GAO criticizes cybersecurity effort

The Government Accountability Office (GAO) on Friday said that federal agencies still lack clearly defined roles in preventing cyber attacks and that the cybersecurity program itself is ineffective.

Experts and regulators previously have raised both issues with the program, the report said.


GAO's criticisms specifically target the Comprehensive National Cybersecurity Initiative (CNCI), a 2008 program implemented by former President George W. Bush and recently declassified by President Barack ObamaBarack Hussein ObamaDemocratic Senate campaign arm outraises GOP by M in August A federal court may have declared immigration arrests unconstitutional Blunt says vote on Trump court nominee different than 2016 because White House, Senate in 'political agreement' MORE.

The initiative is composed of 12 cybersecurity programs, including proposals that assist the government in a so-called cyberwar and ways to educate the public about emerging online threats.

Some of those goals have since become part of the Obama administration's cybersecurity regime — notably, the creation of a cybersecurity adviser at the White House and the continuation of a program that monitors federal computers for dangerous hacks.

However, many other CNCI commitments remain unattended or unaddressed, and still others require serious elaboration to have any positive effect on U.S. cybersecurity, the GAO stressed in its report.
For example, the 2008 CNCI prescribed that White House officials centralize their cybersecurity efforts to facilitate information-sharing among agencies and departments. Yet the GAO reported on Friday that serious confusion over agency roles and responsibilities has made that process exceptionally difficult.

The Office of Management and Budget has since disputed that assessment, responding in a letter to the GAO that the White House had adequately laid out thorough, clear cybersecurity plans. But the GAO has stood its ground on the matter, imploring the federal government to reconsider its approach.

The GAO similarly took aim at the White House's openness with the public on its cybersecurity rules. While the Obama administration did declassify most of the CNCI this week, GAO officials expressed concern that many of its components remained secret, often without adequate explanation of why to the public.

Together, GAO watchdogs said these challenges threaten not only the CNCI's progress, but the federal government's other cybersecurity efforts, as well as the White House's ability to work with international partners on those Web security matters.

"While these issues relate directly to the projects that comprise CNCI, the federal government also faces strategic challenges in areas that are not the subject of existing projects within CNCI but remain key to achieving the initiative’s overall goal of securing federal information systems," wrote Davi M. D’Agostino, the director of Defense Capabilities and Management at GAO, in a letter to lawmakers.