The U.S. economy is a complex amalgamation of interconnected—and, often, interdependent—information systems. Besides e-commerce transactions totaling more than $200 billion annually, interconnected computer networks are essential for life-critical functions, such as air traffic control, integrated manufacturing operations, and electric power distribution. Ubiquitous and indispensable, networked systems face a rising threat of malicious attack from individuals, organizations, and nation states that are targeting key information technology operations and assets. In fact, "[F]ederal agencies report increasing cyber-intrusions into government computer networks, perpetrated by a range of known and unknown actors."1
The Administration believes the reliability of U.S. cyber systems is essential to our economy, physical and information infrastructure, public safety, and national security, and has ordered a review of national cyber security efforts, which should help to guide efforts to defend against increasingly sophisticated attackers.
Proposed NIST Program
NIST has expertise and experience in fundamental security technologies, such as cryptography, risk management, biometrics, tokens, operating system security, security protocols, and authentication. Its strategic relationships with the IT community facilitate adoption of research outputs and resulting standards. This proposed initiative will:
- Develop methods to characterize the large-scale structure and dynamics of interconnected systems, including their ability to resist attacks, as well as models capable of predicting the behavior of interconnected networks under stress or as a result of changes in network components;
- Develop techniques to evaluate and improve the mobility, interoperability, security, resilience, and robustness of key network technologies;
- Work toward new encryption algorithms necessary to counter the prospect of quantum computers, which would be able to break public key algorithms now used for electronic commerce and other critical applications;
- Evaluate virtualization technologies for separating different classes of data received from external networks, which would allow rapid and dynamic adjustment of system resources in response to varying needs and situations; and
- Develop metrics for the usability of cyber security systems, facilitate integration of usability principles into product design processes, and lead research projects to investigate methods for aligning user goals with organizational security goals.
Anticipated outcomes of this cyber security initiative will include:
- Reduced vulnerability to attack;
- Increased productivity in cyber security efforts;
- Improved usability of cyber security technologies;
- Improved cryptographic key management; and
- Increased understanding of the security vulnerabilities of new networking technologies, such as cloud computing.
1. J. Rollins and A.C. Henning, Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations. Congressional Research Service, March 10, 2009.