Dark Reading is part of the Informa Tech Division of Informa PLC



12:23 PM
Auditors Fault Slow Progress On Government Cybersecurity

A year after the Obama administration issued 24 cyber policy recommendations, few have been fully implemented, while agency roles and implementation schedules remain uncertain.

The federal government is making progress in implementing the cybersecurity policy recommendations laid out by the White House in a 2009 review, but needs to better define agency roles and responsibilities and establish firmer implementation schedules, according to a report by Congressional auditors.

The Government Accountability Office report finds that, more than a year after the review was issued, the administration has fully implemented only two of the 24 recommendations in last year's Cyberspace Policy Review, although it has at least partially implemented the other 22.

Officials with the Department of Defense, Department of Homeland Security, and Office of Management and Budget (three of the agencies with broad cybersecurity responsibilities) told the GAO that agencies are moving slowly on some of these recommendations because they haven't been assigned specific roles or responsibilities, and attributed that to a seven-month vacancy in the White House's top cybersecurity position, cybersecurity coordinator, immediately after the policy review's release.

The GAO also found that many of the near-term and mid-term recommendations outlined by the policy review do not yet have milestones or implementation plans associated with them.

"Until roles and responsibilities are made clear and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country's cyber infrastructure at risk," the report said.

The two recommendations that have been fully implemented both involve appointments of officials. The review recommended the appointment of a policy official within the National Security Council responsible for coordinating national cyber policy, and Howard Schmidt was later appointed as cybersecurity coordinator. In addition, the review recommended appointment of a privacy and civil liberties official, who was appointed in late 2009.

The report serves as a bit of a progress update on the other recommendations. For example, it notes that, pursuant to a recommendation to build a civil liberties-sensitive, cybersecurity-based ID management vision and strategy, the government plans to finalize the National Strategy for Trusted Identities this month.

In terms of a cybersecurity research and development framework, meanwhile, the White House Office of Science and Technology Policy expects to finalize its work there by next year. The report also notes that OMB plans to establish cybersecurity performance metrics by November.
