Morning Keynote: "Meeting National Priorities by Leveraging Innovation: NIST's Role In Cybersecurity"
Amazon Web Services Worldwide Public Sector Summit 2013: Achieving Success in the Cloud
Sept. 10, 2013
Dr. Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director
It's a real pleasure to join you this morning and help kick off this summit on public-private partnerships around the remarkable transformation that is occurring in the world of computing and IT. And I actually have a couple of quick themes that I would like to share with you.
Let me start first though by thanking Teresa and the entire Amazon team for giving me this opportunity to join you this morning. You certainly heard through some of the vignettes and stories this morning about the leading role that Amazon is playing in this space, both as technology leader but also as an early adopter and thought leader. And that's really evidenced by some powerful partnerships that you witnessed this morning, and I think really just the beginning of some of the promise that we all can expect to see.
I wanted to touch on sort of two key themes this morning: one is about transformation and the other is about public and private working together.
The transformation that we are facing is, in fact, so powerful that I think we are really only beginning to see early glimpses of its full potential. It's a transformation that has been basically enabled by enormous connectivity, and that connectivity is giving rise to some powerful shifts. One of them is architectural—cloud computing; big data, which is transforming the way we manipulate and use data; social networks and the way we actually interact with information technology; and of course, mobility, which I think again, we are already seeing the beginnings of, where you are really going to see incredible diversity in types of the devices we use to interface between this world of information and our own lives. And of course, this transformation doesn't always [inaudible] to those of us who work in the public sector. And I want to touch on some of those topics briefly, partly to give you a little update on what NIST is doing in this space, but also to share a little bit of perspective on where I think it's going.
The other topic, of course, is public-private. You've heard a little bit this morning that one of the barriers to this transformation in the public sector is culture. I think of one of the reasons that's the case is quite ironic—that the government was actually one of the earliest adopters of information technology, and it's always harder to change an embedded culture than to create a new one. So one of the barriers, of course, we face is a legacy of doing things in a particular way, so when these changes come over the horizon, it is a little bit more challenging to deal with it.
But I also want to touch on an issue that's been very much in the news lately, and that's the issue that I believe to be the core touch point between the public and private sector, and that's trust.
Let me just address the elephant-in-the-room issue. So those of you paying any attention to the newspapers over of the past several days will see more news stories resulting from presumably leaked materials by Snowden and most recently, of course, touching on the issue of encryption.
And, of course, this touches NIST because NIST is responsible for supporting two things. One is federal adoption of IT. So for all the nonclassified systems in the federal government, NIST, through the Federal Information Security Management Act (FISMA) is responsible for promulgating technical standards that have been adopted and used. Those certainly include encryption standards.
And the second role is that NIST is responsible for supporting the private-sector standards world. And it's important to keep in mind that in the United States, nearly unique around the world, standards setting is not a government function. In fact by law, the United States looks to the private sector for its standards. But NIST has been charged with providing the technical expertise to support the private sector's standards setting. So in some sense, you can think of us as industry's national lab to support that effort.
And of course, as director of NIST, what's most troubling to me in reading these news reports, is that it would appear to attack our integrity. So let me touch directly on that issue. NIST's role is to support a technical understanding of the strongest, most secure computer security, including encryption, that we can. We are not deliberately, knowingly, working to undermine or weaken encryption. And one of the ways we ensure that integrity is to make sure that our work is done in the full light of the public. So when we have a technical algorithm that we're going to look at, when we have a particular approach that we think makes sense, what we will do is publish that in a technical bulletin or in a special publication and subject it to the broadest public comment that we can. And we are committed that at any time a new issue or potential vulnerability is identified that we address that in a forthcoming way.
This happens all the time in the world of security. You have a well-established algorithm and somebody finds a new way to attack it. This is part of the business of the arms race of cybersecurity, and we are committed when that happens to basically address it in a straightforward way and open it for comment. In fact today on the NIST website, you will see that the technical bulletin has been released on some of the specific issues around our encryption standards and, in fact, we are reopening one of our publications for comment. So for those of you who are deep into that type of stuff, I encourage you to take a look.
Let me touch on these transformative areas. Cloud computing, of course, is one of the key enablers in this transformation. And one of the roles that NIST has is to work with all of the federal agencies and with the private sector to accelerate adoption of this new technology, to drop barriers. And we're doing that in a couple of ways.
One of those is to support standards setting, as we talked about. The other way is to basically support what I call the choreographed communication between the private-sector leaders in this area and, in this case, the federal customers.
We have worked to support the federal cloud computing strategy. NIST has, as many of you know, supported an effort to define a technology roadmap—adoption roadmap really—for cloud computing, which combines federal CIOs from across the federal government, defining the types of applications and information technology that are essential to their mission and then working with leaders in the cloud community to map that onto various cloud architectures, and then specifically identify the barriers to adoption—whether it's assuring security, whether it's enabling portability so that we're not locked into a given solution, or whether it's promoting widespread interoperability.
And, in addition to that sort of roadmap and standards approach, we have also been working closely with GSA and other federal partners to give the market the tools to identify those services that meet these requirements. And FedRAMP is one of those critical tools, and I am pleased to hear that you're going to be learning more about FedRAMP.
NIST at its heart and soul, though, is a measurement science agency. And so one of the areas that we have turned our attention to is the development of robust measurement tools to measure cloud services and their performance, to give users of cloud services the metrics they will need to assure that as they have adopted these tools, meet their mission needs and also meet their responsibilities to protect the integrity and availability of their federal data.
This is really exciting work, and for those of you who want to join and work with us, I encourage you to join some of the many workshops we hold over the year. Many of you know our annual cloud computing that is held every June. In addition to that annual workshop, we are also going to be hosting a series of special workshops on particular capabilities in cloud. And, in fact, in October we will be hosting three cloud-related meetings. One is on the intersection of cloud and mobility; the second one is on new frontiers in IT and measurement science, which basically looks at new methodologies for doing digital forensics in the cloud world; and also, we are going to be hosting an industry day for cloud computing so vendors can market their capabilities and we can discuss the challenges of adoption of cloud in the federal environment. I encourage all of you to mark your calendars and join us for these workshops.
NIST is also quite active in the realm of big data, including big data analytics, including defining what is meant by big data—this adoption problem that we need to define so we can manage this ... enabling revolution that is occurring that takes us well beyond the role of [inaudible] databases to very powerful techniques, this [inaudible] structure, enormous scale data. And again, with the idea of how do we unleash that potential for the public and put those tools to use in the public sector.
NIST is also supporting work to enable mobility in the adoption of mobile devices in the federal workforce. Many of those efforts focus around security to make sure that as we enable this new class of technologies, we don't, at the same time, undermine our ability to protect and secure information. And again, these are collective efforts, and they are really open to everyone to participate. So I would encourage you to think about rolling up your sleeves and joining us in some of these efforts.
And, finally, I wanted to touch on another topic that's been a major one for us this year, and it has to do with cybersecurity. Specifically, it has to do with the cybersecurity of what we call critical infrastructure. And critical infrastructure is a term of art that is used, basically, to define those assets in our country that, if they were to be compromised, would result in a catastrophic impact to our national security or our economy.
Of course, that includes a lot of things. Obviously, actual physical infrastructure like transportation infrastructure. It includes certain industrial infrastructure, power generation, telecommunication, and it does include government function. And the challenge of how to protect critical infrastructure has been an enormous policy challenge for the past several years, because most of this infrastructure is not owned or operated or controlled by the government. Most of it resides in companies of all sizes and very different levels of maturity. And the question is: how do we come up with a framework where we both protect our country—a clear public need—and respect the fact that these are companies that are operating in markets with drivers and needing to function as businesses.
And so last year—February, actually this year, I 'm forgetting my calendar—President Obama issued an Executive Order, 13636, called Improving Critical Infrastucture Capacity. And in that framework, it directed me as director of NIST, to initiate a process to develop what is called the "framework." And the framework was a term that meant some collection of things that, if put into practice, would serve to increase the security performance of these critical infrastructure entities. And when that framework was developed, it then directed a number of actions for follow up, including the creation of a voluntary program by the Department of Homeland Security to encourage adoption of this framework, and also directed regulatory agencies for those sectors that are already regulated to evaluate what they were doing in light of that framework—what I call harmonization. So I want to give you a quick status here, because this is also an interesting exercise in working together between industry and NIST.
So the way NIST approached this framework was to begin with the premise that for it to be effective—in other words, for industry and companies to want to adopt something, in a voluntary way, and put it into use—two things had to be true. This framework had to be the product of industry, not of the government. And second of all, the practices that are part of the framework had to be compatible with running a company. Good cybersecurity had to be good business.
We started by putting a challenge in front of the community to identify existing best practices, look at gaps, identify requirements from all of these different sectors. We began with a call for public information, and we've now been running a series of workshops across the United States to collect and refine the framework. The last of our major workshops begins tomorrow in Dallas, Texas—I will be leaving this afternoon—and we will be putting the final touches on our first draft, which will be issued, according to the Executive Order, next month, in October. That will be followed by a period of public comment, where again, we will be soliciting input on that draft of the framework and then finalizing it before it's released in February. And so I wanted to give you a quick status update because I think it touches on many of the things that you do or will be doing.
First of all, the framework, the way it's taking shape, is really quite interesting; it really has two parts. One is a compilation of best practices, called the compendium. We have a long list of standards and practices and guidance that have come in from industry across all these different sectors, and these are tabulated and collected into the framework. And the second part of the framework is, well it's a framework. It's a structure that helps you organize and, basically, look at adoption. If you are a company, how do I put this into practice? This has been a key focus of the framework effort from the beginning.
And so the framework from a structural perspective has a couple of features. One is it tries to segment activities according to the type of activity it is. So we have created a binning, into functions, function groups, including identifying when you look at the assets you are actually managing; protect, for those risk mitigation steps you put in place; detect and respond, which deal with the incident management; and recovery, because of course, incidents will happen, and your capacity to manage those matters as well. Tomorrow they will also be looking at another functional bin; evolve, or improve, is added. They will be looking at long-term evolutionary technology. And that's helpful if you are trying to sort of understand the different classes of work, because they may go to different parts of your organization.
The other structure in the framework has to do with maturity, and this is quite interesting. The framework does not establish a bar and say you are below it or above it. There is no Siskel and Ebert on the framework. What it lays out instead is seven-tiered levels, called implementation tiers, which describe the evolving maturity of adoption. So a low maturity organization adopting and implementing this will not have a lot of internal capacity to identify risk, put in adaptive controls. What they are going to be doing is substituting what I call a "rule-based culture." We are going to define some things we have to do and we are going to follow those rules, we are going to validate to make sure that those rules make sense and we are going to basically make sure we can execute.
And as you become a more mature organization, the idea is that as your capacity inside your organization increases that you go from being a rule-following organization to basically, an adaptive organization. That you now have the capacity to be proactive, to constantly be looking at your risk posture and be looking at the dynamic threat environment that's facing your organization. And then it's kind of embedded across your organization what the rules and responsibilities are. It's a natural risk function just like project risk management or financial risk management; it's embedded. In other words, this is describing the cultural transformation in these organizations.
So there is no risk-proofing in the framework. This is about an evolving maturity of risk management, and it's coupled with very specific tools to help the company, wherever they are, to evaluate themselves, to develop a profile that makes sense to them, and to move forward. I'm quite excited about this.
And the next few months are going to be quite interesting, because we are going to shift from the initial drafting phase of this effort to one of two tracks, and they are going to have to be parallel. One is, we are going to take this framework and we need to put it into practice. And for this to happen, it's not going to simply be the world of IT specialists, CIOs, and CISOs. It's got to engage the business leaders of these organizations, the C Suite, and everyone else in the organization as well. And so we will be looking at supporting that. It also has to be market compatible, and so we will be looking at ways in which this framework makes sense in both business-to-business in the company with its suppliers, and also business-to-consumer and business-to-government.
The second part of this is that the framework cannot be static. We envision the framework as actually, this is the beginning of a process, and the other part of the discussion is how do we keep this process moving? What is the next revision of the framework look like? How do we start addressing what were the priorities in the framework in terms of gaps that we simply have to address? Where are there major areas of overlap where we can start to harmonize and create a framework that is much more market-compatible, which will really go to scale. And that will be quite exciting and will also depend on you and your participation. If this is industry's framework, and if this is about taking our initial draft and constantly making it better, that won't happen if your companies and organizations don't adopt it, try to use it, and then participate in the corrective action and follow up that is there.
So I'd like to really suggest that you think about participating in this framework activity, if you're not already. If you can't go to Dallas tonight, it will be streamed online, all materials on the NIST website, and we really encourage you to be involved.
So, let me just finish by saying that I think, as sort of a career federal servant—somebody who came right out of postgraduate work in Boston and joined the federal government to make a difference, the transformation that is occurring in information technology holds the potential to unleash enormous change and, I believe, change for the good on how we can better serve our citizens, how we can address new challenges, curing cancer, revolutionize research, provide high-value and low-cost, and really enable businesses that drive innovation and green jobs.
That's really, in the end, what this is about. And this tool can be an incredibly powerful tool in making that happen. But doing that will require exactly the kind of partnership and joint effort that you're here today to embark on. And I just want to thank all of you for that and your commitment to this. And for NIST's part, we will continue to work as hard as we can to put the best technical information into the process, with all the integrity that we can, and to support that effort.
So, thank you all very much, and enjoy the rest of your summer.