NIST is looking for a few good cryptographers

NIST's Computer Security Division wants to hire 15 cryptographers over the next five years to tackle emerging areas such as quantum and lightweight cryptography.


The National Institute of Standards and Technology wants to hire more than a dozen cryptographers to deal with a growing portfolio, said Matthew Scholl, chief of NIST's Computer Security Division.

Scholl told FCW the plan is to add about 15 cryptographers to his division over the next five years to tackle emerging areas such as quantum and lightweight cryptography. Cryptography is the backbone of Internet security, and NIST develops standards widely relied on by the private sector.

The fiscal 2016 appropriation for NIST's Scientific and Technical Research Services program includes $7 million for cryptography and "privacy capabilities," according to NIST spokeswoman Jennifer Huergo. Some of that money could go toward hiring cryptographers.

The government has long struggled to retain top IT security talent, partly because the private sector often pays much more. Scholl said that although there is stiff competition for new cryptographers, NIST does not have a high turnover rate. "The joke at NIST is you work here three years or you work here [for] 30," he said.

Scholl spoke with FCW on the sidelines of a March 25 Information Security and Privacy Advisory Board (ISPAB) meeting, where NIST officials updated attendees on how their work is shaping and supporting the IT security industry.

NIST's reputation as an independent body took a hit after documents leaked by former National Security Agency contractor Edward Snowden showed evidence that NSA had subverted a NIST-approved algorithm known as Dual_EC_DRBG. Such algorithms make it more difficult for attackers to decrypt messages.

The episode "called into question our trust," Scholl told FCW. "We're a non-regulatory agency, so the only currency we have is that people trust us and that the work we do is good."

He said NIST made a conscious effort to address the allegation and pointed to a panel of independent advisers convened by NIST's Visiting Committee on Advanced Technology.

"NIST may seek the advice of the NSA on cryptographic matters, but it must be in a position to assess it and reject it when warranted," the committee wrote in a July 2014 report assessing NIST standards.

NSA's cryptographic expertise continues to be a resource for NIST, but it is one of many resources that include industry and government, Scholl said. "We're going to continue to work with NSA, which is different than saying we're going to be dependent on them," he added.

Passing the baton

At the ISPAB meeting in Washington, Scholl said NIST plans to keep looking for ways to help secure the Internet of Things, the explosion of connected devices that has bedeviled security experts.

Ron Ross, a fellow in NIST's Cyber Security Division, has gone so far as to say the IoT will always leave certain IT systems vulnerable, regardless of the security controls implemented by federal officials.

NIST analysts are interested in studying the security properties of the individual sensors that make up the IoT and their aggregate effects, Scholl said. Software assurance, or making software more stable and less bug-prone throughout its life cycle, is also on his radar.

This week NIST published an analysis of industry feedback it received on the Cybersecurity Framework, a voluntary set of guidelines for defending critical infrastructure. One of the themes of the feedback was that NIST should eventually consider ceding stewardship of the framework to a trusted third party, such as an international standards organization.

Scholl said it was important to hand off custody of the framework, and with it the responsibility to keep the document updated, so that it is not misperceived as a U.S. government project.

"Over time, if this is going to scale to the size that it needs to, it's bigger than NIST," he said.

The agency will host a workshop next month that will help determine the future governance of the framework.