NIST and state of Maryland establish cybersecurity lab

Center will gather computer scientists and users to test strategies for protecting e-government and e-commerce.

At NIST headquarters, Sen. Barbara Mikulski, D-Md., said, "The new enduring war is a cyberwar. Harry Hamburg/AP

The Commerce Department and state of Maryland are opening an office near the National Institute of Standards and Technology headquarters in Montgomery County to create jobs and invent ways to safeguard online transactions.

Maryland Democratic Sen. Barbara Mikulski, chairwoman of the Senate committee that funds NIST, secured $10 million to start operating the National Cybersecurity Center of Excellence this year. The goal of the facility is to turn cybersecurity research into everyday protections for workplaces and home computers. Mikulski, NIST and local government officials described the new venture during a Monday press briefing.

"America's under attack -- America's under attack right this minute," Mikulski said. "The new enduring war is a cyberwar," with successful attempts to hack into U.S. dealings on the dot-mil, dot-gov and dot-com domains. Maryland Lt. Gov. Anthony G. Brown noted that Fort Meade, Md., is home to the Pentagon's Cyber Command.

The next step, federal officials said, is to situate a computer lab in an existing building close to NIST's campus in Gaithersburg. The initiative will generate 23 new jobs in Montgomery County and is expected to help expand the e-commerce workforce.

NIST Director Patrick Gallagher said the center will not directly certify cybersecurity professionals, but the collaboration among participants could result in the launch of credentialing programs. Strengthening professional cybersecurity credentials has stirred debate between existing certification bodies and critics who believe a government-run board of examiners should be established to make the certification regime more rigorous.

Regarding the issue of computer security credentials, Mikulski said, "That's really up to professional associations."

The center, co-sponsored by NIST, Maryland and Montgomery County, will provide partnering organizations with office space, as well as basic hardware and infrastructure, federal officials said.

"You don't have to pay anything, and you'll be able to work with us to incorporate these technologies into your products," Gallagher said. "This is all about tech transfer."

NIST computer scientists, commercial product developers and researchers from nearby University of Maryland campuses and other institutions will work side by side to test strategies for securing e-government and e-commerce services, the assembled officials said.

The teams for instance, might design standard software and personnel policies for thwarting the interception of smartphone transactions. Each find will be made freely available to the average Internet user and technology vendors for real-world application, according to officials.

Company personnel who work on projects with NIST at the center will still be paid by their private employers, Mikulski explained.

To underscore the need for better protections, NIST officials cited 2011 private sector studies that found 69 percent of adults worldwide had been victims of cybercrime during their lifetimes, and the median cost of breaches for U.S. companies is $5.9 million annually, but can range from $1.5 million to $36 million.

Geopolitical intelligence provider Stratfor was dealt a $50 million lawsuit after a Christmas 2011 hack exposed sensitive data on about 100,000 government and industry subscribers, according to U.S. district court documents. The U.S.-based company already had hired an identity theft protection firm to aid customers and reportedly has called the suit meritless.

A common problem with computer security systems is they aren't really systems, but rather piecemeal antivirus tools and disjointed security measures that fail to consider all threats, some experts say. The idea is that by bringing together product users and developers, both sides of the pipeline can better identify security holes. Teams will tackle specific real-world cases, such as finding a way to let employees work on their personal smartphones without compromising business data if the device is lost or if an employee leaves a job, officials said.

Separately, a federally funded youth training program is slated to hold workshops in Washington on March 6 for government and industry executives looking to recruit the next cyberspace defenders. The U.S. Cyber Challenge, established in 2009, aims to discover 10,000 individuals with the talent and interest to stem the nation's cybersecurity workforce shortages.

The original story misstated the year the U.S.Cyber Challenge was established. It has been corrected.