Cyber research lacks agenda, leadership, info sharing, GAO says
US advancements in cybersecurity research and development (R&D) face key obstacles, including the lack of a national R&D agenda, weak leadership, and little R&D information sharing, congressional investigators concluded recently.
In its report, Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development, released publicly Tuesday, the Government Accountability Office (GAO) recommended that the director of the White House Office of Science and Technology Policy (OSTP) tackle these challenges through its Subcommittee on Networking and Information Technology Research and Development (NITRD), the interagency council that holds federal responsibility for providing leadership on R&D issues.
NITRD should "exercise its leadership responsibilities by taking several actions, including developing a national agenda, and establishing and utilizing a mechanism to keep track of federal cybersecurity R&D funding," the GAO report stated.
The GAO report highlighted challenges in bolstering cybersecurity R&D in the public and private sectors. First and foremost, the US government does not have a set of overarching R&D goals to guide its efforts, the agency said. Such a national R&D agenda would guide investments to solve specific problems.
NITRD also must prioritize cybersecurity R&D across all sectors of critical infrastructure to ensure national goals are met with a national R&D agenda, GAO added.
The White House itself has prescribed these activities in the National Strategy to Secure Cyberspace, which tasked OSTP with managing the production of a cybersecurity R&D agenda annually to specify near-term goals of up to 3 years, mid-term goals of 3-5 years, and long-term goals of 5 or more years.
"Although OSTP has taken initial steps toward developing such an agenda, one does not currently exist," the GAO report stated. "OSTP and Office of Management and Budget officials stated that they believe an agenda is contained in existing documents; however, these documents are either outdated or lack appropriate detail. Without a current national cybersecurity R&D agenda, the nation is at risk that agencies and private sector companies may focus on their individual priorities, which may not be the most important national research priorities."
Furthermore, NITRD has not exercised its leadership responsibilities in cybersecurity R&D, the report criticized. Cybersecurity authorities and a presidential advisory committee have underscored this lack of leadership, which has led to a failure to provide federal agencies with any direction in their cybersecurity R&D efforts.
Finally, the federal government does not have a database to track federally funded cybersecurity R&D, although Congress mandated the development of one in the E-Government Act of 2002 (Public Law 107-347), the report noted.
"Without a mechanism to track all active and completed cybersecurity R&D initiatives, federal researchers and developers as well as private companies lack essential information about ongoing and completed R&D. Moreover, without a process for industry and government to share cybersecurity R&D information, the nation is at risk of having unforeseen gaps," the report said.
OSTP responded that it did indeed have a plan, known as the Federal Plan for Cybersecurity and Information Assurance Research and Development, but that it would work to update that plan in the coming months.
The office further defended NITRD's efforts to develop a federal R&D funding database and to stand up mechanisms by which to coordinate information with the private sector, saying NITRD was exploring the establishment of a funding dashboard in collaboration with the National Science Foundation and the Office of Management and Budget.