Information Security: Coordination of Federal Cyber Security
Research and Development (29-SEP-06, GAO-06-811).
Research and development (R&D) of cyber security technology is
essential to creating a broader range of choices and more robust
tools for building secure, networked computer systems in the
federal government and in the private sector. The National
Strategy to Secure Cyberspace identifies national priorities to
secure cyberspace, including a federal R&D agenda. GAO was asked
to identify the (1) federal entities involved in cyber security
R&D; (2) actions taken to improve oversight and coordination of
federal cyber security R&D, including developing a federal
research agenda; and (3) methods used for technology transfer at
agencies with significant activities in this area. To do this,
GAO examined relevant laws, policies, budget documents, plans,
and reports.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-06-811
ACCNO: A61686
TITLE: Information Security: Coordination of Federal Cyber
Security Research and Development
DATE: 09/29/2006
SUBJECT: Computer security
Cyber security
Government information dissemination
Information technology
Interagency relations
National policies
Research and development
Standards
Technology transfer
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-06-811
* Results in Brief
* Background
* Federal Cyber Security Research and Development Policies
* Numerous Federal Entities Involved in Cyber Security Researc
* Federal Structure for Oversight and Coordination of Cyber Se
* Other Groups Support Coordination on Informal Basis
* InfoSec Research Council
* Technical Support Working Group
* Ad Hoc Cooperation
* Key Agencies Fund and Conduct Cyber Security Research
* Other Agencies Fund or Conduct Cyber Security Research and D
* Federal Entities Have Improved Oversight and Coordination, b
* Interagency Working Group on Cyber Security Research Provide
* Federal Plan for Cyber Security Research and Development Has
* Reporting of Budget Information Increases Visibility of Cybe
* Federal Agencies and Public Could Benefit from Fully Populat
* Federal Agencies Use Various Methods for Technology Transfer
* Conclusions
* Recommendations for Executive Action
* Agency Comments and Our Evaluation
* GAO Contacts
* Staff Acknowledgments
* GAO's Mission
* Obtaining Copies of GAO Reports and Testimony
* Order by Mail or Phone
* To Report Fraud, Waste, and Abuse in Federal Programs
* Congressional Relations
* Public Affairs
Report to the Chairman, Committee on Government Reform, House of
Representatives
United States Government Accountability Office
GAO
September 2006
INFORMATION SECURITY
Coordination of Federal Cyber Security Research and Development
GAO-06-811
Contents
Letter
Results in Brief
Background
Numerous Federal Entities Involved in Cyber Security Research and
Development
Federal Entities Have Improved Oversight and Coordination, but Limitations
Remain
Federal Agencies Use Various Methods for Technology Transfer
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation
Appendix I Objectives, Scope, and Methodology
Appendix II GAO Contacts and Staff Acknowledgments
Tables
Table 1: Key Federal Government Actions on Cyber Security R&D
Table 2: Federal Organizations Involved in Oversight and Coordination of
Cyber Security Research
Figures
Figure 1: Security Vulnerabilities, 1995-2005
Figure 2: Organization of Federal Cyber Security R&D Oversight and
Coordination
Abbreviations
CERT/CC  CERT(R) Coordination Center
OMB      Office of Management and Budget
NITRD    Networking and Information Technology Research and Development
R&D      research and development
RaDiUS   Research and Development in the United States
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
September 29, 2006
The Honorable Tom Davis
Chairman
Committee on Government Reform
House of Representatives
Dear Mr. Chairman:
Dramatic increases in computer interconnectivity, especially in the use of
the Internet, continue to revolutionize the way our government, our
nation, and much of the world communicate and conduct business. However,
computers, networks, and their infrastructures were not always designed
with security in mind. As a result, these systems can have significant
vulnerabilities[1] that can be exploited by malicious users to gain
unauthorized access to systems and obtain sensitive information, commit
fraud, disrupt operations, or launch attacks against Web sites.
Because of concerns about these malicious attacks from individuals and
groups, protecting both the public and private systems that support
critical operations and infrastructures of the federal government has
never been more important. Federal law and policy call for critical
infrastructure protection activities to enhance the cyber[2] and physical
security of the infrastructures that are essential to national security,
national economic security, and national public health and safety. These
activities include building public-private partnerships, identifying
critical infrastructure sectors, identifying federal agencies to work with
the sectors to coordinate efforts to strengthen the security of critical
infrastructures, and research and development (R&D) of cyber security
tools and techniques. Research in cyber security technology is essential
to creating a broader range of choices and more robust tools for building
secure, networked computer systems in the federal government and in the
private sector. In this regard, the National Strategy to Secure Cyberspace
recommends the development of an annual federal government cyber security
research agenda.
[1] A vulnerability is a flaw or weakness in hardware or software that can
be exploited, resulting in a violation of an implicit or explicit security
policy.
[2] Cyber security refers to the defense against attacks on the information
technology infrastructure of an organization, or, in this case, of the
federal government and agencies. Cyber security is intertwined with the
physical security of assets, from computers, networks, and their
infrastructure to the environment surrounding these systems. While both
parts of security are necessary to achieve overall security, this report
focuses on protecting software and data from attacks that are electronic
in nature and that typically arrive over a data communication link. Cyber
security is a major concern of both the federal government and the private
sector.
In response to your request, our objectives were to identify the
o federal agencies involved in cyber security R&D;
o actions taken to improve oversight and coordination of cyber
security R&D, including the development of a federal research
agenda; and
o methods used for technology transfer at the agencies with
significant activities in cyber security R&D.
To address these objectives, we researched key reports by federal
groups on cyber security R&D to determine which agencies are
involved in federal cyber security R&D. We identified and
interviewed officials at agencies that provide funding for cyber
security R&D to determine their decision-making processes,
examined policies and procedures, analyzed budget documentation,
and determined the extent to which the agencies coordinate their
activities. We conducted our work from August 2005 through August
2006 in accordance with generally accepted government auditing
standards. Appendix I contains additional details on the
objectives, scope, and methodology of our review.
Numerous entities are involved in federal cyber security research
and development. The Office of Science and Technology Policy and
Office of Management and Budget (OMB) in the Executive Office of
the President provide high-level oversight for federal research
and development, including cyber security. The Office of Science
and Technology Policy coordinates the development of a federal
agenda for cyber security research and oversees the National
Science and Technology Council, which prepares R&D strategies that
are to be coordinated across federal agencies. The council
operates through its committees, subcommittees, and interagency
working groups, which oversee and coordinate activities related to
specific science and technology disciplines. The Subcommittee on
Networking and Information Technology Research and Development
(NITRD) and the Interagency Working Group on Cyber Security and
Information Assurance are key entities responsible for
coordinating federal cyber security R&D activities. In addition,
other groups provide mechanisms for coordination of R&D efforts on
an informal basis. Much of the government's cyber security R&D
activities are funded or conducted by the National Science
Foundation and the Departments of Defense and Homeland Security.
Other agencies that also fund or conduct cyber security R&D
activities include the Department of Energy, the National
Institute of Standards and Technology, and agencies within the
intelligence community.
Federal entities have taken several important steps to improve the
oversight and coordination of federal cyber security R&D, although
limitations remain. Actions taken to facilitate oversight and
coordination of cyber security research include (1) chartering an
interagency working group to focus on this type of research, (2)
publishing a federal plan for cyber security and information
assurance that is to provide baseline information and a framework
for planning and conducting this research, (3) reporting budget
information for cyber security research separately from other
types of research, and (4) developing and maintaining
governmentwide repositories of information on R&D projects.
However, a federal cyber security research agenda has not been
developed, as recommended in the National Strategy to Secure
Cyberspace, and the federal plan does not fully address certain key
elements. Further, the governmentwide repositories are incomplete
and not fully populated, in part because OMB has not issued
guidance to ensure that agencies provide all information required
for the repositories. As a result, key information needed for the
effective oversight and coordination of cyber security research
activities is not readily available.
The three primary agencies that fund or conduct cyber security R&D
use a variety of methods for sharing the results of the research
(technology transfer). These methods include relying on the
researcher to disseminate information about his or her research,
attending conferences and workshops and working with industry to
share information about emerging threats and research, and using
published peer review journals to facilitate information sharing.
We are recommending that the Director, Office of Science and
Technology Policy, establish firm timelines for the completion of
the federal cyber security R&D agenda. We are also recommending
that the Director, OMB, issue guidance to agencies on reporting
information about federally funded cyber security research
projects to the governmentwide repositories. The Office of Science
and Technology Policy provided technical comments on a draft of
this report, but did not comment on our recommendation. We also
received oral comments on a draft of our report