Cybersecurity R&D efforts lack direction, leadership

Administration should develop detailed agenda and improve its oversight role, watchdog says.

Poor coordination among federal agencies and with the private sector as well as lack of leadership from the Obama administration are threatening national cybersecurity research and development initiatives, according to the Government Accountability Office.

In a report released on Tuesday, GAO said the White House Office of Science and Technology Policy and its Networking and Information Technology Research and Development Subcommittee need to provide more strategic leadership and develop a comprehensive, detailed agenda to steer national cyber research priorities. While some guidance exists, it either is outdated or lacking in detail, GAO found.

Many organizations, both in government and the private sector, fund and conduct cybersecurity research, but without better coordination, national concerns could be overlooked, according to the report. A national cyber research agenda should address short-, mid- and long-term goals; include broader priorities beyond agencies' specific missions; incorporate efforts from both public and private sector organizations; and set milestones for completing R&D initiatives.

"Until such an agenda is developed, increased risk exists that agencies and private sector organizations will focus on their individual priorities for cybersecurity R&D, which may not be the most important national research priorities," the report said.

GAO also recommended NITRD play a more strategic role and provide direct guidance to agencies engaged in cybersecurity research. The committee in the past has facilitated discussion with stakeholders but hasn't coordinated and implemented specific research activities or programs, the audit found.

The report also raised concerns about a lack of focus on long-term initiatives that better address security vulnerabilities; a shortage of cybersecurity professionals to conduct and manage R&D; and lack of a central source of information about current projects and associated funding. The limited availability of data about research initiatives could lead to duplicative efforts, wasted government funding and missed opportunities for collaboration, GAO said.

The watchdog group in March found that federal agencies lack clearly defined roles in preventing cyberattacks and recommended the White House spell out the responsibilities of key stakeholders affiliated with the Comprehensive National Cybersecurity Initiative and establish metrics to determine whether the program is effective.

The science and technology policy office did not agree with GAO's finding. But "current OSTP actions and plans are in line with GAO's recommendations for executive action and the office can fully support these recommendations," White House officials wrote in response.
