Information Security: Coordination of Federal Cyber Security	 
Research and Development (29-SEP-06, GAO-06-811).		 
                                                                 
Research and development (R&D) of cyber security technology is	 
essential to creating a broader range of choices and more robust 
tools for building secure, networked computer systems in the	 
federal government and in the private sector. The National	 
Strategy to Secure Cyberspace identifies national priorities to  
secure cyberspace, including a federal R&D agenda. GAO was asked 
to identify the (1) federal entities involved in cyber security  
R&D (2) actions taken to improve oversight and coordination of  
federal cyber security R&D, including developing a federal	 
research agenda; and (3) methods used for technology transfer at 
agencies with significant activities in this area. To do this,	 
GAO examined relevant laws, policies, budget documents, plans,	 
and reports.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-811 					        
    ACCNO:   A61686						        
  TITLE:     Information Security: Coordination of Federal Cyber      
Security Research and Development				 
     DATE:   09/29/2006 
  SUBJECT:   Computer security					 
	     Cyber security					 
	     Government information dissemination		 
	     Information technology				 
	     Interagency relations				 
	     National policies					 
	     Research and development				 
	     Standards						 
	     Technology transfer				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-811

     

     * Results in Brief
     * Background
          * Federal Cyber Security Research and Development Policies
     * Numerous Federal Entities Involved in Cyber Security Researc
          * Federal Structure for Oversight and Coordination of Cyber Se
          * Other Groups Support Coordination on Informal Basis
               * InfoSec Research Council
               * Technical Support Working Group
               * Ad Hoc Cooperation
          * Key Agencies Fund and Conduct Cyber Security Research
               * Other Agencies Fund or Conduct Cyber Security Research and D
     * Federal Entities Have Improved Oversight and Coordination, b
          * Interagency Working Group on Cyber Security Research Provide
          * Federal Plan for Cyber Security Research and Development Has
          * Reporting of Budget Information Increases Visibility of Cybe
          * Federal Agencies and Public Could Benefit from Fully Populat
     * Federal Agencies Use Various Methods for Technology Transfer
     * Conclusions
     * Recommendations for Executive Action
     * Agency Comments and Our Evaluation
     * GAO Contacts
     * Staff Acknowledgments
     * GAO's Mission
     * Obtaining Copies of GAO Reports and Testimony
          * Order by Mail or Phone
     * To Report Fraud, Waste, and Abuse in Federal Programs
     * Congressional Relations
     * Public Affairs

Report to the Chairman, Committee on Government Reform, House of
Representatives

United States Government Accountability Office

GAO

September 2006

INFORMATION SECURITY

Coordination of Federal Cyber Security Research and Development

GAO-06-811

Contents

Letter 1

Results in Brief 2
Background 4
Numerous Federal Entities Involved in Cyber Security Research and
Development 8
Federal Entities Have Improved Oversight and Coordination, but Limitations
Remain 16
Federal Agencies Use Various Methods for Technology Transfer 22
Conclusions 23
Recommendations for Executive Action 24
Agency Comments and Our Evaluation 24
Appendix I Objectives, Scope, and Methodology 27
Appendix II GAO Contacts and Staff Acknowledgments 29

Tables

Table 1: Key Federal Government Actions on Cyber Security R&D 7
Table 2: Federal Organizations Involved in Oversight and Coordination of
Cyber Security Research 10

Figures

Figure 1: Security Vulnerabilities, 1995-2005 6
Figure 2: Organization of Federal Cyber Security R&D Oversight and
Coordination 9

Abbreviations

CERT/CC CERT(R) Coordination Center

OMB Office of Management and Budget

NITRD Networking and Information Technology Research

and Development

R&D research and development

RaDiUS Research and Development in the United States

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office

Washington, DC 20548

September 29, 2006

The Honorable Tom Davis Chairman Committee on Government Reform House of
Representatives

Dear Mr. Chairman:

Dramatic increases in computer interconnectivity, especially in the use of
the Internet, continue to revolutionize the way our government, our
nation, and much of the world communicate and conduct business. However,
computers, networks, and their infrastructures were not always designed
with security in mind. As a result, these systems can have significant
vulnerabilities1 that can be exploited by malicious users to gain
unauthorized access to systems and obtain sensitive information, commit
fraud, disrupt operations, or launch attacks against Web sites.

Because of concerns about these malicious attacks from individuals and
groups, protecting both the public and private systems that support
critical operations and infrastructures of the federal government has
never been more important. Federal law and policy call for critical
infrastructure protection activities to enhance the cyber2 and physical
security of the infrastructures that are essential to national security,
national economic security, and national public health and safety. These
activities include building public-private partnerships, identifying
critical infrastructure sectors, identifying federal agencies to work with
the sectors to coordinate efforts to strengthen the security of critical
infrastructures, and research and development (R&D) of cyber security
tools and techniques. Research in cyber security technology is essential
to creating a broader range of choices and more robust tools for building
secure, networked computer systems in the federal government and in the
private sector. In this regard, the National Strategy to Secure Cyberspace
recommends the development of an annual federal government cyber security
research agenda.

1A vulnerability is a flaw or weakness in hardware or software that can be
exploited, resulting in a violation of an implicit or explicit security
policy.

2Cyber security refers to the defense against attacks on the information
technology infrastructure of an organization, or, in this case, of the
federal government and agencies. Cyber security is intertwined with the
physical security of assets-from computers, networks, and their
infrastructure to the environment surrounding these systems. While both
parts of security are necessary to achieve overall security, this report
focuses on protecting software and data from attacks that are electronic
in nature and that typically arrive over a data communication link. Cyber
security is a major concern of both the federal government and the private
sector.

In response to your request, our objectives were to identify the

           o  federal agencies involved in cyber security R&D
           o  actions taken to improve oversight and coordination of cyber
           security R&D, including the development of a federal research
           agenda; and
           o  methods used for technology transfer at the agencies with
           significant activities in cyber security R&D.

           To address these objectives, we researched key reports by federal
           groups on cyber security R&D to determine which agencies are
           involved in federal cyber security R&D. We identified and
           interviewed officials at agencies that provide funding for cyber
           security R&D to determine their decision-making processes,
           examined policies and procedures, analyzed budget documentation,
           and determined the extent to which the agencies coordinate their
           activities. We conducted our work from August 2005 through August
           2006 in accordance with generally accepted government auditing
           standards. Appendix I contains additional details on the
           objectives, scope, and methodology of our review.

           Numerous entities are involved in federal cyber security research
           and development. The Office of Science and Technology Policy and
           Office of Management and Budget (OMB) in the Executive Office of
           the President provide high-level oversight for federal research
           and development, including cyber security. The Office of Science
           and Technology Policy coordinates the development of a federal
           agenda for cyber security research and oversees the National
           Science and Technology Council, which prepares R&D strategies that
           are to be coordinated across federal agencies. The council
           operates through its committees, subcommittees, and interagency
           working groups, which oversee and coordinate activities related to
           specific science and technology disciplines. The Subcommittee on
           Networking and Information Technology Research and Development
           (NITRD) and the Interagency Working Group on Cyber Security and
           Information Assurance are key entities responsible for
           coordinating federal cyber security R&D activities. In addition,
           other groups provide mechanisms for coordination of R&D efforts on
           an informal basis. Much of the government's cyber security R&D
           activities are funded or conducted by the National Science
           Foundation and the Departments of Defense and Homeland Security.
           Other agencies that also fund or conduct cyber security R&D
           activities include the Department of Energy, the National
           Institute of Standards and Technology, and agencies within the
           intelligence community.

           Federal entities have taken several important steps to improve the
           oversight and coordination of federal cyber security R&D, although
           limitations remain. Actions taken to facilitate oversight and
           coordination of cyber security research include (1) chartering an
           interagency working group to focus on this type of research, (2)
           publishing a federal plan for cyber security and information
           assurance that is to provide baseline information and a framework
           for planning and conducting this research, (3) reporting budget
           information for cyber security research separately from other
           types of research, and (4) developing and maintaining
           governmentwide repositories of information on R&D projects.
           However, a federal cyber security research agenda has not been
           developed, as recommended in the National Strategy to Secure
           Cyberspace and the federal plan does not fully address certain key
           elements. Further, the governmentwide repositories are incomplete
           and not fully populated, in part, because OMB has not issued
           guidance to ensure that agencies provide all information required
           for the repositories. As a result, key information needed for the
           effective oversight and coordination of cyber security research
           activities is not readily available.

           The three primary agencies that fund or conduct cyber security R&D
           use a variety of methods for sharing the results of the research
           (technology transfer). These methods include relying on the
           researcher to disseminate information about his or her research,
           attending conferences and workshops and working with industry to
           share information about emerging threats and research, and using
           published peer review journals to facilitate information sharing.

           We are recommending that the Director, Office of Science and
           Technology Policy, establish firm timelines for the completion of
           the federal cyber security R&D agenda. We are also recommending
           that the Director, OMB, issue guidance to agencies on reporting
           information about federally funded cyber security research
           projects to the governmentwide repositories. The Office of Science
           and Technology Policy provided technical comments on a draft of
           this report, but did not comment on our recommendation. We also
           received oral comments on a draft of our report
*** End of document. ***