Cyberspace
United States Faces Challenges in Addressing Global Cybersecurity and Governance Gao ID: GAO-10-606 July 2, 2010Recent foreign-based intrusions on the computer systems of U.S. federal agencies and commercial companies highlight the vulnerabilities of the interconnected networks that comprise the Internet, as well as the need to adequately address the global security and governance of cyberspace. Federal law and policy give a number of federal entities responsibilities for representing U.S. cyberspace interests abroad, in collaboration with the private sector. More recently, the President appointed a national Cybersecurity Coordinator charged with improving the nation's cybersecurity leadership. GAO was asked to identify (1) significant entities and efforts addressing global cyberspace security and governance issues, (2) U.S. entities responsible for addressing these issues and the extent of their involvement at the international level, and (3) challenges to effective U.S. involvement in global cyberspace security and governance efforts. To do this, GAO analyzed policies, reports, and other documents and interviewed U.S. government and international officials and experts from over 30 organizations.
There are a number of key entities and efforts with significant influence on international cyberspace security and governance. The organizations range from information-sharing forums that are nondecision-making gatherings of experts to private organizations to treaty-based, decision-making bodies founded by countries. Their efforts include those to address topics such as incident response, technical standards, and law enforcement cooperation. For example, the International Organization for Standardization is a nongovernmental organization that develops and publishes international standards, including those related to cybersecurity, through a consensus-based process involving a network of the national standards bodies of 162 countries. A number of U.S. federal entities have responsibilities for, and are involved in, international cyberspace governance and security efforts. Specifically, the Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are involved in efforts to develop international standards, formulate cyber-defense policy, facilitate overseas investigations and law enforcement, and represent U.S. interests in international forums. Federal entities have varying roles among organizations and efforts with international influence over cyberspace security and governance, including engaging in bilateral and multilateral relationships with foreign countries, providing personnel to foreign agencies, leading or being a member of a U.S. delegation, coordinating U.S. policy with other U.S. entities through the interagency process, or attending meetings. The global aspects of cyberspace present key challenges to U.S. policy. Until these challenges are addressed, the United States will be at a disadvantage in promoting its national interests in the realm of cyberspace. GAO recommends that the national Cybersecurity Coordinator address challenges including developing a comprehensive national global cyberspace strategy. The national Cybersecurity Coordinator and his staff generally concurred with the recommendations and stated that actions are already being taken.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: David A. Powner Team: Government Accountability Office: Information Technology Phone: (202) 512-9286GAO-10-606, Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance
This is the accessible text file for GAO report number GAO-10-606
entitled 'Cyberspace: United States Faces Challenges in Addressing
Global Cybersecurity and Governance' which was released on August 2,
2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
July 2010:
Cyberspace:
United States Faces Challenges in Addressing Global Cybersecurity and
Governance:
GAO-10-606:
GAO Highlights:
Highlights of GAO-10-606, a report to congressional requesters.
Why GAO Did This Study:
Recent foreign-based intrusions on the computer systems of U.S.
federal agencies and commercial companies highlight the
vulnerabilities of the interconnected networks that comprise the
Internet, as well as the need to adequately address the global
security and governance of cyberspace. Federal law and policy give a
number of federal entities responsibilities for representing U.S.
cyberspace interests abroad, in collaboration with the private sector.
More recently, the President appointed a national Cybersecurity
Coordinator charged with improving the nation‘s cybersecurity
leadership. GAO was asked to identify (1) significant entities and
efforts addressing global cyberspace security and governance issues,
(2) U.S. entities responsible for addressing these issues and the
extent of their involvement at the international level, and (3)
challenges to effective U.S. involvement in global cyberspace security
and governance efforts. To do this, GAO analyzed policies, reports,
and other documents and interviewed U.S. government and international
officials and experts from over 30 organizations.
What GAO Found:
There are a number of key entities and efforts with significant
influence on international cyberspace security and governance. The
organizations range from information-sharing forums that are
nondecision-making gatherings of experts to private organizations to
treaty-based, decision-making bodies founded by countries. Their
efforts include those to address topics such as incident response,
technical standards, and law enforcement cooperation. For example, the
International Organization for Standardization is a nongovernmental
organization that develops and publishes international standards,
including those related to cybersecurity, through a consensus-based
process involving a network of the national standards bodies of 162
countries.
A number of U.S. federal entities have responsibilities for, and are
involved in, international cyberspace governance and security efforts.
Specifically, the Departments of Commerce, Defense, Homeland Security,
Justice, and State, among others, are involved in efforts to develop
international standards, formulate cyber-defense policy, facilitate
overseas investigations and law enforcement, and represent U.S.
interests in international forums. Federal entities have varying roles
among organizations and efforts with international influence over
cyberspace security and governance, including engaging in bilateral
and multilateral relationships with foreign countries, providing
personnel to foreign agencies, leading or being a member of a U.S.
delegation, coordinating U.S. policy with other U.S. entities through
the interagency process, or attending meetings.
The global aspects of cyberspace present key challenges to U.S. policy
(see table). Until these challenges are addressed, the United States
will be at a disadvantage in promoting its national interests in the
realm of cyberspace.
Table: U.S. Challenges in Addressing Global Cybersecurity and
Governance:
Challenge: Leadership;
Description: Providing top-level leadership that can coordinate across
federal entities and forge a coherent national approach.
Challenge: Strategy;
Description: Developing a comprehensive national strategy that
specifies overarching goals, subordinate objectives, activities to
support those objectives, and outcome-oriented performance metrics and
time frames.
Challenge: Coordination;
Description: Engaging all key federal entities in order to coordinate
policy related to global aspects of cyberspace security and governance.
Challenge: Standards and policies;
Description: Ensuring that international technical standards and
polices do not pose unnecessary barriers to U.S. trade.
Challenge: Incident response;
Description: Participating in international cyber-incident response,
which includes appropriately sharing information without jeopardizing
national security.
Challenge: Differing law;
Description: Investigating and prosecuting transnational cybercrime
amid a plurality of laws, varying technical capabilities, and
differing priorities.
Challenge: Norms;
Description: Providing models of behavior that shape the policies and
activities of countries, such as defining countries‘ sovereign
responsibility regarding the actions of its citizens.
Source: GAO analysis of federal and nonfederal information.
[End of table]
What GAO Recommends:
GAO recommends that the national Cybersecurity Coordinator address
challenges including developing a comprehensive national global
cyberspace strategy. The national Cybersecurity Coordinator and his
staff generally concurred with the recommendations and stated that
actions are already being taken.
View [hyperlink, http://www.gao.gov/products/GAO-10-606] or key
components. For more information, contact David A. Powner at (202) 512-
9286 or pownerd@gao.gov.
[End of section]
Contents:
Letter:
Background:
Several Key Entities and Efforts Address Global Cyberspace Security
and Governance:
U.S. Government Entities Are Involved with Multiple Global Cyberspace
Security and Governance Efforts:
The U.S. Government Faces Challenges in Addressing the Global Aspects
of Cyberspace:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Department of Commerce:
Appendix III: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Sources of Cybersecurity Threats:
Table 2: Types of Cyber Exploits:
Table 3: Key Entities and Efforts with Significant Influence on
International Cyberspace Security and Governance:
Table 4: Department of Commerce's International Efforts Related to
Cyberspace Security or Governance:
Table 5: DOD's International Efforts Related to Cyberspace Security or
Governance:
Table 6: DHS's International Efforts Related to Cyberspace Security or
Governance:
Table 7: DOJ's International Efforts Related to Cyberspace Security or
Governance:
Table 8: Department of State's International Efforts Related to
Cyberspace Security or Governance:
Table 9: FCC's International Efforts Related to Cyberspace Security or
Governance:
Table 10: USTR's International Efforts Related to Cyberspace Security
or Governance:
Figure:
Figure 1: U.S. Government Involvement in Key Entities and Efforts
Addressing Global Cyberspace Security and Governance:
Abbreviations:
ANSI: American National Standards Institute:
APEC: Asia-Pacific Economic Cooperation:
ASEAN: Association of Southeast Asian Nations:
CCIPS: Computer Crime and Intellectual Property Section:
CERT: computer emergency response team:
CICTE: Inter-American Committee against Terrorism:
CITEL: Inter-American Telecommunication Commission:
CNCI: Comprehensive National Cybersecurity Initiative:
CS&C: Office of Cyber Security and Communication:
DHS: Department of Homeland Security:
DNS: domain name system:
DOC: Department of Commerce:
DOJ: Department of Justice:
EEB/CIP: Bureau of Economic, Energy, and Business Affairs,
International Communications and Information Policy:
EUR/RPM: Office of European Security and Political Affairs:
FBI: Federal Bureau of Investigation:
FCC: Federal Communications Commission:
FIRST: Forum of Incident Response and Security Teams:
GCA: Global Cybersecurity Agenda:
G8: Group of Eight:
HSPD: Homeland Security Presidential Directive:
ICANN: Internet Corporation for Assigned Names and Numbers:
ICI-IPC: Information and Communications Infrastructure Interagency
Policy Committee:
IEC: International Electrotechnical Commission:
IEEE: Institute of Electrical and Electronic Engineers:
IETF: Internet Engineering Task Force:
IGF: Internet Governance Forum:
INL: Bureau of International Narcotics and Law Enforcement Affairs:
INR: Bureau of Intelligence and Research:
ISO: International Organization for Standardization:
ITU: International Telecommunication Union:
ITU-D: International Telecommunication Union-Telecommunication
Development Sector:
ITU-R: International Telecommunication Union-Radiocommunication Sector:
ITU-T: International Telecommunication Union-Telecommunication
Standardization Sector:
JCS: Joint Chiefs of Staff:
JTC: joint technical committee:
NATO: North Atlantic Treaty Organization:
NIST: National Institute of Standards and Technology:
NSC: National Security Council:
NSD: National Security Division:
NSPD: National Security Presidential Directive:
NTIA: National Telecommunications and Information Administration:
OAS: Organization of American States:
OASD (GSA): Office of the Assistant Secretary of Defense for Global
Strategic Affairs:
OASD (NII)/DOD CIO: Office of the Assistant Secretary of Defense for
Networks and Information Integration/DOD Chief Information Officer:
OECD: Organisation for Economic Cooperation and Development:
REMJA: Meetings of Ministers of Justice or Other Ministers or
Attorneys General of the Americas:
TEL: Telecommunication and Information Working Group:
UN: United Nations:
USNCB: U.S. National Central Bureau of INTERPOL:
USSS: United States Secret Service:
USTR: Office of the United States Trade Representative:
WPISP: Working Party on Information Security and Privacy:
WTO: World Trade Organization:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
July 2, 2010:
The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:
The Honorable Yvette D. Clarke:
Chairwoman:
Subcommittee on Emerging Threats, Cybersecurity, and Science and
Technology:
Committee on Homeland Security:
House of Representatives:
The Honorable Kirsten E. Gillibrand:
United States Senate:
Recent intrusions on U.S. corporations and federal agencies by
attackers in foreign countries highlight the threats posed by the
worldwide connection of our networks and the need to adequately
address global cyberspace security and governance. A multitude of
organizations are actively involved in developing international
agreements and standards related to the security and governance of
cyberspace, and U.S. government and private sector involvement in
these organizations and efforts is essential to promoting our national
and economic security to the rest of the world.
Cyberspace is the globally interconnected digital information and
communications infrastructure. The Internet is a decentralized network
of computer networks with no single authority responsible for
governing or securing it. Computers attached to the network are
subject to the laws and policies of the nation and network where they
are physically located, although users from anywhere in the world may
be able to post or retrieve information from any particular accessible
computer. This complicates Internet governance, as Internet users may
be able to use the network to retrieve or post information, such as
hate speech, or perform an activity, such as gambling, which is
illegal where they are physically located, but not illegal in the
country where the computer they are accessing is located.
Our objectives were to identify (1) significant entities and efforts
addressing global cyberspace security and governance issues, (2) U.S.
entities responsible for addressing cyberspace security and governance
and the extent of their involvement at the international level, and
(3) challenges to effective U.S. involvement in global cyberspace
security and governance efforts. To identify entities and efforts with
significant influence on international cyberspace security and
governance, we collected and analyzed documents, such as resolutions,
charters, organizational charts, policies, reports, and studies, and
conducted structured interviews with relevant federal, private sector,
and foreign officials. To identify responsible U.S. entities and their
related efforts, we collected, reviewed, and analyzed documents and
conducted structured interviews with officials from responsible U.S.
departments and agencies, including the Departments of Commerce (DOC),
Defense (DOD), Homeland Security (DHS), Justice (DOJ), State, and the
Treasury, as well as the Federal Communications Commission (FCC), the
United States Agency for International Development (USAID), and the
United States Trade Representative (USTR). To determine challenges to
effective U.S involvement, we analyzed relevant documentation and the
results of structured interviews. Appendix I provides more detail
about our objectives, scope, and methodology.
We conducted this performance audit from June 2009 to July 2010, in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
Background:
The Internet is a vast network of interconnected networks that is used
by governments, businesses, research institutions, and individuals
around the world to communicate, engage in commerce, perform research,
educate, and entertain. Increasing computer interconnectivity--most
notably growth in the use of the Internet--has revolutionized the way
that our government, our nation, and much of the world communicate and
conduct business. From its origins in the 1960s as a research project
sponsored by the U.S. government, the Internet has grown increasingly
important to both American and foreign businesses and consumers,
serving as the medium for hundreds of billions of dollars of commerce
each year. The Internet has also become an extended information and
communications infrastructure, supporting vital services such as power
distribution, health care, law enforcement, and national defense.
Today, private industry--including telecommunications companies, cable
companies, and Internet service providers--owns and operates the vast
majority of the Internet's infrastructure. The various networks that
make up the Internet include the national backbone and regional
networks, residential Internet access networks, and the networks run
by individual businesses or "enterprise" networks. When a user wants
to access a Web site or send an e-mail to someone who is connected to
the Internet through a different service provider, the data must be
transferred between networks. Data travels from a user's device to the
Internet through various means, such as coaxial cable, satellite, or
wirelessly, to a provider's facility where it is aggregated with other
users' traffic. Data cross between networks at Internet exchange
points, which can be either hub points where multiple networks
exchange data or private interconnection points. At these exchange
points, computer systems called routers determine the optimal path for
the data to reach their destination. Data travel through the national
and regional networks and exchange points around the globe, as
necessary, to reach the recipient's Internet service provider and the
recipient.
The networks that make up the Internet communicate via standardized
rules called protocols. For example, a critical set of protocols,
collectively known as the domain name system (DNS), ensures the
uniqueness of each e-mail and Web site address. This system links e-
mail and Web site addresses with the underlying numerical addresses
that computers use to communicate with each other. It translates names
into addresses and back again in a process invisible to the end user.
Cyber Threats and Incidents Impact National and Economic Security:
The global interconnectivity provided by the Internet allows cyber
attackers to easily cross national borders, access vast numbers of
victims at the same time, and easily maintain anonymity. Attacks can
come from a variety of sources, including criminal groups, hackers,
and terrorists. Table 1 lists sources of threats that have been
identified by the U.S. intelligence community and others.
Table 1: Sources of Cybersecurity Threats:
Threat: Bot-network operators;
Description: Bot-net operators use a network, or bot-net, of
compromised, remotely controlled systems to coordinate attacks and to
distribute phishing schemes, spam, and malware attacks. The services
of these networks are sometimes made available on underground markets
(e.g., purchasing a denial of service attack or servers to relay spam
or phishing attacks).
Threat: Criminal groups;
Description: Criminal groups seek to attack systems for monetary gain.
Specifically, organized criminal groups use spam, phishing, and
spyware/malware to commit identity theft and online fraud.
International corporate spies and criminal organizations also pose a
threat to the United States through their ability to conduct
industrial espionage and large-scale monetary theft and to hire or
develop hacker talent.
Threat: Hackers;
Description: Hackers break into networks for the thrill of the
challenge, bragging rights in the hacker community, revenge, stalking
others, and monetary gain, among other reasons. While gaining
unauthorized access once required a fair amount of skill or computer
knowledge, hackers can now download attack scripts and protocols from
the Internet and launch them against victim sites. Thus, while attack
tools have become more sophisticated, they have also become easier to
use. According to the Central Intelligence Agency, the large majority
of hackers do not have the requisite expertise to threaten difficult
targets such as critical U.S. networks. Nevertheless, the worldwide
population of hackers poses a relatively high threat of an isolated or
brief disruption causing serious damage.
Threat: Insiders;
Description: The disgruntled organization insider is a principal
source of computer crime. Insiders may not need a great deal of
knowledge about computer intrusions because their knowledge of a
target system often allows them to gain unrestricted access to cause
damage to the system or to steal system data. The insider threat
includes contractors hired by the organization, as well as employees
who accidentally introduce malware into systems.
Threat: Nations;
Description: Nations use cyber tools as part of their information-
gathering and espionage activities. In addition, several nations are
aggressively working to develop information warfare doctrine,
programs, and capabilities. Such capabilities enable a single entity
to have a significant and serious impact by disrupting the supply,
communications, and economic infrastructures that support military
power--impacts that could affect the daily lives of U.S. citizens
across the country.
Threat: Phishers;
Description: Individuals, or small groups, execute phishing schemes in
an attempt to steal identities or information for monetary gain.
Phishers may also use spam and spyware/malware to accomplish their
objectives.
Threat: Spammers;
Description: Individuals or organizations distribute unsolicited e-
mail with hidden or false information in order to sell products,
conduct phishing schemes, distribute spyware/malware, or attack
organizations (i.e., denial of service).
Threat: Spyware/malware authors;
Description: Individuals or organizations with malicious intent carry
out attacks against users by producing and distributing spyware and
malware. Several destructive computer viruses and worms have harmed
files and hard drives, including the Melissa Macro Virus, the
Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer,
and Blaster.
Threat: Terrorists;
Description: Terrorists seek to destroy, incapacitate, or exploit
critical infrastructures in order to threaten national security, cause
mass casualties, weaken the U.S. economy, and damage public morale and
confidence. Terrorists may use phishing schemes or spyware/malware in
order to generate funds or gather sensitive information.
Sources: GAO analysis based on data from the Director of National
Intelligence, Department of Justice, the Central Intelligence Agency,
and the Software Engineering Institute's CERTŪ Coordination Center.
[End of table]
Different types of cyber threats can use various cyber exploits that
may adversely affect computers, software, a network, an agency's
operation, an industry, or the Internet itself (see table 2). Groups
or individuals may intentionally deploy cyber exploits targeting a
specific cyber asset or attack through the Internet using a virus,
worm, or malware with no specific target.
Table 2: Types of Cyber Exploits:
Type of exploit: Denial of service;
Description: A method of attack from a single source that denies
system access to legitimate users by overwhelming the target computer
with messages and blocking legitimate traffic. It can prevent a system
from being able to exchange data with other systems or use the
Internet.
Type of exploit: Distributed denial of service;
Description: A variant of the denial of service attack that uses a
coordinated attack from a distributed system of computers rather than
from a single source. It often makes use of worms to spread to
multiple computers that can then attack the target.
Type of exploit: Exploit tools;
Description: Publicly available and sophisticated tools that intruders
of various skill levels can use to determine vulnerabilities and gain
entry into targeted systems.
Type of exploit: Logic bombs;
Description: A form of sabotage in which a programmer inserts code
that causes the program to perform a destructive action when some
triggering event occurs, such as terminating the programmer's
employment.
Type of exploit: Phishing;
Description: The creation and use of e-mails and Web sites--designed
to look like those of well-known legitimate businesses, financial
institutions, and government agencies--in order to deceive Internet
users into disclosing their personal data, such as bank and financial
account information and passwords. The phishers then use that
information for criminal purposes, such as identity theft and fraud.
Type of exploit: Sniffer;
Description: Synonymous with packet sniffer. A program that intercepts
routed data and examines each packet in search of specified
information, such as passwords transmitted in clear text.
Type of exploit: Trojan horse;
Description: A computer program that conceals harmful code. A Trojan
horse usually masquerades as a useful program that a user would wish
to execute.
Type of exploit: Virus;
Description: A program that infects computer files, usually executable
programs, by inserting a copy of itself into the file. These copies
are usually executed when the infected file is loaded into memory,
allowing the virus to infect other files. Unlike a computer worm, a
virus requires human involvement (usually unwitting) to propagate.
Type of exploit: Vishing;
Description: A method of phishing based on voice-over-Internet-
Protocol technology and open-source call center software that have
made it inexpensive for scammers to set up phony call centers and
criminals to send e-mail or text messages to potential victims, saying
there has been a security problem, and they need to call their bank to
reactivate a credit or debit card, or send text messages to cell
phones, instructing potential victims to contact fake online banks to
renew their accounts.
Type of exploit: War driving;
Description: A method of gaining entry into wireless computer networks
using a laptop, antennas, and a wireless network adapter that involves
patrolling locations to gain unauthorized access.
Type of exploit: Worm;
Description: An independent computer program that reproduces by
copying itself from one system to another across a network. Unlike
computer viruses, worms do not require human involvement to propagate.
Type of exploit: Zero-day exploit;
Description: A cyber threat taking advantage of a security
vulnerability on the same day that the vulnerability becomes known to
the general public and for which there are no available fixes.
Source: GAO analysis of data from GAO and industry reports.
[End of table]
Recent reports of cyber attacks illustrate that such attacks could
have a debilitating impact on national security.
* In May 2007, Estonia was the reported target of a denial-of-service
cyber attack with national consequences. The coordinated attack
created mass outages of its government and commercial Web sites.
[Footnote 1]
* In March 2008, DOD reported that, in 2007, computer networks
operated by DOD, other federal agencies, and defense-related think
tanks and contractors were targets of computer network intrusions.
Although those responsible were not definitively identified, the
attacks appeared to have originated in China.[Footnote 2]
* In January 2010, it was reported that at least 30 technology
companies--most in Silicon Valley, California--were victims of
intrusions. The cyber attackers infected computers with hidden
programs allowing unauthorized access to files that may have included
the companies' computer security systems, crucial corporate data, and
software source code.[Footnote 3]
* In January 2010, a California-based company filed suit alleging that
two Chinese companies stole software code and then distributed it to
tens of millions of end users as part of Chinese government-sponsored
filtering software. The company is seeking more than $2.2 billion
dollars. Academic researchers found that portions of the company's
software code had been copied and used in initial versions of the
Chinese software.[Footnote 4]
* Based on an 8-month investigation in 2009, university researchers
reported that computer systems in India were attacked. The suspected
cyberattackers remotely connected to Indian computers using social
networks to install bot-nets that infiltrated and infected Indian
computers with malware. The incidents were reported to have been
traced back to an underground espionage organization that was able to
steal sensitive national security and defense information.[Footnote 5]
U.S. Policy Recognizes the Need to Address Global Aspects of
Cybersecurity:
As threats to cyberspace have persisted and grown and cyberspace has
expanded globally, the federal government has developed policies,
strategies, and initiatives that recognize the importance of
addressing cybersecurity on a global basis. For example, President
Obama's Cyberspace Policy Review determined that the United States
needs a strategy for cybersecurity that brings like-minded nations
together on issues such as technical standards and acceptable legal
norms regarding territorial jurisdiction, sovereign responsibility,
and use of force.[Footnote 6] It includes an action to develop U.S.
government positions for an international cybersecurity policy and
strengthen international partnerships to create initiatives that
address the full range of activities, policies, and opportunities
associated with cybersecurity. The policy review also recommended that
the President establish a cybersecurity coordinator position to
integrate the government's cybersecurity policies. Subsequently, in
December 2009, a Special Assistant to the President and Cybersecurity
Coordinator, referred as the Cybersecurity Coordinator in this report,
was appointed with responsibility for addressing the recommendations
made in the Cyberspace Policy Review, including coordinating
interagency cybersecurity policies and strategies and developing a
comprehensive national strategy to secure the nation's digital
infrastructure.
In addition, The National Strategy to Secure Cyberspace recognized
that securing cyberspace is a global matter due to the
interconnectedness of the world's computer systems. Accordingly, it
states that securing global cyberspace requires international
cooperation to raise awareness, share information, promote security
standards, and investigate and prosecute cybercrime.[Footnote 7] Also,
Homeland Security Presidential Directive 7 (HSPD-7) directs DHS to,
among other things, develop a comprehensive and integrated plan
outlining goals and initiatives for protecting critical infrastructure
that includes a strategy for working with international organizations.
[Footnote 8] The directive also designates the Department of State, in
conjunction with the Department of Commerce, DOD, DHS, DOJ, the
Department of the Treasury, and other appropriate agencies, to work
with foreign countries and international organizations to strengthen
the protection of U.S. critical infrastructure and key resources.
Further, while National Security Presidential Directive 54/Homeland
Security Presidential Directive 23 (NSPD-54/HSPD-23), establishing the
Comprehensive National Cybersecurity Initiative (CNCI), is focused on
safeguarding federal executive branch government information systems,
it includes one initiative focused on building an approach that deters
interference and attacks in cyberspace by improving warning
capabilities, articulating roles for private sector and international
partners, and developing appropriate responses for both state and
nonstate actors.[Footnote 9] It also recognizes the need to develop an
approach to better manage the federal government's global supply chain.
Several Key Entities and Efforts Address Global Cyberspace Security
and Governance:
There are a number of key entities and efforts whose international
activities significantly influence the security and governance of
cyberspace. Although these 19 organizations, listed in table 3, do not
represent all international cyber-related entities and efforts, they
were consistently identified as key by the organizations and experts
we interviewed. The organizations range from information-sharing
forums that are nondecision-making gatherings of experts to private
organizations to treaty-based, decision-making bodies founded by
countries. Their efforts include those to address topics such as
incident response, technical standards, and law enforcement
cooperation. These entities have reported ongoing initiatives that
involve governments and private industry stakeholders to address a
broad set of topics, such as implementation of incident response
mechanisms, the development of technical standards, the facilitation
of criminal investigations, and the creation of international policies
related to information technology and critical infrastructure.
Table 3: Key Entities and Efforts with Significant Influence on
International Cyberspace Security and Governance:
* Asia-Pacific Economic Cooperation;
* Association of Southeast Asian Nations;
* Council of Europe;
* European Union;
* Forum of Incident Response and Security Teams;
* Group of Eight;
* Institute of Electrical and Electronic Engineers;
* International Electrotechnical Commission;
* International Organization for Standardization;
* International Telecommunication Union;
* Internet Corporation for Assigned Names and Numbers;
* Internet Engineering Task Force;
* Internet Governance Forum;
* INTERPOL;
* Meridian;
* North Atlantic Treaty Organization.
* Organization of American States.
* Organisation for Economic Cooperation and Development.
* United Nations.
Source: GAO analysis of data provided by U.S. and foreign governmental
agencies and the private sector.
[End of table]
Asia-Pacific Economic Cooperation:
Asia-Pacific Economic Cooperation (APEC) is a cooperative economic and
trade forum designed to promote economic growth and cooperation among
21 countries from the Asia-Pacific region.[Footnote 10] APEC's
Telecommunication and Information Working Group (TEL) is to support
security efforts associated with the information infrastructure of
member countries through activities designed to strengthen effective
incident response capabilities, develop information security
guidelines, combat cybercrime, monitor security implications of
emerging technologies, and foster international cooperation on
cybersecurity. According to APEC, the working group has pursued some
of these activities by collaborating with other international
organizations, such as the Association of Southeast Asian Nations, the
International Telecommunication Union, and the Organisation for
Economic Cooperation and Development.
Association of Southeast Asian Nations:
Association of Southeast Asian Nations (ASEAN) is an economic and
security cooperative comprised of 10 member nations from Southeast
Asia.[Footnote 11] According to the 2009-2015 Roadmap for an ASEAN
Community, it seeks to combat transnational cybercrime by fostering
cooperation among member-nations' law enforcement agencies and
promoting the adoption of cybercrime legislation.[Footnote 12] In
addition, the road map calls for activities to develop information
infrastructure and expand computer emergency response teams (CERT) and
associated drills to all ASEAN partners.
Council of Europe:
The Council of Europe is an organization of 47 member countries
founded in 1949 to develop common and democratic principles for the
protection of individuals. In 2001, the council adopted a Convention
on Cybercrime to improve international cooperation in combating
actions directed against the confidentiality, integrity, and
availability of computer systems, networks, and data. This convention
identified agreed-upon cyber-related activities that should be deemed
criminal acts in countries' domestic law. These acts included illegal
access to a computer system, computer-related fraud, activities
involving child pornography, and copyright infringement. The U.S.
Senate ratified this convention in August 2006. The Council of Europe
also sponsors training and conferences to address cybersecurity issues
such as its 2009 joint conference with the Organization of American
States/Inter-American Committee against Terrorism, which focused on
ways in which the Internet is misused by terrorist organizations and
their supporters.
European Union:
The European Union is an economic and political partnership among 27
European countries.[Footnote 13] Subcomponents of its executive body--
the European Commission--are to engage in cybersecurity activities
designed to improve (1) preparedness and prevention, (2) detection and
response, (3) mitigation and recovery, (4) international cooperation,
and (5) criteria for European critical infrastructure in the
information communication technology sector. European Commission
officials stated that, in the future, the European Commission will
prioritize international engagement involving mutual assistance,
recovery efforts, and crisis management.
In addition, the European Commission formed the European Network and
Information Security Agency (ENISA), an independent European agency
created to enhance the capability of its members to address and
respond to network and information security problems. Established in
2004, ENISA's international outreach is to primarily focus on
information infrastructure protection and resilience, awareness
raising, and the exchange of information among its members. Officials
stated that they anticipate performing greater international outreach
outside of Europe beginning in 2012.
Several independent organizations within Europe develop technical
standards. The European Committee for Standardization is to work to
remove trade barriers for European industry and provide a platform for
the development of European standards and technical specifications.
The European Committee for Electrotechnical Standardization is a not-
for-profit technical organization that is responsible for preparing
voluntary electrotechnical standards for electrical and electronic
goods and services in the European market. The European
Telecommunications Standards Institute is also a not-for-profit
organization that is responsible for producing globally applicable
standards for information and communications technologies including
those supporting the Internet.
Forum of Incident Response and Security Teams:
Forum of Incident Response and Security Teams (FIRST) is an
international confederation of individual CERTs that work together to
share technical and security incident information. It includes over
220 members from 42 countries. The members' incident response teams
represent government, law enforcement, academia, the private sector,
and other organizations. FIRST's steering committee is responsible for
its general operating policy, procedures, and other matters affecting
the organization. The steering committee also selects the Secretariat,
the coordinator of meetings and workshops, and the administrator for
data and communications.
According to FIRST, it has also worked with multiple international
standards organizations to develop standards for cybersecurity and
incident management and response. In addition, FIRST uses the Common
Vulnerability Scoring System as a standard method for rating
information technology vulnerabilities, which helps when communicating
vulnerabilities and their properties to others.
Group of Eight:
The Group of Eight (G8) is an international forum that includes the
governments of Canada, France, Germany, Italy, Japan, Russia, the
United Kingdom, and the United States. The G8's cybersecurity efforts
are directed by the G8 Subgroup on High-Tech Crime, which seeks to
prevent, investigate, and prosecute crimes involving computers,
networked communications, and other new technologies. In 1997, the
subgroup created the 24-7 High-Tech Crime Point-of-Contact Network,
which allows law enforcement officials from countries--including those
from outside the G8--to quickly contact their counterparts in other
participating nations for assistance with cybercrime investigations.
The network is to supplement traditional methods of obtaining law
enforcement assistance. In 2004, the Subgroup on High-Tech Crime also
developed a best practices guide for network security to assist
network operators and system administrators when responding to
computer incidents.
Institute of Electrical and Electronic Engineers:
The Institute of Electrical and Electronic Engineers (IEEE) is a
professional association focused on electrical and computer sciences,
engineering, and related disciplines. Its cybersecurity-related
activities include the development of technical standards through the
IEEE Standards Association, which follows consensus-based standards
development processes. For example, IEEE standards include 802.11, an
internationally recognized standard that addresses encryption and
wireless networking. In addition, according to its reports, the IEEE
Standards Association has been involved with the U.S. National
Institute of Standards and Technology (NIST) to draft cybersecurity
standards for electric utility control systems.
International Electrotechnical Commission:
The International Electrotechnical Commission (IEC) prepares and
publishes international standards for electrical, electronic, and
related technologies. Its membership includes national committees from
over 70 nations, which are comprised of representatives from each
country's public and private sectors. The IEC and the International
Organization for Standardization (ISO), through a joint technical
committee (JTC), have developed information security standards for all
types of organizations, including commercial enterprises, government
agencies, and not-for-profit organizations. For example, ISO/IEC
27001:2005 addresses the development and maintenance of information
security management systems and the security controls that protect
information assets. According to the standard, ISO/IEC JTC 1 developed
this international standard to be applicable to all organizations
regardless of size.
ISO:
ISO is a nongovernmental organization that develops and publishes
international standards through a consensus-based process involving a
network of the national standards institutes of 162 countries with a
Central Secretariat in Geneva, Switzerland, supporting the process.
Its standards include those for traditional activities such as
agriculture and construction, as well as those for the latest in
information and communication technology. As previously mentioned, the
ISO is a part of the ISO/IEC JTC 1.
The International Telecommunication Union:
The International Telecommunication Union (ITU) is a United Nations
(UN) agency whose mission includes developing technical standards,
allocating the radio spectrum, and providing technical assistance and
capacity-building to developing countries. According to ITU, three
sectors carry out these missions by promoting recommendations: the ITU-
Telecommunication Standardization Sector (ITU-T), the ITU-
Radiocommunication Sector (ITU-R), and the ITU-Telecommunication
Development Sector (ITU-D). In addition, the ITU General-Secretariat
provides top-level leadership to ensure that institutional strategies
are harmonized across all sectors. ITU members include delegations
from 191 nations, as well as more than 700 members from the private
sector.
The ITU has also developed technical standards for security and, more
recently, engaged in other cybersecurity activities. For example, ITU-
T has established a study group for telecommunications security to
focus on developing standards and recommendations associated with
network and information security, application security, and identity
management. Similarly, ITU-D, through its members' efforts, prepared a
report on cybersecurity best practices for countries seeking to
organize national cybersecurity efforts. While this effort was
underway, the ITU General-Secretariat separately issued a Global
Cybersecurity Agenda (GCA) designed to promote a comprehensive and
coordinated international approach to cybersecurity across all ITU
sectors. The GCA has five specific focus areas: legal measures,
technical and procedural measures, organizational structures, capacity-
building, and international cooperation. In addition, the ITU
Secretary General signed a memorandum of understanding with the
International Multilateral Partnership Against Cyber Threats that is
to establish an operations center to coordinate incident response and
to provide cyber threat information to member countries and the
private sector.[Footnote 14]
Internet Corporation for Assigned Names and Numbers:
The Internet Corporation for Assigned Names and Numbers (ICANN) is the
private, not-for-profit U.S. corporation whose primary function is the
coordination of the technical management of the Internet's domain name
and addressing system. According to ICANN officials, the corporation
is overseen by a board of directors composed of 21 representatives,
including 15 voting members and 6 nonvoting liaisons. It signed an
Affirmation of Commitments with the Department of Commerce in
September 2009, which, according to department officials, completed
the transition of the technical management of the DNS to a private-
sector led, multistakeholder model that is intended to ensure
accountability and transparency in its decision-making with the goal
of protecting the interests of global Internet users. ICANN is to
facilitate DNS policy development through a bottom-up process
involving the diverse interests of generic and country code top-level
domain registries, domain name registrars, the regional Internet
registries, the technical community, business and individual Internet
users, and governments. According to ICANN officials, it also performs
the Internet Assigned Names Authority functions under contract to the
Department of Commerce. The Internet Assigned Names Authority's
functions consist of several interdependent Internet management
responsibilities, including coordination of the assignment of
technical protocol parameters, performance of administrative functions
associated with root zone management, and the allocation of Internet
numbering resources.
Internet Engineering Task Force:
The Internet Engineering Task Force (IETF) is a technical standards-
setting body responsible for developing and maintaining the Internet's
core standards, including the DNS protocol and its security extensions
and the current and next-generation versions of the Internet Protocol.
According to government officials, the core standards the IETF
develops define, on a basic level, how the Internet operates and what
functions it is capable of performing. It is a voluntary, consensus-
based standards body, whose participants include network operators,
academics, and representatives of government and industry, among
others. Much of IETF's work is conducted via e-mail lists, although it
does host three meetings at locations around the world each year.
The Internet Governance Forum:
The 2005 World Summit on the Information Society's Tunis Agenda
mandated that the UN Secretary-General create the Internet Governance
Forum (IGF) as a multistakeholder venue to discuss public policy
issues related to key elements of Internet governance. According to a
recognized expert, the IGF's broad membership and emphasis on
information exchange enable it to serve as a uniquely important forum
for foreign governments, the private sector, civil society
organizations, and individuals to engage in open discussion without
being preoccupied with advocating a particular policy outcome.
Although the annual meetings do not directly result in standards,
recommendations, or binding agreements, ideas generated by IGF can
contribute to outcome-oriented efforts at other international
organizations.
INTERPOL:
INTERPOL, the world's largest international police organization, was
created to facilitate cross-border police cooperation. It collects,
stores, analyzes, and shares information related to cybercrime between
its 188 member countries through its global police communications
system. It is also responsible for coordinating operational resources
such as computer forensic analysis in support of cybercrime
investigations. Further, INTERPOL has a network of investigators in
national computer crime units to help law enforcement seize digital
evidence as quickly as possible and facilitate cooperation when a
cyber attack involves multiple jurisdictions. To develop strategies
for emerging cybercrime methods, it assembles groups of experts into
regional working groups that harness the regional expertise available
in Europe, Asia, the Americas, the Middle East, and North Africa. The
working party activities are to include sharing information on
regional cybercrime trends, enhancing cooperation among the member
countries, and developing educational materials for law enforcement.
Meridian:
Founded in 2005, the Meridian Conference and Process aims to exchange
ideas and initiate actions for government-to-government cooperation on
critical information infrastructure protection issues globally. An
annual conference and interim activities are held each year to help
build trust and establish relationships within the membership to
facilitate sharing of experiences and good practices on critical
information infrastructure protection from around the world.
Participation in the Meridian Process is open to all countries and
aimed at senior government policy-makers. DHS's National Protection
and Programs Directorate's Office of Cyber Security and Communication
hosted the 2009 Meridian Conference, which brought together more than
100 participants from 40 countries. The conference allowed
participants to explore the benefits of and opportunities for
cooperation between governments and share best practices. Key U.S.
cybersecurity leaders from DHS and the White House engaged with
conference delegates and shared views on U.S. cybersecurity
priorities. The Meridian Process also seeks to advance collaborative
efforts on specific topics such as control systems security.
North Atlantic Treaty Organization:
The North Atlantic Treaty Organization (NATO) is an alliance of 28
countries from North America and Europe.[Footnote 15] NATO approved a
Cyber Defense Policy in January 2008 to provide direction to its
member nations to protect key information systems and support efforts
to counter cyber attacks. Specifically, the policy establishes the
Cyber Defense Management Authority, which has authority for managing
cyber defense crises, to include directing the NATO Computer Incident
Response Capability. NATO also encourages the creation of state-
sponsored cyber-defense authorities to exchange information, define
the scope of mutual support in the event of an identified cyber
incident, and to identify communication and information systems that
handle information deemed critical to the alliance.
Organization of American States:
The Organization of American States (OAS) is an intergovernmental
organization comprised of 34 independent nations in North, Central,
and South America, as well as island nations in the Caribbean.
[Footnote 16] In 2004, the OAS member states adopted the Inter-
American Comprehensive Strategy for Cybersecurity. The strategy
identifies cybersecurity as an emerging threat to OAS member states
and requires three OAS entities to take action to address different
aspects of cybersecurity. Specifically, the strategy directs the Inter-
American Committee against Terrorism (CICTE) to develop plans for the
creation of a hemisphere-wide, 24-hours-per-day, 7-days-per-week
network of Computer Security Incident Response Teams. In addition, the
strategy directs the Inter-American Telecommunication Commission
(CITEL) to evaluate existing technical cybersecurity standards,
recommend the adoption of particularly important cybersecurity
standards, and identify obstacles to implementing those cybersecurity
standards within the Americas. Finally, the strategy directs the
Meetings of Ministers of Justice or Other Ministers or Attorneys
General of the Americas (REMJA), through the Group of Government
Experts on Cyber-Crime, to provide technical assistance to member
states in drafting and enacting effective computer crime laws to
protect information systems and facilitate investigations and
prosecutions.
Organisation for Economic Cooperation and Development:
The Organisation for Economic Cooperation and Development (OECD) is an
intergovernmental organization composed of 31 democratic countries.
[Footnote 17] Member countries' governments can compare policy
experiences, seek answers to common problems, identify best practices,
and coordinate domestic and international policies. The OECD Working
Party on Information Security and Privacy (WPISP) uses a consensus-
based process to develop policy options to address the security and
privacy implications of the growing use of information and
communication technologies. In addition to developing policy analysis,
OECD is responsible for making recommendations designed to improve the
security and privacy of its member countries. For example, in 2008,
the OECD Council adopted a recommendation calling for member countries
to cooperate among themselves and with the private sector to improve
the protection of critical information infrastructure. Specifically,
the recommendations called for bilateral and multilateral sharing of
best practices, development of common understandings of cross-border
interdependencies and vulnerabilities, identification of national
agencies involved in critical information infrastructure protection,
acknowledgment of the value of international watch and warning
networks, and international cooperation on cyber research and
development.
UN:
The UN is an international organization with 192 member countries
founded in 1945 and chartered to maintain international peace and
security, develop friendly relations among countries, and promote
social progress, better living standards, and human rights. The
General Assembly, which provides a forum for discussing and adopting
resolutions on cyberspace-related issues and raising international
cybersecurity awareness, is the UN's chief deliberative, policymaking,
and representative body. Other organizational entities within the UN,
such as the Office on Drugs and Crime, are additional forums where
member countries can discuss approaches for transnational issues,
including cybercrime.
U.S. Government Entities Are Involved with Multiple Global Cyberspace
Security and Governance Efforts:
Multiple U.S. government entities participate in the formulation,
coordination, implementation, and oversight of international efforts
that can impact cyberspace security and governance. These efforts are
authorized by statutes, presidential directives, and national
policies. Federal entities' involvement in these efforts ranges from
engaging in bilateral and multilateral relationships with foreign
countries to providing personnel to foreign agencies to leading or
being a member of a U.S. delegation to attending meetings.
National Security Council:
The National Security Council (NSC) is the principal forum for
considering national security and foreign policy matters that require
presidential involvement. The NSC was established by the National
Security Act of 1947 and subsequently placed within the Executive
Office of the President. Presidential Policy Directive-1, signed in
February 2009, directs multiple federal entities to participate in NSC
meetings and established interagency policy committees to serve as the
main mechanisms for coordination of national security policy. The
committees are designed to provide policy analysis for consideration
by more senior committees within the NSC system and ensure timely
responses by the President. According to DOD officials, the NSC
approved an Information and Communications Infrastructure Interagency
Policy Committee (ICI-IPC) in March 2009. Officials further stated
that the ICI-IPC subsequently approved a subcommittee to focus on
international cyberspace policy efforts (International Sub-IPC).
Officials from the Departments of Commerce, Defense, Homeland
Security, Justice, State, and the Treasury, as well as officials from
the Office of the United States Trade Representative and the Federal
Communications Commission stated that they participate in the
International Sub-IPC, where they coordinate international cyberspace-
related policy efforts.
Department of Commerce:
The Department of Commerce's (DOC) mission is to foster, promote, and
develop the foreign and domestic commerce of the United States. It is
responsible under HSPD-7, in coordination with other federal and
nonfederal entities, for improving technology for cyber systems and
promoting critical infrastructure efforts, including using its
authority under the Defense Production Act. Two of the department's
subcomponents are responsible for activities that can impact
international efforts related to cyberspace security and governance.
The National Telecommunications and Information Administration (NTIA)
is to serve as the principal presidential adviser on information
policy and telecommunications issues. In addition, NIST is to promote
U.S. innovation and industrial competitiveness by advancing
measurement science, standards, and technology. According to NIST
officials, it carries out these responsibilities, in part, with the
American National Standards Institute (ANSI), a U.S. organization that
is responsible for coordinating and promoting voluntary consensus
standards and information-sharing to minimize overlap and duplication
of U.S. standards-related efforts.[Footnote 18] Department of Commerce
officials also stated that the department participates in the
activities of the International Sub-IPC. NTIA and NIST officials
provided descriptions of their efforts, which we summarized in table 4.
Table 4: Department of Commerce's International Efforts Related to
Cyberspace Security or Governance:
Agency/component: NTIA;
Description of effort:
* Oversees the Internet Assigned Names Authority contract, and
negotiated the Affirmation of Commitments signed between the U.S.
government and ICANN in September 2009. NTIA also represents the U.S.
government on ICANN's Government Advisory Committee;
* Participates in ITU-T study group efforts (cybersecurity standards,
promotion of neutral policy-related outputs as appropriate) as a
substantive expert member of U.S. delegations;
* Participates in ITU-D study group efforts (national best-practices
guidelines, tools to promote a culture of cybersecurity, and
cybersecurity self-assessment tools) as an expert member of U.S.
delegations;
* Participates in ITU-R study group efforts (spectrum management) as
an expert member of U.S. delegations;
* Has participated in technical, policy, and regulatory capacity-
building efforts in Latin America and the Caribbean through efforts in
OAS-CITEL as an expert member of U.S. delegations;
* Participates in technical, policy, and regulatory capacity-building
efforts in Latin America through efforts in OAS-CICTE as an expert
member of its workshops and through efforts supporting its work in
global cyber incident response team development;
* Participates in policy and regulatory training sessions through
specialized U.S. Telecommunications Training Institute training
activities;
* Participates in APEC-TEL regarding issues such as cybersecurity and
child online safety;
* Oversees the implementation of Domain Name System Security
Extensions at the authoritative root zone, as well as its
implementation within the US and EDU top-level domains;
* Joined OECD WPISP's Volunteer Group on Cybersecurity Strategies
which was created in March 2010 to monitor potential overlaps with
other intergovernmental cybersecurity forums;
* Participates in IETF meetings to track DNS and Internet Protocol-
related activities;
* Participates in IGF meetings;
* Has participated in technical infrastructure capacity-building
efforts (such as for Central Asia and Eastern Africa);
* Participates in the International Sub-IPC.
Agency/component: NIST;
Description of effort:
* Chairs (since as early as 2002) and participates in multiple U.S.
technical advisory groups to JTC-1 that have developed or are
developing standards related to security evaluation techniques,
identity management, identification card and smart card
interoperability, cloud computing, biometrics, and cryptography;
* Participates in ITU-T study group efforts via the joint standards
development project with ISO-IEC JTC-1;
* Serves as editor and area director while contributing to IETF
standards efforts, including multiple efforts related to Internet
Protocol version 6;
* Serves as editor and otherwise contributes to IEEE 802;
* Provides guidance to organizations for implementing wireless
networks standards.
Source: GAO analysis of Department of Commerce data.
[End of table]
DOD:
DOD provides the military forces needed to protect the security of the
United States. As part of its mission, DOD is responsible for
protecting and defending its networks, including independently
establishing bilateral relationships with foreign military and other
international partners to share computer vulnerability data and
coordinate activities and operations. As a federal department with
cyber expertise, DOD is included by HSPD-7 among the departments that
are to collaborate with DHS to secure cyberspace. Under these
authorities, multiple subcomponents within the department are
responsible for cyberspace activities related to strategy, policy,
plans, and operations. The Office of the Assistant Secretary of
Defense for Global Strategic Affairs (OASD (GSA)) is the primary
policy organization within DOD responsible for formulating the
department's international cyberspace policies. The Office of the
Assistant Secretary of Defense for Networks and Information
Integration/DOD Chief Information Officer (OASD(NII)/DOD CIO) is to
develop and coordinate information-sharing relationships with
international military partners to support computer network defense
operations. The Joint Staff J-5 is responsible for translating
national policy into joint doctrine for DOD's combatant commands and
represents the Joint Chiefs of Staff (JCS) at the ICI-IPC. DOD
officials also stated that the department has a role in the activities
of the International Sub-IPC. DOD officials provided descriptions of
their efforts, which we summarized in table 5.
Table 5: DOD's International Efforts Related to Cyberspace Security or
Governance:
Agency/component: OASD (GSA);
Description of effort:
* Develops DOD strategy for international cyberspace engagement and
coordinates intra-agency cyber activities for the Secretary and Deputy
Secretary of Defense;
* Supports NATO cyberspace policy development;
* Participates in ITU-T and ITU-D study group efforts (cybersecurity
standards, national best-practices guidelines, tools to promote a
culture of cybersecurity, and cybersecurity self-assessment tools) as
a member of U.S. delegations;
* Participate in UN General Assembly proceedings as subject matter
expert in U.S. delegations;
* Participates in an intra-agency working group related to ICANN;
* Develops bilateral and multilateral agreements regarding military
cooperation for cyberspace operations;
* Provides policy guidance to other U.S. agencies participating in
international efforts via the International Sub-IPC.
Agency/component: OASD(NII)/DOD CIO;
Description of effort:
* Leads the International Information Assurance Program, which
develops and manages cyber-related bilateral and multilateral data
sharing relationships with foreign military partners;
* Represents the United States at the NATO C3 Board that approves the
NATO Cyber Defense Policy and directs policy implementation via the
Cyber Defense Management Board;
* Sponsors the biannual International Cyber Defense Workshop, which
provides technical security training to military and civilian
information assurance specialists and computer security practitioners
on topics including computer network defense, response and analysis,
and computing forensics;
* Provides technical expertise and guidance to other U.S. agencies
participating in international efforts via the International Sub-IPC.
Agency/component: JCS;
Description of effort:
* Maintains Joint Staff country desk officers to liaise with foreign
military counterparts in coordination with Defense Attachés and the
Department of State;
* Provides liaison officers to the UN Military mission;
* Develops and provides professional military education with respect
to joint military doctrine, including cyberspace operations, to allied
nations;
* Represents the JCS and provides guidance to other U.S. agencies
participating in international efforts via the International Sub-IPC.
Source: GAO analysis of DOD data.
[End of table]
DHS:
DHS is responsible for preventing and deterring terrorist attacks and
protecting against and responding to other threats and hazards within
the United States, including with regard to key resources and critical
infrastructure. Federal law and policy also tasks DHS with critical
infrastructure protection responsibilities that include strengthening
international cyberspace security in conjunction with other federal
agencies, international organizations, and industry. Multiple DHS
subcomponents conduct activities that are related to cyberspace
security and governance. According to DHS officials, the Office of
Cyber Security and Communications (CS&C) is responsible for, among
other things, building and maintaining a national cyberspace response
system, implementing a cyber-risk management program for protection of
critical infrastructure, and planning for and providing national
security and emergency preparedness communications to the federal
government. DHS officials also stated that the department has a role
in the activities of the International Sub-IPC. DHS's United States
Secret Service (USSS) is responsible for investigating crimes related
to U.S. financial infrastructure, including computer fraud,
cybercrime, and other types of electronic crimes. DHS officials
provided descriptions of their efforts, which we summarized in table 6.
Table 6: DHS's International Efforts Related to Cyberspace Security or
Governance:
Agency/component: CS&C;
Description of efforts:
* Participates in ITU-T's cybersecurity and telecommunications
standards study group efforts as a member of U.S. delegations;
* Participates in ITU-D's cybersecurity capacity-building study group
efforts (such as national cybersecurity best-practices guides and
cybersecurity self-assessment tools) as a member of U.S. delegations;
* Engages multi-national companies to develop key practices that
mitigate risk to the global supply chain;
* Co-sponsors an international academic working group reviewing
international standards for information assurance education;
* Conducts large-scale cybersecurity exercises, such as Cyber Storm,
with international partners to improve incident response and
coordination capabilities;
* Participates in FIRST;
* Coordinates the development of incident response standard operating
procedures for the International Watch and Warning Network, a
government-to-government forum. The network was established in 2004 to
foster international collaboration on addressing cyber threats,
attacks, and vulnerabilities, and enhancing global cyber situational
awareness and incident response capabilities;
* Serves on the Steering Committee for the Meridian Process and serves
as chair of the Meridian Process Control Systems Information Exchange;
* Serves as the Deputy Co-Convener of the cybersecurity-focused
biannual meetings of APEC-TEL's Security and Prosperity Steering Group;
promotes cybersecurity exercises, awareness raising, and other topics
by convening and participating in APEC-TEL workshops;
directly participates in APEC-TEL meetings as a member of U.S.
delegations;
* Advises on the OECD's WPISP efforts as a member of U.S. delegations;
* Participates in OAS-CICTE efforts to advance cybersecurity and
develop cyber incident response teams across the hemisphere and
promote regional capacity-building;
* Participates in OAS-CITEL cybersecurity standards efforts as a
member via the U.S. mission (including workplan development and
increasing the level of training);
* Participated in the 2009 Organization for Security and Co-operation
in Europe meeting focused on cybersecurity;
* Engages in bilateral and multilateral relationships with foreign
countries including information sharing on issues of mutual concern
and operations; exchanging good practices; collaborating on the
development of mitigation measures; and coordination of watch,
warning, and incident response efforts;
* Provides cybersecurity-related training to developing nations at the
U.S. Telecommunication and Training Institute;
* Provides subject matter expertise to NATO's Civil Communications
Planning Committee on programs/activities that address cybersecurity;
* Participates in international efforts via the International Sub-IPC;
* Provides control systems security training to developed and
developing nations.
Agency/component: USSS;
Description of efforts:
* Participates in OAS-CICTE efforts;
* Participates in OAS-REMJA efforts;
* Assigns USSS personnel to DOJ to coordinate criminal investigations
with INTERPOL;
* Investigates transnational cybercrimes using electronic crimes
special agents assigned both domestically and internationally,
including through the European Electronic Crimes Task Force;
* Provides training to International Law Enforcement Academies and
forensics training to European partners through the European
Electronic Crimes Task Force.
Source: GAO analysis of DHS data.
[End of table]
DOJ:
DOJ is the chief law enforcement agency of the U.S. government and is
responsible for prosecuting violations of cyber-related laws such as
the Computer Fraud and Abuse Act. HSPD-7 also directs DOJ to work with
DHS in efforts to investigate and prosecute threats to and attacks
against cyberspace. Further, the directive instructs DOJ, and other
federal agencies, to work with foreign countries and international
organizations to strengthen critical infrastructure and key resources
of the United States. DOJ officials also stated that the department
has a role in the activities of the International Sub-IPC.
According to DOJ officials, multiple DOJ subcomponents conduct
activities that can impact international efforts related to cyberspace
security and governance. For example, DOJ's Criminal Division, through
the Computer Crime and Intellectual Property Section (CCIPS), is
responsible for prosecuting U.S. citizens and foreign nationals who
commit electronic crime. CCIPS also provides international training on
cybercrime and participates in a number of international organizations
addressing cybercrime. The Federal Bureau of Investigation's (FBI)
Cyber Division is the lead federal agency for investigating
cybercrime, including criminal intrusions, online child protection,
intellectual property protection, and identity theft. In addition, the
FBI operates the -National Cyber Investigative Joint Task Force that
includes intelligence and law enforcement agencies and is tasked with
investigating, predicting, and preventing cyber terrorism, cyber
espionage, and cybercrime. DOJ's National Security Division's (NSD)
primary mission is counterterrorism and protecting against other
threats to national security, and it is responsible for coordinating
efforts between the U.S. intelligence community and prosecutors and
law enforcement agencies. The U.S. National Central Bureau of INTERPOL
(USNCB) represents the United States as an INTERPOL member and serves
as a point of contact for U.S. federal, state, local, and tribal law
enforcement for the international exchange of information for criminal
investigations. DOJ officials provided descriptions of their
international efforts related to cyberspace security and governance,
which we summarized in table 7.
Table 7: DOJ's International Efforts Related to Cyberspace Security or
Governance:
Agency/component: CCIPS;
Description of efforts:
* Prosecutes U.S. citizens and foreign nationals who commit electronic
crime;
* Leads U.S. efforts at the G8 Subgroup on High-Tech Crime, including
management of the 24-7 High-Tech Crime Points-of-Contact Network;
* Chairs the OAS-REMJA Experts Group and participates in training
programs related to investigating and prosecuting cyber crimes;
* Participates in providing training programs to APEC and ASEAN member
states related to investigating and prosecuting cyber crimes;
* Provides training to African countries related to cybercrime,
including cooperative assistance with legislative drafting and
investigative training programs, in connection with the African Union,
Economic Community of West African States, Common Market for Eastern
and Southern Africa, and Organisation International de la Francophonie;
* Monitors ITU-D study group efforts and GCA activities related to
cybercrime;
* Chairs the implementation committee of, and provides training
related to, the Council of Europe's Convention on Cybercrime;
* Participates in OECD's WPISP meetings;
* Participates in the Organization for Security and Co-operation in
Europe meetings;
* Participates in UN General Assembly proceedings;
* Participates in the UN Crime Congress and Crime Commission
negotiations;
* Interacts with the European Union's Freedom, Security, and Justice
directorate regarding multiple cybercrime related topics, such as the
Budapest Convention on Cybercrime, international cybercrime training,
and policy issues associated with ICANN;
* Participates, in coordination with the FBI and other government
agencies, in efforts to ensure ICANN management is aware of law
enforcement and public safety needs related to preservation of records;
* Has provided law enforcement training to CERT organizations,
including FIRST;
* Establishes bilateral and multilateral relationships with foreign
countries to cooperate on cybercrime investigations and cyber-related
training;
* Participates in U.S. foreign policy efforts related to cyberspace
issues including free speech rights and jurisdictional questions;
* Proposes, or comments on proposals for, legislation affecting
international cybercrime;
on request, critiques other countries' draft cybercrime statutes;
* Runs interagency meetings to coordinate international cybercrime
training;
* Provides training and emergency assistance to U.S. and foreign
agencies, including INTERPOL, for obtaining electronic evidence from
foreign countries;
* Provides policy guidance to other U.S. agencies participating in
international efforts, via the International Sub-IPC.
Agency/component: FBI Cyber Division;
Description of efforts:
* Investigates violations of U.S. laws related to cybercrime;
* Posts legal attachés to U.S. embassies to serve as the FBI's
representatives;
* Establishes bilateral and multilateral relationships with foreign
countries to cooperate on cybercrime investigations;
chairs the Strategic Alliance Cyber Crime Working Group, a
multilateral effort with close U.S. allies to improve law enforcement
cooperation;
* Leads an international task force related to the Innocent Images
National Initiative designed to combat the production, distribution,
and possession of child pornography and online predators;
* Provides agency personnel to foreign law enforcement agencies to
provide support to cybersecurity-related investigations and foster law
enforcement relations;
* Leads ICANN international meetings and Regional Internet Registry
meetings to ensure Internet Service Providers and Regional Internet
Registries are aware of law enforcement requirements with regard to
the DNS. Introduced, along with the UK Serious Organized Crime Agency,
LE Registrar Accreditation Agreement and Due Diligence proposal before
the ICANN Governmental Advisory Board and Board of Directors at the
ICANN meeting in Seoul, Korea;
* Provides cybercrime investigation training to foreign students via
International Law Enforcement Academies.
Agency/component: NSD;
Description of efforts:
* Participating in Cyber Storm III, a planned large-scale
cybersecurity exercises with international partners to improve
incident response and coordination capabilities;
* Consulted on white paper regarding the Global Internet Freedom
Initiative;
* Participates in UN Counterterrorism Implementation Task Force
workshops on legal and technical aspects of countering terrorist use
of the Internet;
* Participates in the International Sub-IPC.
Agency/component: USNCB;
Description of efforts:
* Serves as U.S. liaison to INTERPOL.
Source: GAO analysis of DOJ data.
[End of table]
Department of State:
As the lead U.S. agency with responsibility for foreign affairs, the
Department of State has a variety of duties relating to cyberspace.
For example, it is responsible for the formulation, coordination, and
oversight of foreign policy related to international communications
and information policy, including exercising primary authority for the
determination of U.S. positions and the conduct of U.S. participation
in negotiations with foreign governments and international bodies. It
is also responsible for coordination and oversight with respect to all
major science and technology agreements. In addition, under the 2003
National Strategy to Secure Cyberspace, the Department of State is to
lead federal efforts to enhance international cyberspace security
cooperation. Under HSPD-7, the department is also to work
collaboratively with DHS in efforts to secure cyberspace. Further,
according to officials, the department has a role in CNCI efforts and
the activities of the International Sub-IPC. Department officials
further stated that the department focuses on engaging countries,
bilaterally and multilaterally, on a range of cyberspace issues.
To fulfill the department's lead responsibility, a number of
Department of State entities are given roles. For example, the Bureau
of Economic, Energy, and Business Affairs, International
Communications and Information Policy (EEB/CIP), is responsible for
international telecommunications and information policy. In addition,
the Bureau of Intelligence and Research (INR), Office of Cyber
Affairs, is responsible for providing intelligence analysis and
coordinating international outreach on cybersecurity issues. The
Bureau of International Narcotics and Law Enforcement Affairs (INL) is
responsible for coordinating policy and programs to combat cybercrime.
Finally, the Office of European Security and Political Affairs (EUR/
RPM) develops and coordinates policy on U.S. security interests in
Europe. Department officials provided descriptions of their bureaus'
specific international efforts, which we summarized in table 8. During
the course of our work, Department of State officials stated that
their department had initiated an internal reorganization that would
determine how its cybersecurity related activities will be
coordinated; however, the reorganization had not yet occurred.
Table 8: Department of State's International Efforts Related to
Cyberspace Security or Governance:
Agency/component: EEB/CIP;
Description of efforts:
* Leads the coordination and development of U.S. positions for ITU
meetings, including the ITU Plenipotentiary Conference, World
Telecommunication Development Conference, World Telecommunication
Standardization Assembly, and World Radiocommunication Conference;
* Leads U.S. delegations to ITU-T, including study group efforts
focused on developing cybersecurity standards, cable transmission
standards, next generation networks, and cybersecurity;
* Leads U.S. delegations to ITU-D and chaired study group efforts
focused on national best-practices guides and cybersecurity self-
assessment tools;
* Participates in ITU-R study group efforts related to cybersecurity;
* Provides input into the ITU-GCA through the annual meeting of the
ITU Council; participated in the Group of Experts that helped identify
global cybersecurity issues and recommend activities for ITU
involvement;
* Holds an annual Information Society Dialogue with the European
Commission to exchange information on telecommunications and
information and communications technology developments;
* Participate in IGF meetings as moderators, panelists, and attendees;
* Co-Chairs with the Bureau of Democracy, Human Rights, and Labor, the
NetFreedom Task Force whose goal is to promote the free flow of
information and freedom of expression on the Internet;
* Leads U.S. delegations to biennial meetings of the APEC-TEL's
Security and Prosperity Steering Group;
* Leads U.S. delegations to OECD's WPISP meetings to develop policy
options to sustain trust, information security, and privacy;
* Leads U.S. delegations to OAS-CITEL meetings to discuss regional
positions on issues pending before the ITU, including cybersecurity;
* Engages in bilateral and multilateral relationships with foreign
countries to address a range of cybersecurity issues;
* Participates in Sub-IPCs.
Agency/component: INR;
Description of efforts:
* Authored and negotiated approval of UN General Assembly resolutions
(including those related to combating the criminal misuse of
information technologies, creation of a global culture of
cybersecurity, protecting critical information infrastructures, and
taking stock of national efforts to protect critical information
infrastructures);
* Participates as subject matter experts in U.S. delegations to ASEAN
meetings that focus on cyberspace policy and international security,
such as terrorist exploitation of the Internet;
* Represents the U.S. at the UN Group of Governmental Experts;
* Leads U.S. efforts at the Organization for Security and Co-operation
in Europe by sponsoring workshops and providing expertise on critical
infrastructure protection, cyberterrorism, and cybersecurity;
* Participates in OAS-CICTE conferences and workshops focused on
cybersecurity and counterterrorism;
* Participates in Meridian conference activities;
* Engages in bilateral and multilateral relationships with foreign
countries to address a range of cybersecurity issues;
* Prepares analysis of international cybersecurity issues;
* Coordinates the Department of State's representation to the ICI-IPC,
including the International Sub-IPC.
Agency/component: INL;
Description of efforts:
* Provides leadership to U.S. delegations to the G8 Subgroup on High-
Tech Crime;
* Promotes greater acceptance and use of the UN Convention Against
Transnational Organized Crime as an alternative means for countries to
address cybercrime;
* Provides leadership to cybercrime efforts within OAS-REMJA;
* Participates in the International Sub-IPC.
Agency/component: EUR/RPM;
Description of efforts:
* Develops and coordinates U.S. policy related to NATO, including
consideration of NATO cyber defense policies and the planned revision
of NATO's Strategic Concept.
Source: GAO analysis of Department of State data.
[End of table]
FCC:
FCC is an independent federal agency charged with regulating
interstate and international communications by radio, television,
wire, satellite, and cable. The FCC is organized into seven bureaus,
and, according to FCC officials, the International Bureau has primary
responsibility for representing the FCC in satellite and international
matters. FCC officials also stated that the agency has a role in the
activities of the International Sub-IPC. FCC officials provided
descriptions of their efforts, which we summarized in table 9.
Table 9: FCC's International Efforts Related to Cyberspace Security or
Governance:
Agency/component: International Bureau;
Description of efforts:
* Participates in ITU-R study group efforts as a member of U.S.
delegations;
* Participates in ITU-D study group efforts (domestic enforcement of
laws, rules, and regulations on telecommunications by national
telecommunication regulatory authorities) as a member of U.S.
delegation;
* Participates in OAS-CITEL meetings as a member of U.S. delegation;
* Has attended a meeting of OECD's WPISP;
* Provides technical expertise and guidance to other U.S. agencies
participating in international efforts via the International Sub-IPC
and Telecommunications Standardization Advisory Group.
Source: GAO analysis of FCC data.
[End of table]
USTR:
USTR is the primary adviser to the President on international trade
matters. It is responsible for developing and coordinating U.S.
international trade policy and has the responsibility for trade
negotiations with other countries. The Trade Agreements Act of 1979
gives USTR the responsibility for coordinating the development of U.S.
trade policy on all standards-related activities. According to USTR
officials, the USTR leads federal government policy deliberations on
foreign standards-related measures through the interagency Trade
Policy Staff Committee in order to prevent and resolve trade concerns
arising from standards-related measures. In addition, it is to engage
with other governments on standards-related issues, as well as through
multilateral organizations such as APEC and OECD. Further, according
to USTR officials, it also has a role in the activities of the
International Sub-IPC. USTR officials provided descriptions of their
efforts, which we summarized in table 10.
Table 10: USTR's International Efforts Related to Cyberspace Security
or Governance:
Agency/component: USTR;
Description of efforts:
* Manages the implementation of the World Trade Organization (WTO)
Agreement on Technical Barriers to Trade by monitoring other WTO
members' technical regulations and conformity assessment procedures;
also engages with other WTO members bilaterally and in the WTO to
clarify and resolve issues;
* Leads U.S. efforts to negotiate the Anti-Counterfeiting Trade
Agreement Act, part of which would establish international standards
for enforcing property rights in the digital environment;
* Leads the Trade Policy Staff Committee and the Trade Policy Review
Group to coordinate interagency policies related to international
trade;
* Participates in Meridian Conference activities;
* Participate in OECD-WPISP meetings as a member of U.S. delegations;
* Participates in APEC-TEL;
* Engages with ISO on policy matters and serves as a voting member of
the ANSI ISO Council and the ANSI International Policy Committee;
* Provides technical expertise and guidance to other U.S. agencies
participating in international efforts via the International Sub-IPC.
Source: GAO analysis of USTR data.
[End of table]
Federal Entities' Roles Vary:
Federal entities' roles range from leading or being a member of a U.S.
delegation to an international entity or effort, providing policy
advice to other U.S. entities through the interagency process, and
attending meetings. For example, DHS's CS&C hosted and led the 2009
Meridian conference that brought together more than 100 participants
from 40 countries. In contrast, DHS participates at the biannual
meetings of the OECD's WPISP as a member of the U.S. delegation.
Figure 1 illustrates federal agencies' involvement with the key
entities and efforts.
Figure 1: U.S. Government Involvement in Key Entities and Efforts
Addressing Global Cyberspace Security and Governance:
[Refer to PDF for image: table]
Key entities and efforts:
DOC/NTIA:
APEC: [Check];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Check];
ITU-D: [Check];
ITU-R: [Check];
ITU-GCA: [Empty];
ICANN: [Check];
IETF: [Check];
IGF: [Check];
INTERPOL: [Empty];
Meridian: [Empty];
NATO: [Empty];
OAS-CICTE: [Check];
OAS-CITEL: [Check];
OAS-REMJA: [Empty];
OECD WPISP: [Check];
United Nations: [Empty].
DOC/NIST:
APEC: [Empty];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Check];
IEC: [Check];
ISO: [Check];
ITU-T: [Check];
ITU-D: [Empty];
ITU-R: [Empty];
ITU-GCA: [Empty];
ICANN: [Empty];
IETF: [Check];
IGF: [Empty];
INTERPOL: [Empty];
Meridian: [Empty];
NATO: [Empty];
OAS-CICTE: [Empty];
OAS-CITEL: [Empty];
OAS-REMJA: [Empty];
OECD WPISP: [Empty];
United Nations: [Empty].
DOD/OASD (GSA):
APEC: [Empty];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Check];
ITU-D: [Check];
ITU-R: [Empty];
ITU-GCA: [Empty];
ICANN: [Empty];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Empty];
Meridian: [Empty];
NATO: [Check];
OAS-CICTE: [Empty];
OAS-CITEL: [Empty];
OAS-REMJA: [Empty];
OECD WPISP: [Empty];
United Nations: [Check].
DOD/OASD (NII/DOD CIO):
APEC: [Empty];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Empty];
ITU-D: [Empty];
ITU-R: [Empty];
ITU-GCA: [Empty];
ICANN: [Check];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Empty];
Meridian: [Empty];
NATO: [Check];
OAS-CICTE: [Empty];
OAS-CITEL: [Empty];
OAS-REMJA: [Empty];
OECD WPISP: [Empty];
United Nations: [Empty].
DOD/JCS:
APEC: [Empty];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Empty];
ITU-D: [Empty];
ITU-R: [Empty];
ITU-GCA: [Empty];
ICANN: [Empty];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Empty];
Meridian: [Empty];
NATO: [Empty];
OAS-CICTE: [Empty];
OAS-CITEL: [Empty];
OAS-REMJA: [Empty];
OECD WPISP: [Empty];
United Nations: [Check].
DHS/CS&C:
APEC: [Check];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Check];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Check];
ITU-D: [Check];
ITU-R: [Empty];
ITU-GCA: [Empty];
ICANN: [Empty];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Empty];
Meridian: [Check];
NATO: [Check];
OAS-CICTE: [Check];
OAS-CITEL: [Check];
OAS-REMJA: [Empty];
OECD WPISP: [Check];
United Nations: [Empty].
DHS/USSS:
APEC: [Empty];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Empty];
ITU-D: [Empty];
ITU-R: [Empty];
ITU-GCA: [Empty];
ICANN: [Empty];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Check];
Meridian: [Empty];
NATO: [Empty];
OAS-CICTE: [Check];
OAS-CITEL: [Empty];
OAS-REMJA: [Check];
OECD WPISP: [Empty];
United Nations: [Empty].
DOJ/CCIPS:
APEC: [Check];
ASEAN: [Check];
Council of Europe: [Check];
European Union: [Check];
FIRST: [Check];
G8 Subgroup on High Tech Crime: [Check];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Empty];
ITU-D: [Check];
ITU-R: [Empty];
ITU-GCA: [Check];
ICANN: [Check];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Check];
Meridian: [Empty];
NATO: [Empty];
OAS-CICTE: [Empty];
OAS-CITEL: [Empty];
OAS-REMJA: [Check];
OECD WPISP: [Check];
United Nations: [Check].
DOJ/FBI:
APEC: [Empty];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Empty];
ITU-D: [Empty];
ITU-R: [Empty];
ITU-GCA: [Empty];
ICANN: [Check];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Empty];
Meridian: [Empty];
NATO: [Empty];
OAS-CICTE: [Empty];
OAS-CITEL: [Empty];
OAS-REMJA: [Empty];
OECD WPISP: [Empty];
United Nations: [Empty].
DOJ/NSD:
APEC: [Empty];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Empty];
ITU-D: [Empty];
ITU-R: [Empty];
ITU-GCA: [Empty];
ICANN: [Empty];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Empty];
Meridian: [Empty];
NATO: [Empty];
OAS-CICTE: [Empty];
OAS-CITEL: [Empty];
OAS-REMJA: [Empty];
OECD WPISP: [Empty];
United Nations: [Check].
DOJ/USNCB:
APEC: [Empty];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Empty];
ITU-D: [Empty];
ITU-R: [Empty];
ITU-GCA: [Empty];
ICANN: [Empty];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Check];
Meridian: [Empty];
NATO: [Empty];
OAS-CICTE: [Empty];
OAS-CITEL: [Empty];
OAS-REMJA: [Empty];
OECD WPISP: [Empty];
United Nations: [Empty].
STATE:
APEC: [Check];
ASEAN: [Check];
Council of Europe: [Empty];
European Union: [Check];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Check];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Check];
ITU-D: [Check];
ITU-R: [Check];
ITU-GCA: [Check];
ICANN: [Empty];
IETF: [Empty];
IGF: [Check];
INTERPOL: [Empty];
Meridian: [Empty];
NATO: [Check];
OAS-CICTE: [Check];
OAS-CITEL: [Check];
OAS-REMJA: [Check];
OECD WPISP: [Check];
United Nations: [Check].
FCC:
APEC: [Empty];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Empty];
ITU-T: [Empty];
ITU-D: [Check];
ITU-R: [Check];
ITU-GCA: [Empty];
ICANN: [Empty];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Empty];
Meridian: [Empty];
NATO: [Empty];
OAS-CICTE: [Empty];
OAS-CITEL: [Check];
OAS-REMJA: [Empty];
OECD WPISP: [Check];
United Nations: [Empty].
USTR:
APEC: [Check];
ASEAN: [Empty];
Council of Europe: [Empty];
European Union: [Empty];
FIRST: [Empty];
G8 Subgroup on High Tech Crime: [Empty];
IEEE: [Empty];
IEC: [Empty];
ISO: [Check];
ITU-T: [Empty];
ITU-D: [Empty];
ITU-R: [Empty];
ITU-GCA: [Empty];
ICANN: [Empty];
IETF: [Empty];
IGF: [Empty];
INTERPOL: [Empty];
Meridian: [Check];
NATO: [Empty];
OAS-CICTE: [Empty];
OAS-CITEL: [Empty];
OAS-REMJA: [Empty];
OECD WPISP: [Check];
United Nations: [Empty].
Note: [Check] = The range of federal entities' roles include leading
or being a member of a U.S. delegation to an international
organization or effort to attending meetings.
[End of figure]
The U.S. Government Faces Challenges in Addressing the Global Aspects
of Cyberspace:
The U.S. government faces a number of challenges that impede its
ability to formulate and implement a coherent approach to addressing
the global aspects of cyberspace, including (1) providing top-level
leadership, (2) developing a coherent and comprehensive strategy, (3)
coordinating across all relevant federal entities, (4) ensuring
cyberspace-related technical standards and policies do not pose
unnecessary barriers to U.S. trade, (5) participating in international
cyber incident response, (6) differing legal systems and enforcing
U.S. criminal and civil laws, and (7) defining international norms for
cyberspace.
Providing Top-Level Leadership:
Sustained top-level leadership is critical to adequately planning and
executing activities that address issues of national importance.
According to the President's Cyberspace Policy Review, the U.S.'s
cybersecurity policy official is to lead specific near-term
international goals and objectives, such as developing an
international policy framework and strengthening and integrating the
interagency processes to formulate and coordinate our international
cybersecurity-related position. However, the recently appointed
Cybersecurity Coordinator's authority and capacity to effectively
coordinate and forge a coherent national approach to cyberspace policy
are still under development.
In addition, while the International Sub-IPC has led international
cyberspace-related policy analysis since March 2009, according to
Department of Commerce officials, it does not drive agency actions but
instead focuses on ensuring that all agencies are aware of each
others' international cyber-related activities. A DOD official stated
that, at least prior to the Cybersecurity Coordinator's appointment,
the International Sub-IPC focused on identifying relevant
organizations and policy areas that should be included in future
interagency discussions.
Although the Departments of Commerce, Homeland Security, Justice, and
State have served in leadership roles for the specific activities of
the key entities and efforts identified, federal agencies have not
provided top-level leadership for the U.S. on these issues. For
example, although the Department of State is charged with leading
other federal agencies in establishing global networks to share threat
information, department officials stated that only the President or an
executive entity such as the NSC possesses the necessary authority to
direct agencies such as DHS to participate.
Until the Cybersecurity Coordinator provides top-level leadership,
there is an increased risk that U.S. agencies will not formulate and
coordinate U.S. international cybersecurity-related positions as
envisioned in the President's Cyberspace Policy Review.
Developing a Coherent and Comprehensive Strategy:
Our work has demonstrated the importance of comprehensive strategies
that specify overarching goals, subordinate objectives, supporting
activities, roles and responsibilities, and outcome-oriented
performance metrics, as well as time frames to help ensure
accountability and align agency activities with the U.S.'s long-term
economic, national security, and other interests.[Footnote 19]
Although multiple federal entities are engaged in a variety of
international efforts that impact cyberspace governance and security,
the U.S. government has not documented a clear vision of how these
efforts, taken together, support overarching national goals. In lieu
of a comprehensive strategy, multiple agency officials cited a variety
of documents that may inform agency policies and efforts, including
the 2003 National Strategy to Secure Cyberspace and the 2009
President's Cyberspace Policy Review.
However, none of the documents, taken individually or collectively,
provide a comprehensive strategy. For example, while the 2003 National
Strategy to Secure Cyberspace states that the Department of State will
lead other federal agencies, the strategy does not further articulate
either specific supporting activities or time frames in which to
accomplish this or other objectives. Similarly, according to the
President's Cyberspace Policy Review, the cybersecurity policy
official should lead specific near-term international goals and
objectives; however, it does not further articulate either the
specific supporting activities or time frames in which to accomplish
this or other objectives. Officials from the Departments of State and
Defense stated that, as called for by the President's Cyberspace
Policy Review, an effort is currently under way to develop an
international strategy for cyberspace. However, we have not seen any
evidence of such activities and, thus, were unable to determine what
progress, if any, has been made towards accomplishing this goal. In
addition, in March 2010, we reported that the federal government
lacked a formal strategy for coordinating outreach to international
partners for the purposes of standards setting, law enforcement, and
information-sharing.[Footnote 20]
Unless agency and White House officials follow a comprehensive
strategy that clearly articulates overarching goals, subordinate
objectives, specific activities, performance metrics, and reasonable
time frames to achieve results, the Congress and the American public
will be ill-equipped to assess how, if at all, federal efforts to
address the global aspects of cyberspace ultimately support U.S.
national security, economic, and other interests.
Coordinating across All Relevant Federal Entities:
Interagency mechanisms that fully engage all key federal agencies are
crucial to ensuring that agencies' efforts are coordinated, mutually
reinforcing, and supportive of national goals. Federal agencies have
relied upon a variety of forums to coordinate their international
efforts that impact cyberspace governance and security.
However, federal agencies have not demonstrated an ability to
coordinate their activities and project clear policies on a consistent
basis. Multiple DOD officials stated that relationships among a small
number of government officials--rather than a formal interagency
mechanism--remain a primary means by which agencies avoid policy
conflicts. For example, DOD officials stated that DOD has authority to
establish relationships with foreign countries to share computer
vulnerability data, but it is not required to notify other agencies
when such relationships are developed, though officials stated that
DOD does so as a courtesy. In addition, DOD and Department of State
officials acknowledged that the announcement of the Secretary of
Defense's decision to establish the Cyber Command was not coordinated
with the Department of State, although DOD officials stated that the
department had shared the purpose, intent, and mission with other
agencies, including the Department of State. Nevertheless, the
announcement was perceived by several foreign governments and other
entities as a potentially threatening attempt by the U.S. government
to militarize cyberspace, according to recognized experts.
By contrast, multiple agency officials stated that there are
interagency mechanisms that have been effective at coordinating U.S.
policy. USTR officials stated that interagency coordination had
improved significantly since the inception of the ICI-IPC, and noted
that the International Sub-IPC established a working group in late
2009, chaired by NIST and the National Security Agency, to ensure that
the U.S. engages strategically in international standards forums.
However, while the International Sub-IPC was established in March 2009
and has been used to coordinate international cyberspace-related
activities and analysis across federal agencies, some key federal
entities only recently began participating, and the extent to which it
fully engages all key federal entities is unclear. For example,
officials from the FCC told us that they did not begin participating
in the International Sub-IPC meetings until January 2010. The
Cybersecurity Coordinator's staff added that they are continuing to
work on ways to improve engagement with all federal entities.
The global aspect of cyberspace may prevent any single mechanism from
coordinating all U.S. policies that have the potential to affect
cyberspace governance and security. Nevertheless, unless federal
agencies institutionalize a coordination mechanism that engages all
key federal entities, it is less likely that federal agencies will be
aware of each other's efforts, or that their efforts, taken together,
will support U.S. national interests in a coherent or consistent
fashion.
Ensuring Cyberspace-Related Technical Standards and Policies Do Not
Pose Unnecessary Barriers to U.S. Trade:
U.S. and foreign technical standards and related policies--including
those that address areas such as cybersecurity or privacy--can create
incidental barriers to trade by forcing private companies to choose
between exiting a market and redesigning their products to comply with
the technical standards of a particular country. In this regard, some
countries have attempted to mandate compliance with their indigenously
developed cybersecurity standards in a manner that risks
discriminating against U.S. companies.
For example, USTR reported that, in 2007, China proposed information
security regulations that would have mandated testing and
certification of security functions for information technology
products such as routers, smart cards, and secure databases and
operating systems sold commercially in China.[Footnote 21] According
to USTR, these regulations would have gone beyond internationally
accepted practices by mandating testing and certification for products
in the commercial sector, not just products for government use in
national security applications. As a result, this information security
policy could pose a trade barrier to foreign companies that seek to
market and sell their products to China, according to industry groups,
a European delegation to the WTO,[Footnote 22] and as reported by the
USTR. USTR officials stated that, after international concerns were
voiced by U.S. officials and officials from other countries, China
agreed in 2009 to limit the scope of the testing and certification
requirements to products sold to the government.
Similarly, in 2009, USTR reported that the government of South Korea
considered mandating adoption of an indigenous encryption standard as
part of a large-scale government adoption of voice-over-Internet-
Protocol systems. USTR officials stated that they successfully
convinced the South Korean government to limit its plans to select
South Korean government agencies, which would have otherwise forced
U.S. equipment and software suppliers to customize their products to
comply with the South Korean standard.
Mandatory standards proposed to improve the security of U.S.
government systems may also have the potential to impact U.S. and
foreign trade. Multiple private sector representatives stated that
they believed cybersecurity standards imposed by the U.S. government,
such as supply-chain security standards, risk encouraging other
countries to erect cybersecurity-related trade barriers that would
discriminate against U.S. companies.
Participating in International Cyber Incident Response:
The 2003 National Strategy to Secure Cyberspace states that the United
States will foster the establishment of an international network
capable of receiving, assessing, and disseminating threat information
globally. More recently, the President's Cyberspace Policy Review
stated that the federal government should explore, consistent with our
national interests, expansion of information-sharing about network
incidents and vulnerabilities with our nation's major allies.
Although multiple federal agencies are parties to information-sharing
or incident-response agreements with other countries, the federal
government lacks a coherent approach toward participating in a broader
international framework for responding to cyber incidents with global
impact. U.S. and European government officials, members of the private
sector, and subject matter experts told us that establishing an
effective international framework for incident response is difficult
for multiple reasons, including the national security concerns
associated with sharing potentially sensitive information, the large
number of independent organizations involved in incident response, and
the absence of incident response capabilities within some countries.
Security concerns related to sharing sensitive information with
foreign countries can hamper U.S. efforts to establish international
incident response capabilities. A DOD official stated that there is
disagreement, particularly within the U.S. intelligence community, as
to whether the benefits of sharing cyber-threat information outweigh
the risk of harm to U.S. security interests should sensitive data be
leaked to an adversary of the United States. An official from a
European governmental entity also agreed that political and national
security considerations associated with sharing sensitive data pose
barriers to effective international cooperation.
According to the President's Cyberspace Policy Review and recognized
experts, the sheer number of international entities engaged in
incident response can also impede international coordination. For
example, an official from a major U.S.-based software manufacturer
stated that during a major 2009 cyber incident, the company had to
work with each of the 27 member states of the European Union
individually. Moreover, it has been reported that differences in data
availability, consistency, reliability, and terminology among at least
54 national-level CERTs hinder efforts to identify cybersecurity
trends, threats, and vulnerabilities among countries and/or regions.
[Footnote 23]
In addition, there is no internationally recognized organization
responsible for coordinating an international response to a cyber
incident. For example, although the 2003 National Strategy to Secure
Cyberspace identifies FIRST as a potential basis for an international
incident response capability, FIRST is not intended to have an
operational capability and exercises no authority over the
organization and operation of individual member teams. Moreover, the
Global Response Center, which was established by the International
Multilateral Partnership Against Cyber Threats, has not demonstrated
that it possesses the capacity to provide a legitimate global
information security service to benefit all participants, according to
current and former officials from the Department of State and DHS, as
well as members of the private sector. In addition, officials from
multiple government agencies stated that a single authoritative
international incident response organization would not be appropriate.
Further, according to Department of State and DHS officials, some
countries still lack the technical capacity to establish national-
level CERTs, which may hinder U.S. or foreign entities from being able
to work with those countries as part of a coordinated response to a
cyber incident. In particular, the absence of national CERTs may
challenge efforts to establish a broader network to share information,
according to DHS officials.
The lack of an international framework for incident response has
complicated efforts of U.S.-based multinational companies to respond
to international cyber incidents. For example, an official from a
large U.S.-based software company stated that the lack of guidance
regarding U.S. prohibitions against interacting with certain countries
complicated efforts to respond to the 2009 Confickr worm. In
particular, the software company was unsure whether it was permitted
to work directly with DNS providers located in countries the United
States has labeled as state sponsors of terrorism. The global nature
of cyber threats coupled with the absence of clear guidance to U.S.-
based companies may undermine international efforts to mitigate cyber
incidents.
Differing Legal Systems and Enforcing U.S. Criminal and Civil Laws:
Several factors complicate the efforts to enforce U.S. criminal and
civil law related to cyberspace, including the (1) differences among
laws of nations, (2) insufficient technical capacity of judicial
systems, and (3) inconsistent enforcement of existing laws.
The differences among laws of nations can impede U.S. and foreign
efforts to enforce domestic criminal and civil laws related to
cyberspace. For example, FBI and USSS officials stated that
differences between U.S. and foreign privacy laws have hampered their
efforts to acquire evidence for certain transnational cybercrime
investigations.
To enforce criminal or civil cyber-related laws, law enforcement
personnel and judicial officers require specialized skills and
training. As we reported in 2007, the rapid evolution of technology
and cybercrime techniques means that law enforcement agencies must
continuously upgrade technical equipment and software tools.[Footnote
24] As a result, competing national priorities may prevent other
countries from acquiring the necessary technical expertise and tools
to effectively investigate cybercrime. Moreover, DOJ officials told us
that developing countries that lack such expertise may be less
inclined to adopt legislation necessary to investigate and prosecute
alleged acts of cybercrime.
Even countries possessing the requisite legislation and specialized
skills and training may nevertheless not have the necessary political
or public support to enforce their laws. In particular, agency
officials stated that, because most cybercrime victims are American
citizens, some governments view cybercrime as primarily a U.S. problem
and are therefore less likely to cooperate with U.S. law enforcement
agencies. We identified similar issues related to investigating and
prosecuting transborder cybercrime in 2007.[Footnote 25]
As previously discussed, federal entities, including DOJ, DHS, and the
Department of State, participate in efforts to address the inherent
challenges imposed by transnational cybercrime. Without continued
engagement with the international community, the United States faces
increased risk that our law enforcement will be impeded in their
efforts to investigate and prosecute cybercrime.
Defining International Norms for Cyberspace:
The Center for Strategic and International Studies and the President's
Cyberspace Policy Review acknowledge the importance of establishing
international norms for cyberspace.[Footnote 26] According to the
Center for Strategic and International Studies, international norms,
though not legally binding, can provide models of behavior that shape
the policies and activities of countries. For example, the President's
Cyberspace Policy Review calls for the United States to work toward an
international norm for "sovereign responsibility," which could include
establishing whether--and if so, how--the international community
holds a country accountable for cyberattacks launched by its citizens.
In addition, the President's Cyberspace Policy Review calls for the
United States to work toward an international norm for the "use of
force" in cyberspace, which could include defining the boundary
between what constitutes a cyber attack and what constitutes cyber-
espionage. According to the Center for Strategic and International
Studies, some have stated that there are advantages to the United
States not having specifically defined positions; however, others have
stated that clear international norms concerning the use of force in
cyberspace may be necessary to develop the ability to deter
individuals or countries from launching some types of cyber attacks
against U.S. interests.
Multiple federal agencies reported that they participate in efforts
that may contribute to developing international norms for cyberspace.
Department of State officials stated that the department is actively
engaged in the development of international norms in forums such as
the UN and the Organization for Security and Co-operation in Europe,
but that developing norms is a complicated and long-term process. DOD
officials also stated that the absence of agreed upon definitions for
cyberspace-related terminology--sometimes referred to as a lexicon--
can impede efforts to develop international norms. In addition,
Department of State and DOD officials stated that CNCI directs the
Department of State to develop policy approaches to deter cyber
attacks against the United States; however, we have not seen any
evidence of what progress, if any, has been made. Officials from the
Department of State, DOD, DHS, and DOJ stated that these efforts have
been coordinated, in part, through the International Sub-IPC.
Conclusions:
The rapid integration of information and communication technologies
into virtually every aspect of modern life and the increase in
associated threats have outpaced efforts by the United States and the
international community. Without top-level leadership, the federal
government has not forged a coherent and comprehensive strategy for
cyberspace security and governance policy. In addition, the
interagency coordination processes, in particular the International
Sub-IPC, have not entirely ensured that all relevant federal entities
are engaged in global efforts or demonstrated that federal efforts,
taken together, support national interests coherently and
consistently. These challenges in U.S. leadership, strategy, and
coordination have hampered the nation's ability to promote cyberspace-
related technical standards and policies and establish global cyber
incident response capabilities consistent with our national economic
and national security interests. In addition, U.S. law enforcement
efforts to investigate and prosecute crime have been complicated by
the differing national legal systems, making it difficult to enforce
U.S. criminal and civil law. Further, the United States has been
unable to define cyberspace-related norms that may be necessary for
guiding a U.S. response to cyber incidents. Until these challenges are
addressed, the United States will be at a disadvantage in promoting
its national interests in the realm of cyberspace.
Recommendations for Executive Action:
We recommend that the Special Assistant to the President and
Cybersecurity Coordinator, in collaboration with other federal
entities and the private sector, take the following five actions to
address the challenges identified:
* Make recommendations to appropriate agencies and interagency
coordination committees regarding any necessary changes to more
effectively coordinate and forge a coherent national approach to
cyberspace policy.
* Develop with the Departments of Commerce, Defense, Homeland
Security, Justice, and State and other relevant federal and nonfederal
entities, a comprehensive U.S. global cyberspace strategy that:
- articulates overarching goals, subordinate objectives, specific
activities, performance metrics, and reasonable time frames to achieve
results;
- addresses technical standards and policies while taking into
consideration U.S. trade; and:
- identifies methods for addressing the enforcement of U.S. civil and
criminal law.
* Enhance the interagency coordination mechanisms, including the ICI-
IPC, by ensuring relevant federal entities are engaged and that their
efforts, taken together, support U.S. interests in a coherent and
consistent fashion.
* Establish, with DHS, the Department of State, and other key U.S. and
international governmental and nongovernmental entities, protocols for
working on cyber incident response globally in a manner that is
consistent with our national security interests.
* Determine, in conjunction with the Departments of Defense and State
and other relevant federal entities, which, if any, cyberspace norms
should be defined to support U.S. interests in cyberspace and methods
for fostering such norms internationally.
Agency Comments and Our Evaluation:
In oral comments on a draft of this report, the national Cybersecurity
Coordinator and his staff generally concurred with our recommendations
and stated that actions are already being taken to address them. They
also made one point of clarification regarding the recommendation to
develop a global cyberspace strategy. From their perspective, specific
items called for by the recommendation, including performance metrics
and time frames to achieve results, would be a part of an
implementation plan. We acknowledge that the national strategy would
consist of multiple items, including an implementation plan.
Regarding our findings and conclusions, the Cybersecurity Coordinator
and staff stated that our report does not fully portray their
leadership efforts, their efforts to develop a strategy, and
improvements they have made regarding interagency coordination. For
example, they emphasized their engagement in establishing bilateral
relationships with foreign countries, which are essential to
developing international consensus on cybersecurity-related issues and
gaining wider agreement in the international community. In addition,
they stated that they continually improve the interaction,
participation, and coordination performed at the Sub-IPC. They also
stated that they are taking steps to improve the coordination within
agencies, indicating that our example of the Department of State
reorganization is one such instance. Further, these officials stated
that coordination efforts have improved since 2009, but enhancements
could be made. These efforts are consistent with our recommendations
to improve U.S. global cybersecurity and governance and increase the
likelihood that the United States will be able to promote its national
interests in the realm of cyberspace. These officials also provided
technical comments, which we incorporated, where appropriate.
We also provided a draft of this report to the Secretaries of
Commerce, Defense, Homeland Security, and State; the Attorney General;
the Chairman of the Federal Communications Commission; and the United
States Trade Representative. In written comments on a draft of this
report (see appendix II), the Secretary of Commerce concurred with our
recommendations that the national Cybersecurity Coordinator take steps
to address identified challenges, including developing a comprehensive
national strategy for global cyberspace and improving interagency
coordination. In addition, the Secretary provided detailed technical
comments that have been incorporated in the report, where appropriate.
Also, in providing technical comments via e-mail, the Director of
DHS's National Protection and Programs Directorate GAO-OIG Audit
Liaison Office neither concurred nor nonconcurred with our
recommendations; however, he stated that National Protection and
Programs Directorate officials intend to work as needed with the
Cybersecurity Coordinator to assist in the implementation of the
recommendations. We incorporated DHS's technical comments provided by
the Director, where appropriate. We also received technical comments
via e-mail from additional officials at the Departments of Commerce,
Defense, Homeland Security, Justice, and State, and the United States
Trade Representative. These comments were incorporated, where
appropriate.
We also provided relevant sections of the draft report to officials
from public, private, and not-for-profit institutions involved in this
review. We received technical comments via e-mail from some, but not
all, of these officials and incorporated their comments, where
appropriate.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies of this report
to interested congressional committees; the Secretaries of Commerce,
Defense, Homeland Security, and State; the Attorney General; the
Chairman of the Federal Communications Commission; United States Trade
Representative; and other interested parties. The report also will be
available at no charge on the GAO Web site at [hyperlink,
http://www.gao.gov].
If you or your staff members have any questions about this report,
please contact David Powner at (202) 512-9286, or pownerd@gao.gov.
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this report. Major
contributors to this report are listed in appendix III.
Signed by:
David A. Powner:
Director, Information Technology Management Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to identify (1) significant entities and efforts
addressing global cyberspace security and governance issues, (2) U.S.
entities responsible for addressing cyberspace security and governance
and the extent of their involvement at the international level, and
(3) challenges to effective U.S. involvement in global cyberspace
security and governance efforts.
To identify entities and efforts with significant influence on
international cyberspace security and governance, we collected and
analyzed documents, such as resolutions, charters, organizational
charts, policies, reports, and studies, and conducted structured
interviews with relevant federal, private sector, academic, and
foreign officials. We also considered entities involved in multiple
cross-entity cybersecurity interactions, as well as those identified
by multiple officials or other organizations. We met with officials
from public, not-for-profit, and academic institutions, including the
American National Standards Institute, the Center for Strategic and
International Studies, the European Commission, the European Network
and Information Security Agency, the Forum of Incident Response and
Security Teams, George Mason University, Georgia Institute of
Technology, the Internet Corporation for Assigned Names and Numbers,
the Organisation for Economic Cooperation and Development, and the
Organization of American States (Inter-American Committee against
Terrorism). In addition, we met with officials from private
corporations and trade groups, including Defense Group Inc., EMC-RSA,
Google, Intel, Microsoft, Symantec, and TechAmerica. We also observed
the activities occurring at the 2009 Meridian Conference for
government-to-government cooperation on global critical information
infrastructure protection issues.
To identify responsible U.S. government entities and their related
efforts, we collected, reviewed, and analyzed documents; gathered
information on key initiatives through a data collection schedule; and
conducted structured interviews with officials from responsible U.S.
government entities. We considered factors such as whether entities
were assigned responsibility for performing cyber-related activities
by a federal statute, regulation, presidential directive, or other
U.S. policy. These activities were performed, as appropriate, at the
following entities:
* Department of Commerce: National Telecommunications and Information
Administration and the National Institute of Standards and Technology.
* Department of Defense: Office of the Under Secretary of Defense for
Policy, Office of the Assistant Secretary of Defense for Global
Strategic Affairs; Office of the Assistant Secretary of Defense for
Networks and Information Integration/DOD Chief Information Officer;
and the Joint Chiefs of Staff (Strategic Plans and Policy) (J-5).
* Department of Homeland Security: National Protection and Programs
Directorate's Office of Cyber Security and Communication and the
United States Secret Service.
* Department of Justice: Computer Crime and Intellectual Property
Section, Criminal Division; the Federal Bureau of Investigation; and
the U.S. National Central Bureau of INTERPOL.
* Department of State: Bureau of Economic, Energy, and Business
Affairs, International Communication and Information Policy; Bureau of
Intelligence and Research; Bureau of International Narcotics and Law
Enforcement; and the Bureau of European and Eurasian Affairs.
* Department of the Treasury.
* Federal Communications Commission.
* United States Agency for International Development.
* United States Trade Representative.
To determine challenges to effective U.S involvement, we gathered and
analyzed relevant documents, such as our past reports and studies by
various cybersecurity-related entities. We also solicited input
regarding the challenges from private and public sector officials,
including from the Center for Strategic and International Studies,
George Mason University, Georgia Institute of Technology, Defense
Group Inc., Google, Microsoft, Symantec, and TechAmerica. On the basis
of the information received and our knowledge of the issues, we
determined the major challenges impeding U.S. ability to formulate and
implement foreign policy related to cyberspace governance and security.
We conducted this performance audit from June 2009 to July 2010, in
the Washington, D.C., metropolitan area, in accordance with generally
accepted government auditing standards. Those standards require that
we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
[End of section]
Appendix II: Comments from the Department of Commerce:
United States Department Of Commerce:
The Secretary of Commerce:
Washington, D.C. 20230:
June 17, 2010:
Mr. David A. Powner:
Director, Information Technology Management Issues:
U.S. Government Accountability Office:
Washington, DC 20548:
Dear Mr. Powner:
Thank you for the opportunity to comment on the draft report from the
U.S. Government Accountability Office (GAO) entitled, Cyberspace: U.S.
Faces Challenges in Addressing Global Cybersecurity and Governance
(GA0-10-606).
We concur with the report's recommendation that the national
Cybersecurity Coordinator should take steps to address identified
challenges, including developing a comprehensive national strategy for
global cyberspace and improving interagency coordination. The
Department of Commerce's detailed response to the GAO draft report is
attached.
We welcome further communications with GAO regarding this draft, and
we look forward to receiving the final report. Please contact Rachel
Kinney at (301) 975-8707 if you have any questions regarding this
response.
Sincerely,
Signed by:
Gary Locke:
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
David A. Powner, (202) 512-9286 or pownerd@gao.gov:
Staff Acknowledgments:
In addition to the person named above, Michael W. Gilmore, Assistant
Director; Rebecca Eyler; Richard J. Hagerman; Kenneth A. Johnson; Kush
Malhotra; Lee McCracken; and Justin M. Palk made key contributions to
this report.
[End of section]
Footnotes:
[1] Computer Emergency Response Team of Estonia, "Malicious Cyber
Attacks Against Estonia Come from Abroad," April 29, 2007, and Remarks
by Homeland Security Secretary Michael Chertoff to the 2008 RSA
Conference, April 8, 2008.
[2] Office of the Secretary of Defense, Annual Report to Congress:
Military Power of the People's Republic of China 2008.
[3] The New York Times, Google, Citing Attack, Threatens to Exit China
(Jan. 13, 2010).
[4] The New York Times, Suit Says 2 Chinese Firms Stole Web-Blocking
Code (Jan. 6, 2010).
[5] The New York Times, China Cyber-Spies Target India, Dalai Lama:
Report (Apr. 6, 2010).
[6] The White House, Cyberspace Policy Review: Assuring a Trusted and
Resilient Information and Communications Infrastructure (Washington,
D.C.: May 29, 2009).
[7] The White House, The National Strategy to Secure Cyberspace
(Washington, D.C.: February 2003).
[8] The White House, Homeland Security Presidential Directive 7,
Critical Infrastructure Identification, Prioritization, and Protection
(Washington, D.C.: Dec. 17, 2003).
[9] The White House, National Security Presidential Directive 54/
Homeland Security Presidential Directive 23 (Washington, D.C.: Jan. 8,
2008).
[10] Member countries include: Australia; Brunei Darussalam; Canada;
Chile; the People's Republic of China; Hong Kong, China; Indonesia;
Japan; the Republic of Korea; Malaysia; Mexico; New Zealand; Papua New
Guinea; Peru; the Republic of the Philippines; the Russian Federation;
Singapore; Chinese Taipei; Thailand; the United States; and Vietnam.
[11] ASEAN's 10 member nations are Brunei Darussalam, Cambodia,
Indonesia, Lao People's Democratic Republic, Malaysia, Myanmar, the
Philippines, Singapore, Thailand, and Vietnam.
[12] ASEAN Secretariat, Roadmap for an ASEAN Community 2009-2015
(Jakarta: April 2009).
[13] Member countries include: Austria, Belgium, Bulgaria, Cyprus, the
Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece,
Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain,
Sweden, and the United Kingdom.
[14] The relationship between ITU and the International Multilateral
Partnership Against Cyber Threats is managed by ITU-D.
[15] NATO's member countries are: Albania, Belgium, Bulgaria, Canada,
Croatia, the Czech Republic, Denmark, Estonia, France, Germany,
Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, the
Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia,
Spain, Turkey, the United Kingdom, and the United States.
[16] OAS member countries are: Antigua and Barbuda, Argentina, the
Bahamas, Barbados, Belize, Bolivia, Brazil, Canada, Chile, Colombia,
Costa Rica, Cuba, Dominica, Dominican Republic, Ecuador, El Salvador,
Grenada, the Grenadines, Guatemala, Guyana, Haiti, Jamaica, Mexico,
Nicaragua, Panama, Paraguay, Peru, St. Kitts and Nevis, Saint Lucia,
Saint Vincent, Suriname, Trinidad and Tobago, the United States,
Uruguay, and Venezuela.
[17] OECD member countries are: Australia, Austria, Belgium, Canada,
Chile, the Czech Republic, Denmark, Finland, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Japan, Korea, Luxembourg, Mexico,
the Netherlands, New Zealand, Norway, Poland, Portugal, the Slovak
Republic, Spain, Sweden, Switzerland, Turkey, the United Kingdom, and
the United States. In addition, in May 2010, Estonia, Israel, and
Slovenia were invited by OECD countries to join the organization.
[18] A December 2000 memorandum of understanding between ANSI and NIST
establishes the organizations' agreement on a unified national
approach to developing national and international standards. The
memorandum states that ANSI is the representative of U.S. interests in
international standards-developing organizations.
[19] GAO, Combating Terrorism: Evaluation of Selected Characteristics
in National Strategies Related to Terrorism, [hyperlink,
http://www.gao.gov/products/GAO-04-408T] (Washington, D.C.: Feb. 3,
2004).
[20] GAO, Cybersecurity: Progress Made but Challenges Remain in
Defining and Coordinating the Comprehensive National Initiative,
[hyperlink, http://www.gao.gov/products/GAO-10-338] (Washington, D.C.:
Mar. 5, 2010).
[21] Office of the United States Trade Representative, 2010 Report on
Technical Barriers to Trade (Mar. 31, 2010).
[22] China's Transitional Review Mechanism, G/TBT/W/326 (Oct. 29,
2009).
[23] Stuart Madnick, Xitong Li, Nazli Choucri, Experiences and
Challenges with Using CERT Data to Analyze International Cybersecurity
(September 2009).
[24] GAO, Cybercrime: Public and Private Entities Face Challenges in
Addressing Cyber Threats, [hyperlink,
http://www.gao.gov/products/GAO-07-705] (Washington, D.C.: June 22,
2007).
[25] [hyperlink, http://www.gao.gov/products/GAO-07-705].
[26] Center for Strategic and International Studies, Securing
Cyberspace for the 44th Presidency, A Report of the CSIS Commission on
Cybersecurity for the 44th Presidency (Washington, D.C.: December
2008).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
