
Blog Category: Cybersecurity

NIST Celebrates World Internet Day: NIST Identifies Programs that help Private Industry and Academia Work toward better Cybersecurity


On Oct. 29, 1969, the first electronic message was sent on ARPANET, the precursor to today’s Internet. Despite crashing the system, that message is the reason today is designated International Internet Day. To mark the day, and the approaching end of Cybersecurity Awareness Month, Charles Romine, Director of the Information Technology Laboratory at the National Institute of Standards and Technology, has summarized NIST’s work on improving the security of the Internet and IT systems.

NIST has been conducting cybersecurity research for as long as there has been a cyberspace to secure. NIST issues the Federal Information Processing Standards that help to protect the federal government’s information systems and help agencies comply with the Federal Information Security Management Act. These standards and guidelines are often used by the private sector and state and local governments, and therefore have a broad impact on IT systems across the country and around the world.

Through the National Cybersecurity Center of Excellence (NCCoE), which was established in collaboration with the State of Maryland and Montgomery County, Md., we have been working directly with the private sector since 2012. The center’s goal is to accelerate the adoption of secure technologies through public-private collaborations that identify and address today’s most pressing cybersecurity challenges. We recently awarded a contract to establish the first Federally Funded Research and Development Center devoted to cybersecurity to support the NCCoE, providing needed flexibility in staffing and bringing in partners from industry and academia.

NIST Releases Preliminary Cybersecurity Framework, Will Seek Comments

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) today released its Preliminary Cybersecurity Framework to help critical infrastructure owners and operators reduce cybersecurity risks in industries such as power generation, transportation and telecommunications. In the coming days, NIST will open a 45-day public comment period on the Preliminary Framework and plans to release the official framework in February 2014, as called for in Executive Order 13636—Improving Critical Infrastructure Cybersecurity.

In February 2013, President Obama directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks, recognizing that U.S. national and economic security depends on the reliable functioning of critical infrastructure. Through a request for information and a series of workshops held throughout 2013, NIST engaged with more than 3,000 individuals and organizations on standards, best practices and guidelines that can provide businesses, their suppliers, their customers and government agencies with a shared set of expected protections for critical information and IT infrastructure.

The Preliminary Framework outlines a set of steps that can be customized to various sectors and adapted by both large and small organizations while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The framework will help them to identify and prioritize opportunities for improvement within the context of risk management and to assess progress toward their goals.

Incentives to Support Adoption of the Cybersecurity Framework

Guest post by Michael Daniel, Special Assistant to the President and the Cybersecurity Coordinator. Cross-post from Whitehouse.gov

The systems that run our nation’s critical infrastructure such as the electric grid, our drinking water, our trains, and other transportation are increasingly networked. As with any networked system, these systems are potentially vulnerable to a wide range of threats, and protecting this critical infrastructure from cyber threats is among our highest security priorities. That is why, earlier this year, the President signed an Executive Order designed to increase the level of core capabilities for our critical infrastructure to manage cyber risk. The Order does this by focusing on three key areas: information sharing, privacy, and adoption of cybersecurity practices.

To promote cybersecurity practices and develop these core capabilities, we are working with critical infrastructure owners and operators to create a Cybersecurity Framework – a set of core practices to develop capabilities to manage cybersecurity risk. These are the known practices that many firms already do, in part or across the enterprise and across a wide range of sectors. The draft Framework will be complete in October. After a final Framework is released in February 2014, we will create a Voluntary Program to help encourage critical infrastructure companies to adopt the Framework.

While this effort is underway, work on how to incentivize companies to join a Program is also under consideration. While the set of core practices has been known for years, barriers to adoption exist, such as the challenge of clearly identifying the benefits of making certain cybersecurity investments. As directed in the EO, the Departments of Homeland Security, Commerce, and Treasury have identified potential incentives and provided their recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.

Protecting the Nation’s Critical Infrastructure


Guest blog post by Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and Director, National Institute of Standards and Technology

Just about everything these days—from banking to health care to the electricity powering our homes—is rooted in cyberspace. This anytime, anywhere interconnected world unfortunately brings with it a constantly evolving set of security challenges.

That’s why President Obama directed the National Institute of Standards and Technology (NIST) to work with industry on a voluntary cybersecurity framework for better protecting the nation’s critical infrastructure.

The idea is to use existing standards, guidelines and best practices to reduce cyber risk across sectors and develop capabilities to address the full-range of quickly changing threats. The framework will provide a flexible toolkit any business or other organization can use to gauge how well prepared it is to manage cyber risks and what can be done to strengthen its defenses.

It is vital that companies understand their digital assets and accurately assess the maturity of their cyber protections so they can properly allocate resources. These needs stretch across a spectrum from maintaining awareness of existing threats to preventing, detecting, and responding to attacks to recovering from them.

A Chance to Comment on Commerce’s Report on Cybersecurity Incentives


As part of the Executive Order signed by President Obama last month directing agencies to use their existing authorities and work with the private sector to better protect our nation’s power, water, and other critical systems, the Commerce Department is preparing a report on ways to incentivize companies and organizations to improve their cybersecurity. To better understand what stakeholders – such as companies, trade associations, academics and others – believe would best serve as incentives, the Department has released a series of questions to gather public comments in a Notice of Inquiry published today.

The national and economic security of the United States depends on the strength of our nation’s critical infrastructure. The cyber threat to critical infrastructure is growing, and represents one of the most serious national security challenges that the United States must confront. As the President stated in the Executive Order, “repeated cyber intrusions into America’s critical infrastructure demonstrate a need for improved cybersecurity.”

As a first step toward protecting critical infrastructure, the Executive Order tasks the Department of Homeland Security (DHS) to identify the systems that could be affected by a cybersecurity incident which could result in catastrophic regional or national effects on public health or safety, economic security, or national security. Second, the National Institute of Standards and Technology (NIST) will develop a framework consisting of a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. This Cybersecurity Framework will provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to improving cybersecurity, which will help owners and operators of critical infrastructure identify, assess and manage cyber risk. Third, DHS will work with sector-specific agencies to develop the Critical Infrastructure Cybersecurity Program to promote voluntary adoption of the Framework.

NIST Kicks Off New National Cybersecurity Center of Excellence

NIST’s Curt Barker, Karen Waltermire, and Henry Wixon are seen explaining how interested parties can get involved

Guest blog post by Donna Dodson, Chief, Computer Security Division and Acting Director, National Cybersecurity Center of Excellence, National Institute of Standards and Technology

This week, Commerce's National Institute of Standards and Technology (NIST) hosted a workshop to kick off the National Cybersecurity Center of Excellence (NCCoE), a new public-private collaboration that will bring together experts from industry, government and academia to design, implement, test and demonstrate integrated cybersecurity solutions and promote their widespread adoption.

IT is central to financial, communications, healthcare and physical infrastructures and even entertainment systems. It is also under constant attack by cybercriminals looking to steal business data, personal information and devices, or disrupt private and government business with malicious code, denial of service and Web-based attacks.

We were excited to bring together representatives from various industry sectors (health, utility, financial, and more), along with those from government agencies, academia and other organizations to learn how the center will operate and how the public can participate. In the photo here, NIST’s Curt Barker, Karen Waltermire, and Henry Wixon are seen explaining how interested parties can get involved.

The NCCoE will provide a state-of-the-art computing facility where researchers from NIST can work collaboratively with both the users and vendors of products and services on holistic cybersecurity approaches. NIST is hosting the center in collaboration with the state of Maryland and Montgomery County, Md.

By providing a test bed where new ideas and technologies can be tried out before being deployed, the center provides the opportunity to thoroughly document and share each solution, supporting specific industry sector business challenges. This will encourage the rapid adoption of comprehensive cybersecurity templates and approaches that support automated and trustworthy e-government and e-commerce.

National Consumer Protection Week: Spotlight on Privacy

Today, President Obama declared March 4-10, 2012 as National Consumer Protection Week, building on a coordinated effort that encourages consumers nationwide to take full advantage of their consumer rights and make better-informed decisions. The Commerce Department is using this occasion to showcase the efforts of our Internet Policy Task Force, which is leveraging the expertise of several Commerce bureaus that are aimed at ensuring continued innovation in the Internet economy and preserving consumer trust in Internet commerce and online interactions. In particular, the Task Force continues to move forward in our work to promote new efforts that will lead to improved Internet privacy protection and better security for consumers online.

In February, the Obama administration unveiled a “Consumer Privacy Bill of Rights” as part of a comprehensive blueprint to improve consumers’ privacy protections and ensure that the Internet remains an engine for innovation and economic growth. The president’s report called on the Commerce Department’s NTIA to begin convening companies, privacy advocates and other stakeholders to develop and implement enforceable privacy policies based on the Consumer Privacy Bill of Rights.

NTIA is now moving forward and seeking public input on what issues should be addressed through the privacy multistakeholder process and how to structure these discussions so they are open, transparent, and most productive. Today, NTIA issued a formal request for comment (PDF). The comment period will remain open until March 26, 2012.

As NTIA Administrator Lawrence Strickling illustrated last week, we hope to receive meaningful suggestions and input from a range of privacy stakeholders. Their continued involvement will be key for the future of consumer protection, and we need your help to make it a success.

The report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” (PDF) resulted from a comprehensive review of Internet privacy policy and innovation in the Internet economy led by the Commerce Department’s Internet Policy Task Force.

Maryland Governor O'Malley Urges Investment in Cybersecurity Education

Gov. Martin O'Malley on podium

Maryland Governor Martin O'Malley addressed several hundred educators, IT experts, and others at the National Institute of Standards and Technology (NIST) yesterday as part of a workshop hosted by the National Initiative for Cybersecurity Education (NICE), a national campaign coordinated by NIST.

Calling cybersecurity an "urgent priority," O'Malley emphasized the need for government and the private sector to work together to "invest in the skills of our people" and create new jobs in the cyber field. In part, he said job creation will depend on “how quickly we move good ideas from labs to the commercial sector.”

O’Malley described a state-wide cybersecurity initiative begun three years ago that includes partnerships with Maryland-based federal labs such as NIST and the National Security Agency, enhanced technology transfer efforts, and expansion of the cybersecurity career pipeline. He also discussed several programs that the state of Maryland has implemented in Science, Technology, Engineering and Mathematics (STEM) education at the college level and in career and technical education at the high school level to improve education in cybersecurity.

He noted that "a modern economy requires modern investment," and "the single most important investment is the investment in public education."

Commerce Emphasizing Innovation and Efficiency in IT Security Operations

Simon Szykman at podium

Guest blog post by Simon Szykman, Chief Information Officer, U.S. Department of Commerce

You missed it! The Department of Commerce's Office of the Chief Information Officer (OCIO) hosted its inaugural Innovating Security Conference to increase knowledge and awareness of various initiatives, exchange information and ideas, and engage in discussions on ways to further protect and strengthen the security posture of the department’s information systems. Facing security threats that are evolving and growing in sophistication, while at the same time anticipating a constrained outlook for the future due to budget pressures, it is imperative for organizations across the department to pursue improvements in both efficiency and effectiveness by examining operations, collaborating on common objectives, improving information sharing, and identifying opportunities to leverage one another’s independent activities.

The two-day conference is one means of moving toward a higher level of efficiency and effectiveness by emphasizing internal collaborations and open dialogue. The conference included participation and invited speakers from Commerce, as well as from other federal agencies and the private sector, in order to leverage their best practices, lessons learned and knowledge in areas related to information system security. In addition to keynote and panel sessions, service offerings of Commerce internal service providers as well as industry vendors were highlighted during the event.

Protecting Our Electronic Main Street

Cybersecurity and the Electronic Main Street

Guest blog post by Ari Schwartz, Internet Policy Adviser at the National Institute of Standards and Technology, and member of the Internet Policy Task Force at the Department of Commerce.

As we all know, the Internet has led to incredible commercial growth and an unprecedented means for self-expression and innovation. Some industry analysts now estimate that the Internet carries some $10 trillion in online transactions annually.

However, each time a new technology dramatically expands the boundaries of commerce, there are dishonest, dangerous people who try to disrupt and exploit the new pathways for their own gain. Therefore, it should come as no surprise that as the Web, e-mail, and e-commerce have become the electronic version of Main Street, hackers, spammers, and cybercriminals have emerged as major threats to its welfare. An estimated 67,000 new malicious viruses, worms, spyware and other threats are released every day.

To paraphrase Willy Sutton: It’s where the money... and the information is.

A new Commerce Department report issued today calls for a public-private partnership and voluntary codes of conduct to help strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector as defined by the administration’s recent cybersecurity legislative proposal. Issued by the department’s Internet Policy Task Force, the report targets what it calls the Internet and Information Innovation Sector or the I3S. These are businesses that range from Mom and Pop manufacturers or startups that sell most of their products and services online to social networking sites like Facebook and Twitter to cloud computing firms that provide anytime, anywhere access to applications and personal or public data.