'Aggressively non-regulatory' NIST offers a cyber helping hand
- By Mark Rockwell
- Sep 09, 2015
The tidal wave of cyberattacks and electronic snooping by criminals and other bad actors threatens the commercial and government sectors. Both could learn to navigate that wave, but they have to coordinate their courses.
Charles Romine, director of the National Institute of Standards and Technology’s Information Technology Laboratory, said his organization is uniquely positioned to help both embattled parties.
“We’re aggressively non-regulatory,” Romine said in opening remarks at the 2015 Cybersecurity Innovation Forum in Washington, D.C., on Sept. 9. The forum gathered hundreds of federal and private industry attendees to talk cyber defense technologies, strategies and policy.
What Romine meant was that NIST and the ITL can aid private-sector firms in developing ideas and technical frameworks to come up with innovative technologies that both commercial companies and federal agencies might be able to use.
“We can’t compel industry to do anything,” he said. But, far from making the agency impotent, he said the non-regulatory stance is an “amazingly powerful” tool that can bring industry and government together on real-world approaches and solutions. He pointed to NIST’s close work with industry in developing the Advanced Encryption Standard and the Risk Management Framework over the years as evidence of its effectiveness.
Romine called on attendees to collaborate with NIST on finding more effective solutions to the surging, changing wave of cyberattacks on federal agencies and companies.
Industry is receptive to NIST’s approach, but one of the experts speaking at the conference urged some caution in dealing with the government on sharing threat information.
“Cybersecurity cuts across Wall Street and Main Street,” Zulfikar Ramzan, chief technology officer at RSA, said in his keynote address. When building cyber protections into business operations, including those of critical infrastructure companies like banks and energy corporations, collaborating with the federal government on how to protect commercial networks is crucial, he said.
However, too much reliance on the federal government to prevent cyberattacks on the private sector can “lead to a sense of helplessness” about how to stop or recover from an attack, he said.
Commercial industry, he said, ultimately has to take responsibility for its own network protections and response. “The elephant in the room” when it comes to government/commercial industry collaboration, he said, “is a lack of trust” that is rooted in undefined rules and responsibilities.
To be most effective, he said, companies have to set internal parameters and take stock of realistic protection capabilities. Government, he said, can share critical details with industry about the source of attacks and the threat environment, while offering advice on the best protective measures.
Commercial industry, he said, can develop technology and drive rapid innovation to counter threats. It can also be a more active participant in cyber strategy and policy debates.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.