The vast interconnectedness of the modern Internet is both its prime benefit and its central vulnerability. Threats to the security and reliability of cyberspace come from many quarters—hackers, sophisticated organized crime groups, terrorists, even nations engaged in cyber warfare.
Costs to the nation from these threats are large and growing. A national survey by Consumer Reports estimated that spam, viruses, spyware, and phishing cost U.S. consumers almost $5 billion in 2010. In a study of 45 medium and large organizations (those with more than 500 employees), the Ponemon Institute found cybercrime cost them an average of about $3.8 million annually. This figure does not include routine practices such as purchases of antivirus software; it covers only the cost of coping directly with problems such as stolen intellectual property, viruses, malware, and theft from bank accounts.
The growing importance of online transactions demands that the nation's cyber infrastructure be secure. The Administration's Cyberspace Policy Review acknowledges the importance of a robust cyber infrastructure and lays out a set of initiatives to address these threats. The Review makes the case that strong federal leadership is needed now. Government must coordinate with the private sector to reduce cybercrime-related losses and increase confidence in IT communications systems.
NIST plays a leading role with the Department of Commerce in assuring that e-commerce continues to foster innovation, bolster industrial competitiveness and enhance economic growth and security. The Institute is a world leader in the development of improved cybersecurity practices and technologies. Its cybersecurity publications, protocols, and best practices are used extensively by both the public and private sectors to protect against cyber threats. The Computer Security Resource Center, the National Vulnerability Database, and an extensive series of publications that implement the Federal Information Security Management Act are just a few of NIST's many products used by literally millions of organizations and individuals to protect their cyber assets.
However, the current investment in NIST cybersecurity research and development is not commensurate with the problem. In response, the President's FY 2012 budget calls for a $43.4 million increase to NIST's cybersecurity efforts to fund new initiatives and accelerate progress in established programs. The effect of this increase will be to more than double funding for NIST R&D in this area with benefits many times the dollar value of the investment through improved protection of the nation's cybersecurity infrastructure.
Proposed NIST Program
NIST will apply its IT research and standards expertise and its strong track record for industry collaboration to significantly improve the security and interoperability of the nation's cyberspace infrastructure.
Scalable Cybersecurity for Emerging Technologies and Threats (+$14.9 million)
- Develop improved security techniques, support the creation of consensus security standards, increase the interoperability and usability of security technologies, and expedite the secure adoption of emerging information technologies.
- Targeted areas supported include cryptographic technologies and capabilities, multi-factor authentication for assuring online identities, security automation, usability of security, security measurement and modeling of large-scale systems, critical infrastructure testbeds, cloud computing cybersecurity standards, and secure adoption of virtual technologies.
National Program Office for the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the NSTIC Grant Program (+$24.5 million)
- Coordinate the execution and implementation of a national strategy to improve both the privacy and the security of sensitive online transactions.
- Work with the private sector and other federal agencies to encourage development of standards, technologies, and mechanisms for interoperable methods to authenticate the identities of individuals, organizations, and the underlying infrastructure for the purposes of enhanced trust, security, and privacy in online transactions.
- Provide $17.5 million in grants and other funding programs to conduct pilot projects of trusted authentication systems for various applications such as government services, e-commerce, and health IT.
National Initiative for Cybersecurity Education (+$4 million)
- Expand this program from one that trains the federal workforce to a larger national education program focused on identifying gaps in cybersecurity education, developing metrics to determine the effectiveness of cyber training efforts, deploying cybersecurity training tools through a Web-based portal, and coordinating with existing Science, Technology, Engineering, and Mathematics education programs.
Benefits and impacts expected to result from these initiatives include:
- Development of better management tools for strengthening cybersecurity in Internet-based cloud computing and increasing use of automation, producing improved competitiveness for the U.S. IT industry and greater cost-effectiveness for both business and government operations.
- The emergence of privacy-enhancing, trusted authentication solutions provided by the private sector that increase productivity and innovation while reducing losses for business and better protect individuals from cybercrime.
- Enhanced dissemination of more effective cybersecurity education materials resulting in an educated workforce better equipped to consistently use best practices that protect themselves and their organizations.