How a Commerce Department Standards Agency Grew Into a Cybersecurity Powerhouse
The National Institute of Standards and Technology has a hand in nearly every aspect of government cybersecurity.
The orientation for new employees of the National Institute of Standards and Technology typically includes a story about the Great Baltimore Fire of 1904.
That fire raged for 30 hours and consumed more than 1,500 buildings across 70 city blocks. When the Baltimore Fire Department proved unable to fight the blaze on its own, firefighters brought equipment to the city from Washington D.C., Annapolis, Philadelphia and as far away as New York City.
But because there were no uniform standards for the fixtures that connect fire hydrants and hoses at the turn of the last century, many of those out-of-town firefighters arrived in Baltimore to learn the equipment they’d lugged tens or hundreds of miles was useless.
“Some of the responding fire companies’ hoses fit the Baltimore hydrant connections; others did not,” NIST recalled in a 2004 publication marking the fire’s centennial. The lack of a national standard was leaving American lives and properties highly vulnerable.
NIST’s predecessor agency, the National Bureau of Standards, didn’t develop the uniform fittings for hoses and hydrants that, over the next several decades, became standard across the United States. That was done by a committee of the National Fire Protection Association.
The Bureau of Standards was on the case early, though, surveying and cataloging the roughly 600 different types of fittings that had proliferated across the country by 1904.
That story of hose and hydrant fittings has come to exemplify the way NIST views itself more than a century later, said Ari Schwartz, a former top White House cyber official who previously led internet policy at NIST.
“NIST likes to come up with definitions for things and controls, to come up with standard ways to look at things,” he said. “That’s really the basis for the security work they do.”
Speaking a Common Language
NIST’s standards work helps set the parameters for how government, industry and academia speak a common language about everything from DNA to fingerprint analysis to energy efficiency to the fat content and calories in a jar of peanut butter.
Over the last few decades, NIST has increasingly turned its passion for standards, measurements and controls to the complex problem of keeping information secure on the internet.
In the 1990s, that involved approving the basic cryptographic algorithms that keep digital information securely encoded before it is viewed by its intended recipient. By 2014, the agency had developed a cybersecurity framework that is on its way to becoming a standard model for industry.
Now NIST is working on cybersecurity standards for the internet of things, artificial intelligence and other issues on the frontier of emerging technology.
It’s also helping to develop a new set of international cryptographic standards that can withstand the decoding power of hyper-powerful quantum computers. NIST’s goal is to have those quantum-resistant crypto standards ready within three to five years, said Matthew Scholl, division chief of the institute’s computer security section.
With luck, that should be before true quantum computers, which will use quantum mechanics to dwarf the computing power of traditional computers that rely on binary computation, actually exist, he said.
“Right now, it’s math against math,” Scholl said.
Digging Into Everything
During roughly the past decade, NIST has injected itself into nearly every aspect of computer security in the federal government through myriad publications organized with an opaque numbering system.
NIST Special Publication 800-53 describes security and privacy controls for all federal information systems. Special Publication 800-171 expands many of those requirements to contractors that handle unclassified but sensitive government information.
Other major publications deal with the security of computer clouds, mobile devices and identity verification credentials. There are also publications that deal with controls for special infrastructure sectors such as the electric grid and medical devices.
The institute’s cybersecurity framework, which was first published in 2014 as a guidebook for industry, must now be followed by all federal agencies following a May executive order by President Donald Trump.
Even before the cyber framework was officially mandated for agencies, many of them were essentially using it, and agency inspectors general were using framework categories to assess their agencies’ cyber protections, Scholl said.
An updated draft of NIST’s Special Publication 800-37 outlines how agencies could adopt shared technology services—another major priority of Trump’s executive order—without forcing each agency to fully and independently vet a technology or service that’s shared with it. Importantly, the update does not devolve responsibility for failed shared services or technology entirely on the agency doing the sharing.
In 2012, the institute launched a Cybersecurity Center of Excellence, a testing center that’s partly run under contract by the MITRE Corporation and is the first federally funded research and development center within the Commerce Department.
“NIST plays that role of translating policy into good practices and operation,” said Dan Chenok, executive director of the IBM Center for Business and Government, who previously led NIST’s information security advisory board.
“NIST is a really interesting combination of scientific exploration with a more practical understanding of what’s working in government and industry and how do we translate that,” he said.
‘Asked To Do More and More’
With NIST’s upgraded responsibility for the cybersecurity of government and critical industry has also come renewed attention from lawmakers.
Charles Romine, the director of NIST’s Information Technology Laboratory, which includes the institute’s cyber work, has testified four times before Congress so far this year, about topics ranging from the WannaCry ransomware attack to the dangers posed by facial recognition technology.
NIST Chief Cybersecurity Advisor Donna Dodson was called before the House Science Committee last month for a hearing about a governmentwide ban on the Russian anti-virus firm Kaspersky, over which NIST has no control whatsoever.
Legislation that requires NIST to offer additional cybersecurity resources to small businesses passed in both the House and Senate last month and is awaiting action by a conference committee.
“They’re being asked to do more and more,” said Chris Boyer, an AT&T executive who now chairs the NIST Information Security and Privacy Advisory Board. “You look at the volume they’re putting out and one concern is that at some point they’re going to reach a saturation level.”
The squeeze may become even tighter next year. The White House’s proposed budget included a 13 percent cut for NIST research and a roughly 9 percent cut for the institute’s cyber research. Both the House and Senate Commerce funding bills pared that figure back substantially, but both retained some cuts.
“If they’re going to keep being asked to do more by both the administration and the Hill, then they need to have the resources to do that,” Boyer said.
NIST cyber officials insist tight budgets have not crunched their work. They point to the expanded focus on cybersecurity within the Information Technology Lab, including the elevation of the cyber mission as part of a 2010 reorganization.
Dodson also touted NIST’s expanding partnerships with private sector companies, which contribute research and feedback to the institute’s efforts.
That includes 31 firms—among them tech leaders such as Amazon, Microsoft, Intel and Symantec—that have partnered with NIST’s cyber center of excellence, either by sharing hardware and software tools or by contributing cyber experts to do work in the lab.
NIST’s cyber mission may grow faster than the institute is able to rein it in, though.
Earlier this year, the House Science Committee introduced legislation that would have directed NIST to audit individual agencies’ cyber preparedness, a massive undertaking that does not, as of yet, include any new money.
Boyer and Chenok both declined to weigh in on that specific bill but both noted that much of NIST’s value for federal agencies comes from being seen as a partner rather than an enforcer.
“The thing you hear from a lot of people is that NIST is viewed as an honest broker and more of a partner in security,” Boyer said. “So, you’d be flipping the dynamic and putting it in both the role of a partner in security and an auditor and I think that’s not a good model.”
The committee pared that bill back last month so that NIST will only be responsible for helping agency inspectors general with the audits, but it’s still not clear where the money for such work would come from.
Overall, Boyer said, NIST will fare best if it continues its core work in information security, identity verification and cryptography without expanding so much it loses focus.
“There are so many moving parts now, it’s difficult to keep up,” he said. “What I worry about is that, for these things to be successful, you need buy-in from everyone, including the private sector and the agencies. If you overwhelm them with activity, at some point, buy-in starts to go down because people don’t understand what’s going on.”