Remarks as prepared.
Thank you to Dr. Zulfikar “Zully” Ramzan, RSA Chief Technology Officer, for the kind introduction.
This is a great forum for sharing – and just as important for me and others at NIST – for learning about the latest trends, issues, and opportunities in cybersecurity.
So, thanks to RSA for the invitation to join you all on Public Sector Day and to bring you up to date on cybersecurity at NIST as well as our plans for the future.
NIST has an incredibly broad portfolio of responsibilities. As America’s laboratory for advancing innovation, we do everything from building the world’s best atomic clocks to developing standards for robots in manufacturing to helping firefighters predict the behavior of wildfires.
A challenge we face in all of our R&D efforts is to keep up with – and even anticipate – measurement and standards needs given the accelerating pace of change.
In no area is this more true than for information technology, and cybersecurity, in particular.
We all know that the challenge is particularly acute in the public sector where we must be accountable for spending taxpayer funds wisely and for protecting the security and privacy of our citizens’ data.
That’s why collaboration at events like this one among all of us who provide services to the public is so essential in delivering trusted, high-quality products and services.
None of us in public service should ever take that trust for granted. We need to earn it and we need to maintain it every day by the actions we take.
So to give you a sense of how we are approaching these challenges at NIST, I want to share with you some of the things we’re focused on and how you can help us find practical solutions.
Collaboration: Our Core Approach
NIST was established by Congress nearly 120 years ago as an agency dedicated to helping U.S. manufacturing compete more effectively in the marketplace with European companies.
You can’t help someone you don’t know well, so unlike many government agencies, collaboration with industry was written into our DNA from the beginning.
Since then, effective collaboration with both the public and private sectors has become central to NIST’s identity.
It’s become our hallmark move. And like an alley-oop in basketball or my favorite sport of skiing, it’s just as hard as it looks to pull off.
When it comes to cybersecurity, collaborating effectively means coming to the task with respect for all stakeholders and an open mind about solutions.
It means consulting early and often with the public and private sectors – in our selection and our implementation of broad programs and specific projects.
And it means consulting both formally – and informally, so that we have regular reality checks along the way.
One way we do that in cybersecurity is by consulting with a federal advisory committee, the Information Security and Privacy Advisory Board.
This group of advisors from private companies, universities, non-profits, and federal agencies shares its views about what NIST could or should be doing – or doing better. And we listen.
On the more formal side of things, we have a whole toolkit of options for assembling experts and interested parties on a wide range of topics and then soliciting advice on the best paths forward.
A few examples:
- Often, we’ll publish a Request for Information in the Federal Register like we did to launch our work on a Privacy Framework recently.
- Or we’ll announce a draft publication and ask the public for comments. That’s how we collaborated to get opinions about two new schemes useful for cryptography in a post-quantum computing world.
- Some topics need a more concentrated, hands-on approach within a smaller community, so we will ask interested experts to join “communities of interest.” A case in point is our most recent project at the National Cybersecurity Center of Excellence to find partners interested in improving security for IoT sensor networks.
- We also lead and sponsor groups like the Federal Computer Security Managers Forum, an organization with regular events where many of you may have participated. If so, we appreciate your help and welcome your questions, and your ideas about topics of interest.
- And our cybersecurity team works hard to stay connected directly through one-on-one or group meetings with those who can inform, use, or might use the results of our work – just as we are doing here, today…and pretty much every day.
In all of these collaborations, we are committed to demonstrate transparency, traceability and openness in the development and application of our standards.
We know that these kinds of interactions and cooperation will result in higher quality, more appropriate and useful cybersecurity products and services.
We know that they will cultivate trust among those, like you, who are depending upon NIST’s work.
I welcome your ideas about ways in which we can collaborate better and other ways in which we can merit your trust.
Please don’t hesitate to share your ideas with me after this session.
At this point, I’d like to switch gears a bit and give you an update on some of our highest priority NIST efforts in cybersecurity.
Risk Management: A Common Thread
First and foremost is cybersecurity risk management.
In the sea of worrisome news about threats, vulnerabilities, and breaches, I think we all can agree that there is some good cybersecurity news about an important change over the past several years.
Cyber risks are no longer considered solely the domain of the information technology specialist or cybersecurity professional. Cybersecurity and especially cybersecurity risk management issues are becoming increasingly familiar topics in C-suites and boardrooms. That’s true for businesses – and it is increasingly becoming true for federal and other government organizations, even if we still have a long way to go.
At NIST, we are striving to do our part.
Risk management is a common thread that runs through many of our activities. Like you, we understand that it’s pretty much impossible, and certainly impractical, to eliminate entirely the cybersecurity risks that organizations face every day.
With that in mind, we aim to develop and deliver technological and organizational tools to better understand and manage cybersecurity risks.
Nowhere is that more evident than in the two “frameworks” that we’ve developed for cybersecurity risk management.
Over the past year we have improved both of these approaches.
Federal agencies must pay attention to both, and we know that many state and some local government agencies are doing likewise.
While it would be nice to have a single one-size-fits-all framework, there is value in each of the NIST guidance documents – so long as users understand the strengths and most appropriate uses of each.
First, there’s the Risk Management Framework for Information Systems and Organizations, or just RMF 800-37 to most of you.
We released this second revision in December after receiving over 500 comments from interested individuals and organizations.
This update enhances the RMF in response to a May 2017 Executive Order, OMB Circular A-130, and two OMB memoranda.
The RMF revision also begins to demonstrate how the Framework for Improving Critical Infrastructure Cybersecurity, widely known as the NIST Cybersecurity Framework, can be aligned with the RMF and implemented using established NIST risk management processes.
Initially developed with a focus on the critical infrastructure, the NIST Cybersecurity Framework has become widely popular in the five years since it was first produced with the active engagement of the private and public sectors.
Today it is having a broad, positive impact in this country and around the world.
Interest in and use of the Cybersecurity Framework is picking up speed. The original Framework and an update, Version 1.1 released in April 2018, have been downloaded more than half a million times since the Framework’s initial publication in 2014.
NIST is committed to ensuring that even more organizations know about the Cybersecurity Framework and how it can help them to bolster their security and make wise, cost-effective choices in a cyber-risky world.
Expanding our efforts to engage and assist key sectors – including federal agencies as well as small businesses – in using the Cybersecurity Framework is part of NIST’s planning for the months and several years ahead.
Even though we at NIST see the RMF and the CSF as complementary risk management approaches that can be used alongside each other, we also know that it sometimes can be confusing to users and those exploring whether or how to put these frameworks to good use.
So count on hearing more from us over the coming year about how organizations like yours can put both frameworks to optimum use and how NIST will continue to evolve them in response to the threat landscape and technological advancements. It’s a priority for NIST.
Like many of you, we have a responsibility to serve small businesses.
That’s why we will be helping those companies to make better use of the Cybersecurity Framework.
It’s just one activity that meets the goals of the NIST Small Business Cybersecurity Act, which became law in August. The statute directs NIST to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”
I am pleased to announce that today we are launching the “Small Business Cybersecurity Corner” website that will provide small businesses with easy access to consistent, clear, concise, and actionable information that helps them to better manage cybersecurity risks.
The law directs us to consult other agencies, but we aim to go beyond this directive. For starters, the Small Business Administration, FBI, Department of Homeland Security, and Federal Trade Commission are contributors to the website. They are providing small business-focused resources to be shared through that site, and we expect they will promote its awareness and use. The Small Business Cybersecurity Corner will be expanded and updated regularly to include more government, non-profit, and some for-profit organizations’ resources.
By all means, please consider being resource contributors.
IoT: It’s Everywhere
One of the hottest cybersecurity topics for NIST these days – as it is for many of you – is IoT, the Internet of Things.
We’ve stood up an IoT team, but it’s not a standalone initiative. NIST is drawing on experts inside and outside our agency to advance our thinking.
Our Cybersecurity for IoT program focuses on the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed.
In September 2018, after engaging with many stakeholders – including those represented here today – we released a draft report designed to help federal agencies manage IoT cybersecurity and privacy risks.
We also contributed heavily to the report delivered to the President in May 2018 on making the Internet and communications broadly more resilient against botnets and other automated and distributed threats.
Those activities enabled our staff to identify a critical gap: guidance on baselines for IoT device cybersecurity.
We recently released a discussion draft introducing our thoughts for a core, minimum set of cybersecurity capabilities that could be achieved by almost all IoT devices.
These initial capabilities come from our research in identifying common themes in existing domestic and international IoT cybersecurity guidance documents. In addition, we took into account the utility, verifiability, and feasibility of these capabilities.
Beyond the baseline IoT project, I also encourage you to consider how you might contribute to – or benefit from – multiple IoT projects being carried out at our National Cybersecurity Center of Excellence, NCCoE.
We’ve proposed the Security for IoT Sensor Networks building project that I’ve already cited because we know that those networks are especially valuable to many organizations. These networks are needed for monitoring and reacting to the physical characteristics of a building’s environment, such as temperature, pollution and humidity levels, and electrical usage.
Government agencies and companies alike are using the data taken from their IoT sensor networks for decision-making and process control. We know that the accuracy, integrity, and availability of the data being reported and monitored by a sensor network can be critical to safety.
But it is challenging to detect and prevent an attack because IoT sensor networks typically have limited processing power and a constrained ability for security monitoring and maintenance.
If successful, our findings may apply to other industry sectors.
NCCoE can also play an important role in improving IoT security. We aim to improve the resiliency of IoT devices against distributed attacks and to help make the internet more resistant to propagation of attacks across the network.
This project supports the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure or EO 13800.
NCCoE cybersecurity experts have been collaborating with stakeholders and 12 technology vendors to address this challenge.
They will produce a NIST Cybersecurity Practice Guide – a freely available example solution to help consumers and small businesses mitigate IoT-based threats that take advantage of consumers’ and businesses’ devices and networks.
These kinds of partnerships can yield immediate, practical value. A great example is the NCCoE’s project that tackled the challenge of securing wireless infusion pumps, used in hospitals everywhere to deliver intravenous medicines to patients.
This collaborative effort included 14 members of the healthcare sector and vendors of cybersecurity solutions.
As a team, we produced a Practice Guide that uses standards-based commercially available technologies and industry best practices to help Health Delivery Organizations to strengthen the security of the wireless infusion pump ecosystem within healthcare facilities.
IoT cybersecurity is a tough, tough problem, but it’s not unsolvable and it certainly merits more attention from us – and you.
Cryptography: Preparing for the Post-Quantum World
NIST takes the transparency, traceability and openness in the development of our standards very seriously. It’s a fact that the integrity of a standard is a direct function of the integrity of the process used to develop it.
Our community’s long history of working together has resulted in global use and acceptance in cryptography to secure technologies that will improve our economy, protect our personal information, and enable innovations that we only now are imagining and trying to make real.
That tradition continues today – and likely will determine success or failure – in our Post-Quantum Cryptography work.
We know that while quantum computers are still evolving, their design may eventually enable them to factor large numbers relatively quickly, rendering many of our current encryption methods obsolete and revealing government and private sector secrets. So post-quantum algorithms must be based on different mathematical constructs that can resist both quantum and conventional attacks.
Quantum computers may still be years away, but many designers are laser-focused on developing them ASAP. So, they may be a reality sooner than expected. There’s no need to panic, but we want to be – we must be – ready.
We want people to be thinking about how they will make the transition when the time comes. For NIST, that means that we need to get all of the relevant standards and technologies in place along with guidance to prepare for this migration from conventional algorithms and deployment of quantum-safe algorithms.
A little over a month ago, NIST announced that the field has narrowed in the race to protect sensitive information from the threat of quantum computers.
As the latest step in developing effective defenses, our cryptography team winnowed the group of potential encryption tools – cryptographic algorithms – down to just 26.
We’ve conducted this program to maximize collaboration. After releasing a report on the status of quantum-resistant cryptography in April 2016, we followed up eight months later with a call to the public to submit post-quantum algorithms that potentially could resist a quantum computer’s onslaught.
We then spent a year collecting the submissions and another working with the larger cryptography community on a first round of review to focus on the most promising algorithms. Of the 69 submissions NIST received, these 26 algorithms made the cut.
For the next year we’re asking the cryptography community to focus on analyzing these algorithms’ performance so that we get better data on how they will perform in the real world.
This second round will focus more heavily on evaluating the submissions’ performance across a wide variety of systems, and not just in big computers and smartphones.
Many different devices will need effective encryption yet have limited processor power. That includes smart cards, tiny devices for IoT use, and individual microchips. They all need protection, and we really need quantum-resistant algorithms that can perform this sort of lightweight cryptography.
But we’re not putting all of our eggs in one basket. In addition to considering the multitude of potential device types that could use the algorithms, our team is focusing on multiple approaches to protection.
We may even have a third round of review before we announce the final post-quantum algorithms that will supplement or replace three of our standards considered to be most vulnerable to a quantum attack. Factoring into this decision will be the state of quantum computer development as the months go by.
We ask that you continue to work with us, side by side, as we develop new, usable and effective cryptography for the challenges we face in the future.
And NIST hopes that we can even exceed the $250 billion in benefits to our economy that accrued from our development of the Advanced Encryption Standard, or AES, over the past 20 years.
That’s what a study released last fall concluded after analyzing the AES approved for use by the federal government in November 2001 and widely adopted by private industry since then. Today, AES protects everything from classified data and bank transactions to online shopping and social media apps.
According to the study, NIST’s investment in AES has been repaid many times over. The study’s most conservative estimate shows a 29-to-1 benefit-to-cost ratio for the AES program. The estimated benefit-to-cost ratio for the whole economy is 1,976-to-1 over the period from 1996-2017. Not too shabby.
This return on investment exemplifies the economic value of federal research and development, for the private sector and for the broader American economy. It also demonstrates how bringing together the private and public sectors effectively to address a challenge can result in positive impacts on U.S. commerce.
I can’t leave the topic of encryption without telling you that we are redesigning and rethinking how we conduct testing and conformance for cryptographic products used by the U.S. government.
We will be putting more responsibility for generating evidence of conformance in the hands of industry. We are leveraging automated test processes that will yield big benefits: reducing time to market, slicing costs to maintain compliance, and ensuring that the Government has effective and up-to-date technologies.
If this is your area of special interest, I encourage you to watch for our update to the government testing standard, FIPS 140-3.
Cultivating Trust in AI Technologies
I am proud that NIST has a long-standing reputation for cultivating trust in technology by promoting collaboration in the development of standards.
On the rare occasions when trust has become an issue, the institution confronted it candidly and addressed it forthrightly with measures to improve our processes.
With artificial intelligence rapidly becoming one of the key battlefields of economic competitiveness and national security, it is vital that NIST contribute its expertise to ensuring public trust of AI technologies, so that we can benefit from all that this field has to promise.
As the technology advances, we will need to develop rigorous scientific testing that ensures secure, trustworthy and safe AI. We also need to develop a broad spectrum of standards for AI data, performance, interoperability, usability, security and privacy.
Last month, President Trump issued a wide-ranging Executive Order on AI. One goal in that directive is to “reflect Federal priorities for innovation, public trust, and public confidence in systems that use AI technologies.”
The EO directs NIST to create “a plan for Federal engagement in the development of technical standards and related tools in support of reliable, robust, and trustworthy systems that use AI technologies.”
We are committed to fulfilling that responsibility in a timely way, engaging the public and private sectors in producing a plan within 180 days. NIST staff already are reaching out to their counterparts in other agencies.
This new assignment meshes well with NIST research, which is focused on how to measure and enhance the security and trustworthiness of AI systems. That includes participation in the development of international standards that ensure innovation, public trust and confidence in systems that use AI technologies.
In addition, NIST is applying AI to measurement problems to gain deeper insight into the research itself as well as to better understand AI’s capabilities and limitations.
The recently launched AI Visiting Fellows program brings nationally recognized leaders in AI and machine learning to NIST to share their knowledge and experience and to provide technical support.
In addition, we are mindful of how AI is changing the way we look at so many issues. For example, we are including AI considerations in discussions with our many industry partners at our National Cybersecurity Center of Excellence, to see if and how that center – which focuses on very practical guidance – might address AI.
And our privacy team is exploring the implications of AI in managing privacy risk.
Privacy: Managing Risk and Cultivating Trust in Technology and Information
Speaking of privacy, I am really excited about the prospects for NIST’s work with the private and public sector to develop a privacy framework for managing risk.
Privacy, overall, is one of the pivotal issues of our times, and NIST is increasingly involved in the discussion.
It’s difficult to communicate quickly and clearly about privacy risks within and between organizations.
The conversation is complex, conducted in legalese more often than English, and confusing even to experts.
What’s missing is a shared lexicon and a practical structure that brings all parties together and is flexible enough to address diverse privacy needs.
We’re now working on that.
The new NIST-organized privacy framework now being developed aims to increase the effectiveness of privacy policies and practices by enabling conscious, risk-based choices to be made by organizations based on their customers’ needs.
The framework should enable innovation through technology solutions which approach privacy by design.
The ultimate purpose of this effort is to improve trust between businesses and their customers and between organizations and the public. That includes this group here today.
In parallel with our effort, two other Commerce agencies — the National Telecommunications and Information Administration and the International Trade Administration — are creating a domestic policy approach for protecting privacy that ensures consistency with international policy needs.
The NIST team held a kick-off workshop last October, where we began in earnest the public discussion about a privacy framework.
We had a strong turnout, both in-person and online, and heard robust initial feedback on what government agencies, companies, and others wanted to see in a framework.
In November, we issued a Request for Information to hear more from all stakeholders. We received almost 80 responses, and they are all posted online, if you’d like to look at the individual submissions. I’ll touch on a few points we received:
- We heard that compatibility with existing laws, regulations, frameworks, and standards is extremely important. Depending on their sector and mission objectives, organizations already have internal policies and external regulations to comply with.
- Clearly, stakeholders want a framework that at least is compatible with these and, ideally, facilitates the compliance process. We now have a list of specific documents and tools that organizations are using.
- Stakeholders confirmed that they want a framework that is risk-based and outcome-based. We were told that an outcome-based approach will enable organizations to funnel resources where it makes most sense for their privacy practices – giving them a chance to be innovative in developing goods and services and in developing privacy solutions.
- Many organizations attested that they really are invested in protecting individuals’ privacy, beyond simply complying with the regulations.
- Likewise, multiple organizations told us very forcefully that they want to identify and manage privacy risks to individuals in the context of their individual organization, privacy posture, business objectives, and customers.
- We heard that, as with the NIST Cybersecurity Framework, a key value of the Privacy Framework will be the extent to which it can foster communications within and between organizations. That includes those who told us that they want a framework not only for privacy professionals – but one that also is useful in communicating with non-privacy professionals.
We heard a lot more than that, and I encourage you to read our summary analysis of the RFI feedback, which is available on our Privacy Framework website.
You’ll also see a draft annotated outline of the framework itself, which we built in response to the feedback provided to us.
The NIST Privacy Framework team is spending the rest of March talking with stakeholders to find out if we’re on the right track, or if there are things we should change in this outline, before we continue to the next step of developing a discussion draft.
I want to emphasize that this framework is envisioned as a voluntary tool, usable across sectors.
While government agencies are by no means singled out as potential users of the Privacy Framework, we see it as a valuable resource to add to your privacy toolkit – just as the Cybersecurity Framework complements other, existing processes in cybersecurity.
I encourage you to join us from 5-6 pm today in this room to learn more – and to share your thoughts about the framework at this still-early stage of development. It is important that we hear from all sectors, including government agencies, and now is a very good time for you to weigh in.
More on Privacy and a Collaboration Space
It should be clear by now that NIST is paying more attention to bringing privacy into greater parity with security considerations.
Another case in point: we are revising Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. In this version, privacy controls are fully integrated into the security control catalog, creating a consolidated and unified set of controls for information systems and organizations.
We are processing stakeholder feedback on an initial public draft of SP 800-53, revision 5. Expect an updated draft with another public comment period. And look for the new privacy provisions.
Before I leave the subject of privacy, I am excited to tell you that we recently launched a Privacy Engineering Collaboration Space.
This is an online venue open to the public where practitioners can discover, share, discuss, and improve upon open source tools, solutions, and processes that support privacy engineering and risk management.
As I said at the start, collaboration is NIST’s wheelhouse. Our goal is to encourage the development of more effective and accessible solutions that help organizations to achieve privacy objectives and implement better privacy protections for individuals.
To kick off the collaboration space, we are focusing on de-identification – including differential privacy techniques – and privacy risk management in response to stakeholder interest.
We are running and moderating this space through GitHub, and more information is available on our privacy engineering website.
I hope that you’ve each heard something this morning that you didn’t already know and that I’ve piqued your curiosity about how you can contribute to some of these efforts.
There is plenty of opportunity to follow up here at RSA.
We’re hosting that special session on developing the Privacy Framework right here in this room from 5-6 pm today.
You’ll also find multiple NIST speakers throughout the conference on several of the topics that I referred to – and others that I didn’t have time to touch on.
And, be sure to visit NIST’s booth in the Moscone South Expo Hall, Booth #2367.
Cybersecurity is the challenge of our times. The U.S. needs everyone — public servants, contractors, vendors, and users — focused on finding solutions.
Thank you for your continuing contributions to our cybersecurity and privacy programs so that they deliver the best possible value to your organization, to taxpayers, and to the nation.