
10/7/2010
12:23 PM

Auditors Fault Slow Progress On Government Cybersecurity

A year after the Obama administration issued 24 cyber policy recommendations, few have been fully implemented, while agency roles and implementation schedules remain uncertain.

The federal government is making progress in implementing the cybersecurity policy recommendations laid out by the White House in a 2009 review, but needs to better define agency roles and responsibilities and establish firmer implementation schedules, according to a report by Congressional auditors.

The Government Accountability Office report finds that, more than a year after the review was issued, the administration has fully implemented only two of the 24 recommendations in last year's Cyberspace Policy Review, although it has at least partially implemented the other 22.

Officials with the Department of Defense, Department of Homeland Security, and Office of Management and Budget (three of the agencies with broad cybersecurity responsibilities) told the GAO that agencies are moving slowly on some of these recommendations because they haven't been assigned specific roles or responsibilities, and attributed that to a seven-month vacancy in the White House's top cybersecurity position, cybersecurity coordinator, immediately after the policy review's release.

The GAO also found that many of the near-term and mid-term recommendations outlined by the policy review do not yet have milestones or implementation plans associated with them.

"Until roles and responsibilities are made clear and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country's cyber infrastructure at risk," the report said.

The two recommendations that have been fully implemented both involve appointments of officials. The review recommended the appointment of a policy official within the National Security Council responsible for coordinating national cyber policy, and Howard Schmidt was later appointed as cybersecurity coordinator. In addition, the review recommended appointment of a privacy and civil liberties official, who was appointed in late 2009.

The report serves as a bit of a progress update on the other recommendations. For example, it notes that, pursuant to a recommendation to build a civil liberties-sensitive, cybersecurity-based ID management vision and strategy, the government plans to finalize the National Strategy for Trusted Identities this month.

In terms of a cybersecurity research and development framework, meanwhile, the White House Office of Science and Technology Policy expects to finalize its work there by next year. The report also notes that OMB plans to establish cybersecurity performance metrics by November.
