Summary

Pervasive and sustained computerbased (cyber) attacks against federal and private-sector infrastructures pose a potentially devastating impact to systems and operations and the critical infrastructures that they support. To address these threats, President Bush issued a 2003 national strategy and related policy directives aimed at improving cybersecurity nationwide. Congress and the Executive Branch, including the new administration, have subsequently taken actions to examine the adequacy of the strategy and identify areas for improvement. Nevertheless, GAO has identified this area as high risk and has reported on needed improvements in implementing the national cybersecurity strategy. In this testimony, you asked GAO to summarize (1) key reports and recommendations on the national cybersecurity strategy and (2) the views of experts on how to strengthen the strategy. In doing so, GAO relied on its previous reports related to the strategy and conducted panel discussions with key cybersecurity experts to solicit their views on areas for improvement.

Over the last several years, GAO has consistently reported that the Department of Homeland Security (DHS) has yet to fully satisfy its responsibilities designated by the national cybersecurity strategy. To address these shortfalls, GAO has made about 30 recommendations in key cybersecurity areas. While DHS has since developed and implemented certain capabilities to satisfy aspects of its cybersecurity responsibilities, it still has not fully satisfied the recommendations, and thus further action needs to be taken to fully address these areas. In discussing the areas addressed by GAO's recommendations as well as other critical aspects of the strategy, GAO's panel of cybersecurity experts identified 12 key areas requiring improvement. GAO found these to be largely consistent with its reports and its extensive research and experience in the area. Until GAO's recommendations are fully addressed and the above improvements are considered, our nation's federal and private-sector infrastructure systems remain at risk of not being adequately protected. Consequently, in addition to fully implementing GAO's recommendations, it is essential that the improvements be considered by the new administration as it begins to make decisions on our nation's cybersecurity strategy.