This NIST request is part of the Administration's Comprehensive Cyber Security Initiative. From online shopping to telecommuting, our society and economy have become increasingly reliant on interconnected computer networks. To help foster continued economic growth, improving the security of networked computer systems must be a national priority.
Many of today's tools and mechanisms for protecting against cyber attacks were designed with yesterday's technology in mind. Information systems have evolved from room-size computer workstations shut off from the rest of the world to ubiquitous mobile devices interconnected by a global Internet. In this diverse ecology of communication devices, no single cyber security solution works on all operating systems or protects every type of computer and network component. Operating systems are now composed of millions of lines of code, rather than thousands, and have many more potential holes.
Attackers need to find only one hole in a security system to succeed, while security experts must close all potential vulnerabilities of the system.
NIST is a recognized world leader in the field of cyber security. Working with other federal agencies, NIST proposes an initiative in three essential elements of cyber security infrastructure:
create technical standards for generating, distributing, using, storing and destroying secret numbers known as cryptographic keys, commonly used to grant access to authorized individuals on encrypted computer networks and systems. This effort will be conducted in technical consultation with the National Security Agency (NSA) and the Department of Defense (DoD), as well as other government agencies and non-government organizations;
nurture the development of "multifactor authentication" methods. Such methods require users to verify their identities through multiple methods, such as passwords and iris scans, rather than just one. NIST will develop a standardized framework that ensures these methods work across different computer platforms and operating systems. The effort will be coordinated with vendors and federal departments, including the Department of Homeland Security; and
extend the Federal Desktop Core Configuration, a set of standard security settings that optimize security, to other operating systems, applications, and network devices beyond the existing support for Windows XP and Vista.
This work will help to:
increase the security of U.S. communications, information, and critical infrastructure;
safeguard the confidentiality and integrity of information through the development of improved cryptographic key management methods;
improve the interoperability of systems for authenticating individuals and machines on networks;
help organizations establish compliance with IT security requirements by standardizing security settings for a wide range of computers, operating systems, and applications;
lower the economic impact from identity theft; and
increase the productivity of electronic commerce by providing reliable automated systems that protect the confidentiality and integrity of information being exchanged.