The nation's information technology (IT) infrastructure, with its many interconnected computer systems, routers, and hubs, has grown phenomenally over the past decade. The IT infrastructure now is used heavily by every sector of the economy for commerce, communication, and research, and is responsible for huge gains in productivity. Many of the country's critical infrastructures—transportation, financial, power grids, military, intelligence systems, and health and safety—rely on computer and communication networks.
While both the public and private sectors are working to secure what is inherently an open network, these systems remain vulnerable. According to the Cyber Security Industry Alliance, "Cyber attacks and security breaches cost billions of dollars in direct losses, downtime, stolen identities and intellectual property. Misunderstanding or even neglect of information security can bring huge economic consequences."
Most of today's cyber security efforts are aimed at determining whether well-known security practices have been applied to particular components of the infrastructure or at identifying known vulnerabilities. Right now, there is no known way to measure the absolute security of a given system. Without the necessary metrics and measurement technologies, we can't determine the overall effectiveness of our cyber security initiatives.
Proposed NIST Program
NIST proposes to work with industry and academia to develop measurement science and technologies to identify the level of vulnerability of IT systems, assess the effectiveness of cyber security controls, test system functionality, address vulnerabilities, identify vulnerabilities in real-time, and mitigate attacks.
NIST has decades of experience in IT security; specific, statutory assignments in cyber security, most recently under the Cyber Security Research and Development Act of 2002 and the Federal Information Security Management Act of 2002; and strong links to both the private sector and government agencies.
For instance, NIST develops cryptographic standards and methods to protect the integrity, confidentiality, and authenticity of information resources, primarily for the federal government. However, these standards are also widely used by the private sector. For example, NIST's encryption standards are estimated to have saved private industry more than $1 billion—and enable consumers and businesses to be confident about the security of billions of dollars' worth of electronic data transactions daily.
NIST also develops services and programs to test, evaluate, and validate security products.
This work will help improve the security of our nation's IT infrastructure by developing a new generation of cyber security metrics and tools to assign security confidence levels, measure improvements in overall system security, and identify would-be attackers and mitigate their attacks. It also will speed private-sector commercialization of new security products and innovations.