Obama's cybersecurity initiative mired in 'shortfalls,' audit says

By Michael Martinez, CNN
  • New: One expert calls the findings "disturbing"
  • New: October is National Cybersecurity Awareness Month
  • Report: 22 of 24 recommendations for cybersecurity remain to be fully acted upon
  • A lack of assigned roles and plans for implementation are among the problems cited

(CNN) -- More than a year after President Barack Obama called for improved national cybersecurity, only two of his recommendations have been fully implemented, while the remaining 22 have been only partially implemented, a federal audit has found.

Delays stem from federal agencies "moving slowly because they have not been assigned roles and responsibilities," the Government Accountability Office said in a report this month. Also, a new White House cybersecurity coordinator position remained vacant for seven months, auditors said.

Most of the recommendations also lacked milestones and plans for implementation, the report found.

"Consequently, until roles and responsibilities are made clear and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country's cyber infrastructure at risk," the report said.

On Thursday, one expert in computer forensics and security said he found the audit's findings "disturbing" because the United States continues to be at risk for cyber attacks on targets such as the infrastructure of the banking system or utilities.

"It's disturbing because we are vulnerable in the meantime. Many of the recommendations in this report are not short-term fixes," said Darren Hayes, a lecturer and program chairman at Pace University's Seidenberg School of Computer Science and Information Systems in New York. "Research has shown that we are vulnerable right now."

The report comes in a month Obama has proclaimed to be National Cybersecurity Awareness Month, in which the president said protecting the country's digital infrastructure from cyber attacks is "a national security priority."

The only two fully implemented recommendations were the eventual hiring last December of the cybersecurity coordinator -- Howard Schmidt, who also is special assistant to the president -- and a privacy and civil liberties official, the audit said.

But officials in the Departments of Defense and Homeland Security and the Office of Management and Budget told auditors that they had yet to be assigned roles and responsibilities, largely because of the seven-month vacancy in the cybersecurity coordinator's post, the report said.

Federal agency officials also told auditors that several mid-term recommendations were quite broad and will actually take several years to be fully implemented, the report said.

While the agencies have been working on the 22 partially implemented recommendations, they were unable to provide methods to measure progress, the report said. In fact, 16 of those recommendations didn't specify plans for implementation, the GAO report said.

Obama initiated a review of government cybersecurity in early 2009, shortly after he took office, and a subsequent White House report listed 24 near- and mid-term action items to address threats.

As of last July, auditors found that among the partially implemented initiatives were developing a framework for research-and-development strategies and building a cybersecurity-based identity management strategy that protects privacy and civil liberties.

In an October 6 letter accompanying the audit's findings, David Powner, the GAO's director of information technology management issues, told congressional leaders that "federal agencies appear to be making progress toward implementing the recommendations but lack milestones, plans, and measures that are essential to ensuring successful recommendation implementation."