U.S. doesn't have leadership, strategy to protect cyberspace globally

Without high-level direction, federal agencies might not coordinate international cybersecurity positions as envisioned in the president's cyber policy review, GAO reports.

Federal auditors issued a report on Monday warning the United States is missing the leadership and strategy needed to protect national interests in governing and securing global cyberspace.

Neither the nation's senior-most cybersecurity official nor any interagency effort has the authority to manage cybersecurity on an international level, according to a Government Accountability Office report. "Without top-level leadership, the federal government has not forged a coherent and comprehensive strategy for cyberspace security and governance policy," the report stated.

House Homeland Security Committee leaders and Sen. Kirsten Gillibrand, D-N.Y., asked GAO to analyze the challenges preventing effective U.S. involvement in securing and supervising cyberspace worldwide, following a series of high-profile cyberattacks that reportedly originated overseas. For instance, early this year Google alleged hackers in China infiltrated files belonging to the firm, federal agencies and about 30 other U.S.-based companies.

In the wake of cyberspace threats that have expanded globally, the federal government developed policies that recognize the importance of addressing worldwide cybersecurity, the auditors acknowledged. For example, a May 2009 cyberspace policy review commissioned by President Obama called for developing an international cybersecurity policy framework and strengthening international partnerships to initiate cybersecurity activities. But there is no U.S. strategy targeting international cybersecurity, GAO said.

The review also led to the hiring of White House Cybersecurity Coordinator Howard Schmidt, who is responsible for working with international partners on guarding infrastructure systems. "However, the recently appointed cybersecurity coordinator's authority and capacity to effectively coordinate and forge a coherent national approach to cyberspace policy are still under development," the report stated. "Until the cybersecurity coordinator provides top-level leadership, there is an increased risk that U.S. agencies will not formulate and coordinate U.S. international cybersecurity-related positions as envisioned in the president's cyberspace policy review."

GAO officials said they have not seen evidence that an effort is under way to develop an international strategy for cyberspace and therefore were unable to determine what progress, if any, has been made toward accomplishing the goal. GAO's study covered the period from June 2009 through July 2010.

The report also found that federal agencies have struggled to synchronize their global cyber-related activities and to articulate clear policies. For example, the National Security Council in March 2009 established an interagency panel, called the International Sub-IPC (Interagency Policy Committee), to focus on international cyberspace policies, but the Federal Communications Commission did not start participating in meetings until almost a year later.

According to the report, the cybersecurity coordinator's staff said they were working on ways to improve collaboration among all federal entities.

Gillibrand has sponsored S.1438, which would urge the secretary of State to work with foreign governments to develop safeguards for protecting privacy, free speech and commercial transactions that would be included in any cybersecurity agreements. The bill is pending in a Senate subcommittee.

A multitude of global organizations are crafting agreements for governing and securing the Internet, ranging from forums of experts who think about policies to decision-making bodies established by international treaties. The report names about 20 groups, including NATO; Interpol; Internet Corporation for Assigned Names and Numbers, a private, nonprofit U.S. corporation that manages website names and addresses; and Internet Governance Forum, a United Nations-mandated venue for discussing oversight of the Internet.

The report, however, noted there was no internationally recognized entity responsible for coordinating a global response to a cyber incident, which "has complicated efforts of U.S.-based multinational companies to respond to international cyber incidents."

The lack of instructions on how to cooperate with foreign countries in the event of an attack confounded businesses trying to thwart the 2009 Conficker worm, which installed malicious software on computers running the Microsoft operating system. An official with a large U.S. software company told auditors the firm was unsure whether it was allowed to contact providers of domain names located in countries that sponsor terrorism, the report stated.

After reviewing a draft of GAO's findings, the cybersecurity coordinator and his staff said the report did not fully portray their leadership abilities, efforts to develop a strategy or improvements to interagency teamwork.

They stressed their involvement in forging bilateral relationships with foreign countries to build international consensus on cybersecurity-related issues. Last month, in a progress report on cybersecurity efforts since the 2009 review, White House officials said an international cybersecurity policy framework was being developed and international partnerships were being strengthened. The update cited a unanimous resolution the 64th U.N. General Assembly passed that encourages nations to evaluate their efforts to protect their critical information infrastructure.

The cybersecurity coordinator and his staff, however, agreed with GAO's recommendations to complete a comprehensive U.S. global cyberspace strategy and enhance governmentwide cooperation on U.S. global cybersecurity.