New GAO report and tips from NSA on ways to improve cybersecurity

A new report released yesterday by the Government Accountability Office (GAO) includes a reiteration of existing security issues and weaknesses across the federal government, and includes a dozen recommended actions to improve federal cybersecurity reflecting the results of panel discussions with public and private sector experts. It’s an ambitious list, but given the persistent of some of the problems, if the GAO can provide a roadmap that senior policy officials like still to-be-named cybersecurity czar can use to focus attention and direct resources to a set of priorities, there may be an opportunity to make some progress in these areas.

1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities.
2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy.
3. Establish a governance structure for strategy implementation.
4. Publicize and raise awareness about the seriousness of the cybersecurity problem.
5. Create an accountable, operational cybersecurity organization.
6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.
7. Bolster public-private partnerships through an improved value proposition and use of incentives.
8. Focus greater attention on addressing the global aspects of cyberspace.
9. Improve law enforcement efforts to address malicious activities in cyberspace.
10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts.
11. Increase the cadre of cybersecurity professionals.
12. Make the federal government a model for cybersecurity, including using its acquisition function to enhance cybersecurity aspects of products and services.

On a timely parallel note this week, NSA Information Assurance Director Richard Schaeffer Jr. testified before the Senate Judiciary Committee’s Subcommittee on Terrorism and Homeland Security that if agencies focused security efforts on instituting best practices, standard secure configuration settings, and good network monitoring, those actions alone can guard against the majority of threats and cyberattacks agencies face. This sort of 80/20 rule is not intended to obviate the need for risk assessments or comprehensive implementation of effective security controls in accordance with FISMA and other federal requirements, but the message from NSA seems to be a clear call to agencies to get the basics right.