Nation lacks a prioritized agenda for cybersecurity R&D, says GAO
The federal government lacks a national agenda for research and development around cybersecurity, according to a new report from the Government Accountability Office. The report urges the Office of Science and Technology Policy, in conjunction with the national cybersecurity coordinator, to improve the state of federal cybersecurity R&D.
"Without a current national cybersecurity R&D agenda, the nation is at risk that agencies and private sector companies may focus on their individual priorities, which may not be the most important national research priorities," the GAO warns.
GAO recommends that OSTP take four specific actions:
- Create a comprehensive national R&D agenda with near-term (1-3 years), mid-term (3-5 years), and long-term (5 years or longer) goals;
- assess human capital weaknesses among the cybersecurity research community and, with the help of the cyber czar, make plans to address shortages;
- with the Office of Management and Budget, develop a system to track all ongoing and completed federal cybersecurity R&D projects and associated funding; and
- use that tracking system to make federal R&D information available to federal agencies and the private sector.
According to GAO, a governmentwide repository that tracks federally funded R&D was previously mandated by Congress--in the E-Government Act of 2002--but still does not exist.
The report reserves special criticism for OSTP's Subcommittee on Networking and Information Technology Research and Development (NITRD).
"NITRD's lack of leadership has been noted by many experts as well as by a presidential advisory committee," said the report. "Until NITRD exercises its leadership responsibilities, federal agencies will lack overall direction for cybersecurity R&D."
Five agencies--National Science Foundation, Department of Homeland Security, Department of Defense, Department of Energy and National Institute of Standards and Technology--fund and conduct much of the government's cybersecurity R&D, but 14 government entities are involved in the oversight and coordination of cybersecurity research (see a chart of the organizations and their roles here).
OSTP, in its official reaction to the GAO report, said that it has a 5-year plan for cybersecurity R&D and that it is available online (.pdf). Patrick Gallagher, assistant director of the National Institute of Standards and Technology information technology laboratory, also disputed the report's findings. In a letter to the GAO, Gallagher said the report "creates the impression that there is little leadership, coordination, and planning" for cybersecurity R&D.
"We believe that OSTP and NITRD are coordinating research activities," he added.
For more:
- see the report GAO-10-466 (.pdf)
- see a chart from the report on the federal entities involved in Cybersecurity R&D oversight