For most of its history, the National Institute of Standards and Technology has been an important, if un-sexy arm of the U.S. government. Originally the National Bureau of Standards, NIST is the U.S. government’s measurements and standards laboratory, with a mission to promote innovation and industrial competitiveness by advancing technology standards.
That reputation took a hit, however, in recent weeks, after it was revealed that one standard the Institute promoted, the Digital Signature Standard (DSS), was developed by the National Security Agency (NSA) and contained a back door that would allow the agency to subvert the encryption and view information protected with it. After initially saying little about the controversy, NIST was forced to warn the technology community away from the DSS and announce that it was revisiting some of its other encryption standards.
Amidst the controversy, however, NIST has kept plugging along on one of its core missions these days: promoting standards for cyber security within the government and private sector. What’s unclear is whether the NSA scandal and the revelation of government meddling in NIST’s standards process will come back to haunt the government’s key standards body.
At the top of the list is NIST’s continuing work to bring about a framework for securing critical infrastructure in the U.S. This was one of the mandates created by President Obama’s Executive Order of Cyber Security in February of this year. That Order required NIST to publish its framework – at least in draft form – by October 10. NIST has held a number of workshops to get feedback from the technology community – the most recent was in Dallas in early September.
The framework divides cyber security activity into five functions: identify, protect, detect, respond, and recover; with organizations asked to implement “capabilities” (broadly defined) in each area. The idea is to help organizations across industries align their cyber security risk posture with their business needs and with industry peers and partners. (Executive Summary here: http://www.nist.gov/itl/upload/discussion-draft_executive-overview-082813.pdf)
Word on the street suggests that the Institute will have its hands full even turning around another draft ahead of its early October deadline, what with hundreds of standards contained within the current draft. Reports so far suggest that NIST is hearing from private industry representatives that its draft is too long, too complex and not sufficiently sensitive to the needs of organizations of different sizes within very different industries.
Even if NIST hits its October deadline for publishing a new draft of the standard and the subsequent February, 2014 deadline for finalizing the standard, the big challenge will be getting the private sector to buy in and adopt it. NIST, you see, isn’t a regulatory body. Its standards are voluntary and it can’t compel organizations to adopt them – though historically, many have looked to NIST as a fair and reliable arbiter of best practices.
“NIST is viewed by many within the government as the best vehicle to work across industry sectors and as an honest broker,” Howard Schmidt, the former Cyber-Security Coordinator in the Obama Administration and now a partner in Ridge Schmidt Cyber LLC, told me in an interview. But, Schmidt added, “what makes (cyber security standards) work is how many people are willing to adopt them.”
And that’s where NIST’s involvement (albeit unintentional) in the NSA’s efforts to spy on encrypted communications becomes so problematic.
“One of the unfortunate side effects of (the NSA incident) is that NIST is always in collaboration mode,” said Schmidt. “They have to work with government and academia. But if the government acts in bad faith, and NIST says ‘that looks good’ and publishes that work, it looks as if they were led down a path.”
Schmidt remains confident that NIST will continue to be a body that government and industry can trust. And the agency has certainly been busy of late – releasing new guidelines this week in areas like Software Asset Management, and issuing $2 million in grants to Pennsylvania and Michigan to test new technology to improve secure access to government services and federal assistance programs.
At the end of the day, Schmidt says, NIST will continue to be vital because its role as a neutral arbiter in a highly balkanized technology space is so critical. Whether it’s drafting and then promoting standards or collaborating with industries and executives to help get those standards implemented, there’s a lot that NIST does that nobody else can.