisions on
moving forward.
Madam Chair, this concludes my statement. I would be happy to answer
any questions that you or members of the subcommittee may have at this
time.
If you have any questions on matters discussed in this testimony,
please contact me at (202) 512-9286, or by e-mail at pownerd@gao.gov.
Other key contributors to this testimony include Bradley Becker,
Camille Chaires, Michael Gilmore, Nancy Glover, Kush Malhotra, Gary
Mountjoy, Lee McCracken, and Andrew Stavisky.
Appendix I: Cybersecurity Expert Panel Participants:
Steve D. Crocker, Chair, Security and Stability Advisory Committee,
Internet Corporation for Assigned Names and Numbers.
Robert Dix, Vice President of Government Affairs, Juniper Networks,
Inc.
Martha Stansell-Gamm, (Retired) Chief, Computer Crime and Intellectual
Property Section, Department of Justice.
Dr. Lawrence Gordon, Ernst & Young Alumni Professor of Managerial
Accounting and Information Assurance, Robert H. Smith School of
Business, University of Maryland.
Tiffany Jones, Director, Public Policy and Government Relations,
Symantec.
Tom Kellerman, Vice President of Security Awareness, Core Security.
Dr. Kathleen Kiernan, Chief Executive Officer, The Kiernan Group, and
Chairman of the Board, InfraGard.
Cheri McGuire, Principal Security Strategist, Microsoft Corporation,
and former Acting Director, National Cyber Security Division, U.S.
Department of Homeland Security.
Allan Paller, Director of Research, SANS Institute.
Andy Purdy, President, DRA Enterprises, Inc., and former Acting
Director, National Cyber Security Division, U.S. Department of Homeland
Security.
Marcus Sachs, Executive Director of Government Affairs for National
Security Policy, Verizon Communications; and Director, SANS Internet
Storm Center.
Howard Schmidt, President and Chief Executive Officer, Information
Security Forum.
David Sobel, Senior Counsel, Electronic Frontier Foundation.
Amit Yoran, Chairman and Chief Executive Officer, NetWitness
Corporation; former Director, National Cyber Security Division, U.S.
Department of Homeland Security.
Footnotes:
[1] Critical infrastructures are systems and assets, whether physical
or virtual, so vital to nations that their incapacity or destruction
would have a debilitating impact on national security, national
economic security, national public health or safety, or any combination
of those matters. Federal policy established 18 critical infrastructure
sectors: agriculture and food, banking and finance, chemical,
commercial facilities, communications, critical manufacturing, dams,
defense industrial base, emergency services, energy, government
facilities, information technology, national monuments and icons,
nuclear reactors, materials and waste, postal and shipping, public
health and health care, transportation systems, and water.
[2] The commission was created by the Center for Strategic and
International Studies (CSIS), a bipartisan, nonprofit organization
that, among other things, provides strategic insights and policy
solutions to decision makers. Entitled the CSIS Commission on
Cybersecurity for the 44th Presidency, the body was co-chaired by
Representative James Langevin, Representative Michael McCaul, Scott
Charney (Microsoft), and Lt. General Harry Raduege, USAF (Ret).
[3] Statement of the Director of National Intelligence before the
Senate Select Committee on Intelligence, Annual Threat Assessment of
the Intelligence Community for the Senate Select Committee on
Intelligence (Feb. 12, 2009).
[4] The White House, The National Strategy to Secure Cyberspace
(Washington, D.C.: February 2003).
[5] The White House, Homeland Security Presidential Directive 7
(Washington, D.C.: Dec. 17, 2003).
[6] Control systems are computer-based systems that perform vital
functions in many of our nation's critical infrastructures, including
electric power generation, transmission, and distribution; oil and gas
refining and pipelines; water treatment and distribution; chemical
production and processing; railroads and mass transit; and
manufacturing.
[7] The White House, National Security Presidential Directive
54/Homeland Security Presidential Directive 23 (Washington, D.C.: Jan.
8, 2008).
[8] Statement of the Director of National Intelligence before the
Senate Select Committee on Intelligence, Annual Threat Assessment of
the Intelligence Community for the Senate Select Committee on
Intelligence (Feb. 12, 2009).
[9] Center for Strategic and International Studies, Securing Cyberspace
for the 44th Presidency, A Report of the CSIS Commission on
Cybersecurity for the 44th Presidency (Washington, D.C.: December
2008).
[10] GAO, Cyber Analysis and Warning: DHS Faces Challenges in
Establishing a Comprehensive National Capability, [hyperlink,
http://www.gao.gov/products/GAO-08-588] (Washington, D.C.: July 31,
2008).
[11] GAO, Critical Infrastructure Protection: DHS Needs To Fully
Address Lessons Learned from Its First Cyber Storm Exercise,
[hyperlink, http://www.gao.gov/products/GAO-08-825] (Washington, D.C.:
Sept. 9, 2008).
[12] At that time, DHS reported that one other activity had been
completed, but the department was unable to provide evidence
demonstrating its completion.
[13] GAO, Critical Infrastructure Protection: Multiple Efforts to
Secure Control Systems Are Under Way, but Challenges Remain,
[hyperlink, http://www.gao.gov/products/GAO-07-1036] (Washington, D.C.:
Sept. 10, 2007) and Critical Infrastructure Protection: Multiple
Efforts to Secure Control Systems Are Under Way, but Challenges Remain,
[hyperlink, http://www.gao.gov/products/GAO-08-119T] (Washington, D.C.:
Oct. 17, 2007).
[14] GAO, Internet Infrastructure: DHS Faces Challenges in Developing a
Joint Public/Private Recovery Plan, [hyperlink,
http://www.gao.gov/products/GAO-06-672] (Washington, D.C.: June 16,
2006) and Internet Infrastructure: Challenges in Developing a
Public/Private Recovery Plan, [hyperlink,
http://www.gao.gov/products/GAO-06-863T] (Washington, D.C.: July 28,
2006).
[15] GAO, Internet Infrastructure: Challenges in Developing a Public/
Private Recovery Plan, [hyperlink,
http://www.gao.gov/products/GAO-08-212T] (Washington, D.C.: Oct. 23,
2007).
[16] GAO, Cybercrime: Public and Private Entities Face Challenges in
Addressing Cyber Threats, [hyperlink,
http://www.gao.gov/products/GAO-07-705] (Washington, D.C.: June 2007).
[17] These public and private entities include the Departments of
Justice, Homeland Security, and Defense, and the Federal Trade
Commission, Internet security providers and software developers.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO's actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO's Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov
(202) 512-4400
U.S. Government Accountability Office
441 G Street NW, Room 7125
Washington, D.C. 20548
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov
(202) 512-4800
U.S. Government Accountability Office
441 G Street NW, Room 7149
Washington, D.C. 20548