U.S. approach to global cybersecurity falls short, GAO says

The Obama administration should take steps to improve and better coordinate the United States’ approach to international cyberspace policy, the Government Accountability Office has said.

According to a report released today by GAO, global aspects of cyberspace “present key challenges to U.S. policy.” GAO said U.S. involvement in the many organizations that are involved in developing international agreements and standards “is essential to promoting our national and economic security to the rest of the world.”

U.S. law enforcement attempts to prosecute cyber crime have been complicated by differing legal systems and the United States has been unable to define cyberspace-related norms that may be necessary for guiding incident response, the auditors found. GAO said “challenges in U.S. leadership, strategy, and coordination have hampered the nation’s ability to promote cyberspace-related technical standards and policies and establish global cyber incident response capabilities consistent with our national economic and national security interests.”

Do we need a U.N. cybersecurity council?

GAO identified 19 organizations considered by experts as key for global cyberspace policy. The organizations that are identified vary in scope and purpose, and include the European Union, the United Nations, the Internet Engineering Task Force, and the North Atlantic Treaty Organization.

Auditors also identified multiple U.S. government organizations that participate in programs that can affect cyberspace policy and governance. The organizations that are involved include the National Security Council, as well as the Commerce, State, Defense, Justice and Homeland Security departments.

GAO said the government faces several impediments to formulating and putting in place a coherent approach to addressing the global aspects of cyberspace that include:

• Providing top level leadership.
• Developing a coherent and comprehensive strategy.
• Coordinating across all relevant federal entities.
• Ensuring cyber space-related technical standards and policies don’t put unnecessary barriers on U.S. trade.
• Participating in international response for cyber incidents.
• Differing legal systems and enforcing U.S. criminal and civil laws.
• Defining international norms for cyber space.

“Until these challenges are addressed, the United States will be at a disadvantage in promoting its national interests in the realm of cyberspace,” the report said.

GAO recommended White House Cybersecurity Coordinator Howard Schmidt:

• Make recommendations agencies and coordination committees about necessary changes to more effectively coordinate and develop a coherent national approach to cyberspace policy.
• Develop with relevant federal agencies, a comprehensive U.S. global cyberspace strategy.
• Enhance the interagency coordination mechanisms.
• Work with DHS, State and other organizations to establish protocols for working on cyber incident response globally.
• Determine with Defense, State and others which, if any, cyberspace norms should be defined to support U.S. interests in cyberspace.

GAO said that in response to a draft of the report, Schmidt and his staff generally concurred with the auditors’ recommendations and stated actions they’ve already taken to deal with them.

However, regarding GAO’s findings and conclusions, GAO said Schmidt and his staff said the report doesn’t fully portray their leadership, efforts to develop a strategy, or improvements made in interagency coordination. The administration officials emphasized their engagement in establishing bilateral relationships with foreign countries and continued improved coordination.