Feds Slow in Protecting Computer Networks from Cyber-Threats, Study Finds

Federal agencies are woefully behind in achieving their goal of protecting computer networks despite President Obama's pledge to make cybersecurity a top administration priority, according to a report by the Government Accountability Office.

The report reveals that officials are making slow progress on all but two of the 24 specific goals the government outlined to shore up the nation's digital infrastructure in the president's May 2009 cyber policy review.

Those two goals, according to the report issued two weeks ago, are the appointments of a cybersecurity czar responsible for coordinating the nation's cyber policy and activities, and an official responsible for addressing privacy and civil liberties concerns.

Officials from key agencies involved in the cybersecurity efforts -- including the Department of Defense and the Office of Management and Budget -- attribute the slow implementation of the other 22 recommendations to slow-moving agencies that have "not been assigned roles and responsibilities with regard to recommendation implementation," according to the GAO report.

"Specifically, although the policy review report calls for the cybersecurity policy official to assign roles and responsibilities, agency officials stated they have yet to receive this tasking and attribute this to the fact that the cybersecurity official position was vacant for 7 months," the 66-page report reads.

That position was filled by Howard Schmidt, the so-called "cyber czar," late last year.

The GAO report found that officials from pertinent agencies stated that several midterm recommendations were too broad and will require action over multiple years before full implementation. Federal officials did report, however, that they have efforts planned or underway toward enacting the remaining 22 recommendations.

"While these efforts appear to be steps forward, agencies were largely not able to provide milestones and plans that showed when and how implementation was to occur," the report reads.

Specifically, 16 of the 22 near-term and midterm recommendations did not have milestones and implementation plans.

"Consequently, until roles and responsibilities are made clear and the schedule and planning shortfalls identified above are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country's cyber infrastructure at risk," the report reads.

In a statement to FoxNews.com, Sen. Olympia Snowe, R-Maine, said it's imperative that the Obama administration and Congress work together to address the "urgent threat" of cyber attacks.

"The administration must promptly complete the interagency cybersecurity review, and we in Congress stand ready to work with the administration to swiftly enact legislation that will protect and preserve American cyberspace," Snowe said. "We can no longer afford to wait to pass comprehensive cybersecurity reform -- our national and economic security may depend upon it."

Cybersecurity experts contacted by FoxNews.com had mixed reactions to the GAO report. Some, citing the massive scale of the 24 initiatives, said any progress advances the goal.

Darren Hayes, a professor of computer science at Pace University in New York, said part of the problem is that the United States is not producing enough specialists in information technology and security. He cited 2000 Census figures that revealed that 47 percent of all U.S. scientists and engineers with doctorates were foreign-born.

"It happens at the grassroots level," Hayes told FoxNews.com. "Sometimes it's just a matter of education. Education is really, really important. Some of these initiatives are more long-term, and just getting enough IT professionals is very difficult. We're simply not producing enough people, so trying to fix that is another long-term initiative. The government does have a difficult job to carry out."

One key recommendation in the GAO report that needs swift attention is to develop a set of threat scenarios and metrics that could be used for risk management decisions and recovery planning, according to Reza Curtmola, an assistant professor of computer science at New Jersey's Science & Technology University.

"We don't have a basic good set of metrics on how to determine how secure our systems and networks are," Curtmola said, citing the complexity of software needed to perform that task.

He said he thinks the state of the nation's overall cybersecurity is "not as bad as it sounds" in the GAO report, but there is nonetheless a need for clearly defined milestones.

Will McGill, an assistant professor of information sciences and technology at Penn State University, said he found the GAO report "fairly thin" and said any recent progress should be welcomed.

"It's not like we're going down, we're just staying the same and we're looking to do better," McGill said. "The fact that something is being done on those recommendations is still a reduction in risk."

McGill said the government is far from the only cybersecurity stakeholder. He said a degree of responsibility trickles down from the federal government to municipalities to private organizations to private individuals.

"Just looking at the big picture, I don't think they're doing anything wrong, but they're moving a bit slower than I'd like," he said. "The pace could be accelerated, but saying that by not [completing the recommendations] our risk is going up is incorrect."

In a statement to FoxNews.com, National Security Council (NSC) officials cited "significant progress" made on near-term priority items, including the approval of a National Cyber Incident Response Plan (NCIRP), the release of a draft of the National Strategy for Trusted Identities in Cyberspace and an ongoing public information campaign called "Stop. Think. Connect."

NSC officials also noted that the GAO report identified many of the recommendations as long-term fixes that will require years of sustained effort.

"Cybersecurity also requires a whole of government, and, indeed, a whole of nation approach," the statement read. "The cross-cutting nature of the cybersecurity policy area is why the President appointed [Schmidt] to orchestrate activities across the federal government to achieve a more secure and resilient information and communications infrastructure."

The statement concluded, "We are more secure today than we were a year ago and we will continue to make progress and take action in this vital area."