From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Assessing the Nation's Cybersecurity Strategy

Description: Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology

Related GAO Work: GAO-13-187: Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented

Released: February 2013

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. It's February 2013. Cyber attacks on the nation's computer systems and networks have the potential to disrupt the operations of government and business as well as the lives of private individuals. A group led by Greg Wilshusen, a director in GAO's Information Technology team, recently reviewed the government strategy for dealing with cybersecurity. GAO's Jeremy Cluchey sat down with Greg to talk about what they found.

[ Jeremy Cluchey: ] Threats to the government's IT systems have increased quite a bit just over the last 6 years, as you note in this report. Can you talk a little bit about this growth?

[ Greg Wilshusen: ] Sure. Cyber threats to federal systems, as well as those systems supporting critical infrastructure, are growing and evolving. These threats come from a variety of sources and they vary in terms of the types and capabilities of the actors, their willingness to act, and their motives. Particularly menacing is the emergence of advanced persistent threats, and these are those where adversaries possess sophisticated resource... or sophisticated skills, levels of expertise, significant resources, and patience to pursue their objectives. Now, attendant with this increasing threat is also the dramatic increase in the number of security incidents that federal agencies are reporting. This has increased over 780 percent during the 6-year period that you mention, rising from about 5,500 incidents to over 48,500 in FY 2012.
While some of this increase is no doubt due to the agencies' increased detection and reporting capabilities, it also reflects that cyber threats are a clear and present danger.

[ Jeremy Cluchey: ] This is by no means GAO's first cybersecurity report and GAO's identified a range of challenges the government faces when it comes to tackling these threats over the years. Can you talk about some of those?

[ Greg Wilshusen: ] Sure. We have identified a number of challenges. One of these: we and agency IGs have consistently identified shortcomings in the agencies' programs for assessing risks, developing and implementing security controls, and monitoring results. Another challenge is their ability to detect, respond to, and mitigate cyber incidents. The Department of Homeland Security, which has overall responsibility for managing and overseeing the nation's critical infrastructure protection efforts, while it has made some incremental progress in coordinating the federal response to cyber incidents, challenges remain in sharing information among federal agencies and key private sector entities, including those owning critical infrastructures.

[ Jeremy Cluchey: ] What's the status of the government strategy for dealing with these challenges?

[ Greg Wilshusen: ] Well, that's part of the problem, Jeremy. While the government has developed various strategy-related documents over the years that address aspects of these challenges, it has not yet developed an overarching cybersecurity strategy that articulates policy actions, assigns responsibilities for performing them, and establishes time frames for their implementation. In addition, those existing strategy documents often do not address key characteristics that we have identified that can enhance their usefulness in allocating resources, defining policies, and helping to ensure accountability.

[ Jeremy Cluchey: ] Can you talk about some of the recommendations that GAO is making in this report?

[ Greg Wilshusen: ] Sure.
We are recommending that the White House Cyber Security Coordinator develop a federal cybersecurity strategy that includes all the key elements of the desirable characteristics of a national strategy. This strategy should also be used to better ensure that federal government departments and agencies are held accountable for making significant improvements in cybersecurity challenge areas by, among other things, clarifying how oversight will be effected. We also believe that Congress should consider legislation to better define the roles and responsibilities for implementing and overseeing federal information security programs and protecting the nation's critical cyber assets.

[ Jeremy Cluchey: ] Finally, for taxpayers concerned about the potential vulnerability of sensitive government information as well as personal information, what's the bottom line here?

[ Greg Wilshusen: ] Well, the federal agency and federal government are taking steps to try to improve the security and the protection of the sensitive information. But at the same time, vulnerability still exists in those systems and in their controls, and that information is still vulnerable to compromise either from an integrity or confidentiality perspective.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional Watchdog, the U.S. Government Accountability Office.