The U.S. Government Accountability Office (GAO) is finalizing its report on the country's capability to protect and defend itself from cyber-attack, and its words are not kind. The primary responsibility for monitoring and securing the country's networks and digital assets falls to the United States Computer Emergency Readiness Team, or US-CERT, a partnership organization between the Department of Homeland Security (DHS) and both the public and private sectors. Founded in September 2003, US-CERT was responsible for the 2004 Einstein initiative, meant to detect and collect information on attacks at government agencies, and is currently backing the expanded (and hopefully more widely deployed) Einstein 2 program.

Unfortunately for US-CERT, the GAO report is more interested in today's events than the organization's future plans. The draft report BusinessWeek obtained states that US-CERT "still does not exhibit aspects of the attributes essential to having a truly national capability." Later in the document, GAO claims that the organization "lacks a comprehensive baseline understanding of the nation's critical information infrastructure operations, does not monitor all critical infrastructure information systems, does not consistently provide actionable and timely warnings, and lacks the capacity to assist in mitigation and recovery in the event of multiple, simultaneous incidents of national significance."

Not surprisingly, US-CERT has challenged this evaluation. While the organization admits there have been problems, DHS spokesperson Laura Keehner stated: "We are undertaking something not unlike the Manhattan Project. We have set a strong cyber-strategy, recently created the National Cyber Security Center, and are in the process of aggressively hiring several hundred analysts to further our mission of securing critical infrastructure." She goes on to detail DHS' commitment to working with the public and private sector in securing the nation's infrastructure, and we saw some evidence of that when new NCSC director Rod Beckstrom attended and spoke at Black Hat. Beckstrom believes that the best and brightest from both sectors will need to cooperate if the nation wishes to secure its infrastructure, and generally advocates information-sharing and cooperation.

GAO, however, has not been swayed by DHS' rhetoric, despite the agency's plans to expand the Einstein program, hire more analysts, and aggressively expand its real-time intrusion detection and response systems. From the draft report: "It is unclear whether these actions will help US-CERT—or whatever organizational structure is ultimately charged with coordinating national cyber-analysis and warning efforts—achieve the objectives" [of the security initiatives set before it].

With the Bush era drawing to a close, the issues GAO raises in its draft report will be of significant concern to the next president, whoever that may be. It's not clear when the final version of this report will be released, but an independently convened commission is due to report on its own findings, which apparently echo at least some of GAO's findings, to the next president in November. The next commander-in-chief will be presented with an up-to-date and current briefing on both the country's current and future cybersecurity initiatives, but what happens afterwards is anyone's guess.