How a Commerce Department Standards Agency Grew Into a Cybersecurity Powerhouse

The National Institute of Standards and Technology has a hand in nearly every aspect of government cybersecurity.

The orientation for new employees of the National Institute of Standards and Technology typically includes a story about the Great Baltimore Fire of 1904.

That fire raged for 30 hours and consumed more than 1,500 buildings across 70 city blocks. When the Baltimore Fire Department proved unable to fight the blaze on its own, firefighters brought equipment to the city from Washington D.C., Annapolis, Philadelphia and as far away as New York City.

But because there were no uniform standards for the fixtures that connect fire hydrants and hoses at the turn of the last century, many of those out-of-town firefighters arrived in Baltimore to learn the equipment they’d lugged tens or hundreds of miles was useless.

“Some of the responding fire companies’ hoses fit the Baltimore hydrant connections; others did not,” NIST recalled in a 2004 publication marking the fire’s centennial. The lack of a national standard was leaving American lives and properties highly vulnerable.

NIST’s predecessor agency, the National Bureau of Standards, didn’t develop the uniform fittings for hoses and hydrants that, over the next several decades, became standard across the United States. That was done by a committee of the National Fire Protection Association.

The Bureau of Standards was on the case early, though, surveying and cataloging the roughly 600 different types of fittings that had proliferated across the country by 1904.

That story of hose and hydrant fittings has come to exemplify the way NIST views itself more than a century later, said Ari Schwartz, a former top White House cyber official who previously led internet policy at NIST.

“NIST likes to come up with definitions for things and controls, to come up with standard ways to look at things,” he said. “That’s really the basis for the security work they do.”

Speaking a Common Language

NIST’s standards work helps set the parameters for how government, industry and academia speak a common language about everything from DNA to fingerprint analysis to energy efficiency to the fat content and calories in a jar of peanut butter.

Over the last few decades, NIST has increasingly turned its passion for standards, measurements and controls to the complex problem of keeping information secure on the internet.

In the 1990s, that involved approving the basic cryptographic algorithms that keep digital information securely encoded before it is viewed by its intended recipient. By 2014, the agency had developed a cybersecurity framework that is on its way to becoming a standard model for industry.

Now NIST is working on cybersecurity standards for the internet of things, artificial intelligence and other issues on the frontier of emerging technology.

It’s also helping to develop a new set of international cryptographic standards that can withstand the decoding power of hyper-powerful quantum computers. NIST’s goal is to have those quantum-resistant crypto standards ready within three to five years, said Matthew Scholl, division chief of the institute’s computer security section.

With luck, that should be before true quantum computers, which will use quantum mechanics to dwarf the computing power of traditional computers that rely on binary computation, actually exist, he said.

“Right now, it’s math against math,” Scholl said.

Digging Into Everything

During roughly the past decade, NIST has injected itself into nearly every aspect of computer security in the federal government through myriad publications organized with an opaque numbering system.

NIST Special Publication 800-53 describes security and privacy controls for all federal information systems. Special Publication 800-171 expands many of those requirements to contractors that handle unclassified but sensitive government information.

Other major publications deal with the security of computer clouds, mobile devices and identity verification credentials. There are also publications that deal with controls for special infrastructure sectors such as the electric grid and medical devices.

The institute’s cybersecurity framework, which was first published in 2014 as a guidebook for industry, must now be followed by all federal agencies under a May executive order by President Donald Trump.

Even before the cyber framework was officially mandated for agencies, many of them were essentially using it, and agency inspectors general were using framework categories to assess their agencies’ cyber protections, Scholl said.

An updated draft of NIST’s Special Publication 800-37 outlines how agencies could adopt shared technology services—another major priority of Trump’s executive order—without forcing each agency to fully and independently vet a technology or service that’s shared with it. Importantly, the update does not devolve responsibility for failed shared services or technology entirely on the agency doing the sharing.

In 2012, the institute launched a Cybersecurity Center of Excellence, a testing center that’s partly run under contract by the MITRE Corporation and is the first federally funded research and development center within the Commerce Department.

“NIST plays that role of translating policy into good practices and operation,” said Dan Chenok, executive director of the IBM Center for Business and Government, who previously led NIST’s information security advisory board.

“NIST is a really interesting combination of scientific exploration with a more practical understanding of what’s working in government and industry and how do we translate that,” he said.

‘Asked To Do More and More’

With NIST’s upgraded responsibility for the cybersecurity of government and critical industry has also come renewed attention from lawmakers.

Charles Romine, the director of NIST’s Information Technology Laboratory, which includes the institute’s cyber work, has testified four times before Congress so far this year, about topics ranging from the WannaCry ransomware attack to the dangers posed by facial recognition technology.

NIST Chief Cybersecurity Advisor Donna Dodson was called before the House Science Committee last month for a hearing about a governmentwide ban on the Russian anti-virus firm Kaspersky, over which NIST has no control whatsoever.

Legislation that requires NIST to offer additional cybersecurity resources to small businesses passed in both the House and Senate last month and is awaiting action by a conference committee.

“They’re being asked to do more and more,” said Chris Boyer, an AT&T executive who now chairs the NIST Information Security and Privacy Advisory Board. “You look at the volume they’re putting out and one concern is that at some point they’re going to reach a saturation level.”

The squeeze may become even tighter next year. The White House’s proposed budget included a 13 percent cut for NIST research and a roughly 9 percent cut for the institute’s cyber research. Both the House and Senate Commerce funding bills pared that figure back substantially, but both retained some cuts.

“If they’re going to keep being asked to do more by both the administration and the Hill, then they need to have the resources to do that,” Boyer said.

NIST cyber officials insist tight budgets have not crunched their work. They point to the expanded focus on cybersecurity within the Information Technology Lab, including the elevation of the cyber mission as part of a 2010 reorganization.

Dodson also touted NIST’s expanding partnerships with private sector companies, which contribute research and feedback to the institute’s efforts.

That includes 31 firms—among them tech leaders such as Amazon, Microsoft, Intel and Symantec—that have partnered with NIST’s cyber center of excellence, either by sharing hardware and software tools or by contributing cyber experts to do work in the lab.

Expanding Mission

NIST’s cyber mission may grow faster than the institute is able to rein it in, though.

Earlier this year, the House Science Committee introduced legislation that would have directed NIST to audit individual agencies’ cyber preparedness, a massive undertaking that does not, as of yet, include any new money.

Boyer and Chenok both declined to weigh in on that specific bill but both noted that much of NIST’s value for federal agencies comes from being seen as a partner rather than an enforcer.

“The thing you hear from a lot of people is that NIST is viewed as an honest broker and more of a partner in security,” Boyer said. “So, you’d be flipping the dynamic and putting it in both the role of a partner in security and an auditor and I think that’s not a good model.”

The committee pared that bill back last month so that NIST will only be responsible for helping agency inspectors general with the audits, but it’s still not clear where the money for such work would come from.

Overall, Boyer said, NIST will fare best if it continues its core work in information security, identity verification and cryptography without expanding so much it loses focus.

“There are so many moving parts now, it’s difficult to keep up,” he said. “What I worry about is that, for these things to be successful, you need buy-in from everyone, including the private sector and the agencies. If you overwhelm them with activity, at some point, buy-in starts to go down because people don’t understand what’s going on.”
