
National Cybersecurity Challenges and NIST
Matthew Scholl
Chief, Computer Security Division

The Importance of Standards

Article I, Section 8: "The Congress shall have the power to…fix the standard of weights and measures"

An estimated 80% of global merchandise trade is influenced by testing and other measurement-related requirements of regulations and standards.

• National Bureau of Standards established by Congress in 1901

• Eight different “authoritative” values for the gallon

• Electrical industry needed standards

• American instruments sent abroad for calibration

• Consumer products and construction materials uneven in quality and unreliable


NIST has two main campuses: Gaithersburg, MD and Boulder, CO.


NIST Products and Services

Measurement Research
• ~2,200 publications per year

Standard Reference Data
• ~100 different types
• ~6,000 units sold per year
• ~226 million data downloads per year

Standard Reference Materials
• ~1,300 products available
• ~30,000 units sold per year

Calibration Tests
• ~18,000 tests per year

Laboratory Accreditation
• ~800 accreditations of testing and calibration labs


ITL Mission: Cultivating trust in IT and metrology.

CSD Mission: Inspire trust and confidence in IT.

Goals: Make effective, usable and impactful references to reduce risks to information and information systems.

NIST’s Cybersecurity Core Program

• Research, development, and specification of security mechanisms (e.g. protocols, cryptography, access control, auditing/logging)
• Security mechanism applications: confidentiality, integrity, availability, authentication, non-repudiation
• Secure system and component configuration
• Assessment and assurance of security properties of products and systems

Example Current Research Areas

Risk Management
Focus on a complete Risk Management Framework that supports the lifecycle management of an organization’s traditional information and information infrastructure as well as cyber-physical systems.

Configuration Baselines
Standardized security configurations for operating systems, and automated tools to test the configurations.

Security Automation and Vulnerability Management
Continue to develop tools and specifications that address situational awareness, conformity and vulnerability management compliance…

Virtualization and Cloud
Support for cloud special publications and standards activities to support security, portability and interoperability.

Key Management
Foster the requirements of large-scale key management frameworks and the design of key management systems. Support the transition of cryptographic algorithms and key sizes.

Next Generation Cryptography
Use and implementation of SHA-3. Developing new lightweight and quantum-resistant encryption for use in current and new technologies. New modes of operation.


Secure Mobility
Focuses on research and development in the area of mobile security, including mobile application testing and mobile
• Guidelines for Testing and Vetting Mobile Applications
• Mobile App Software Assurance Requirements
• Mobile Roots of Trust

Supply Chain
Work with industry, academic, and government stakeholders to develop foundational definitions, baseline requirements, general implementation methodologies, and a set of supply chain risk management best practices encompassing the system development lifecycle.

Trust Roots
Collaborate with industry to develop guidelines that identify security properties for hardware trust roots and other trust roots to leverage and use.

Network Security
Foster requirements for secure networking technology such as DNSSEC, IPv6 and BGP technologies.

Software Assurance
Identifying and reducing the software bugs that are relevant to security, resilience and reliability. Understanding how the tools we use affect software. Collaboration with industry, US agencies and international partners in developing, integrating, and creating software assurance metrics, measurements and conformance activities.

Usability of Security
Performing groundwork research to define the factors that enable usability in the area of multifactor authentication, and developing a framework for determining the metrics that are critical to the success of usability.

Identity Management Systems
Standards development work in biometrics, smart cards, identity management, and privacy framework.
R&D: Personal Identity Verification, Match-On-Card, an ontology for identity credentials, development of a workbench, ID credential interoperability.

Infrastructure Support
Cybersecurity for application infrastructure including Health Information Technology, Smart Grid and Voting.


Testing and Conformance for the USG

• Cryptography – algorithms and modules. Undergoing change to how, when and who conducts testing and validation.
• ID Credential (PIV) – USG identity in card form factor. Undergoing change to look at new modalities.
• SCAP Tools – automated tools using standards for security information. Looking to SDOs for the next set of needed information.

National Initiative For Cybersecurity Education (NICE)

• Raise national awareness about risks in cyberspace.
• Broaden the pool of individuals prepared to enter the cybersecurity workforce.
• Cultivate a globally competitive cybersecurity workforce.

NICE is "enhancing the overall cybersecurity posture of the United States by accelerating the availability of educational and training resources designed to improve the cyber behavior, skills, and knowledge of every segment of the population."

NIST, as the interagency lead for NICE, promotes the coordination of existing and future activities in cybersecurity education, training, and awareness to enhance and multiply their effectiveness.

National Cybersecurity Center of Excellence (NCCoE)

• Accelerated adoption of practical, affordable, and usable cybersecurity solutions
• Integrated cybersecurity solutions, built on commercial technologies, designed to address a sector’s specific business needs
• Increased opportunities for innovation through the identification of technology gaps
• Trusted environment for interaction among businesses and solution providers
• Further the understanding of current cybersecurity technology capabilities and the cost of their implementation
• Broader awareness of cybersecurity technologies and standards

Tools – Data – References

• National Vulnerability Database
• Secure Configurations
• National Software Reference Library
• Combinatorial Software Testing Tools
• Randomness Beacon
• Security Control Catalogue

Develop Post-Quantum Cryptography Standards

Call for proposals was released December 2016
Submission deadline is Nov. 30, 2017

Main activities
– Research – NIST researchers have been very productive
• 3 papers were presented at PQCrypto 2017 (a major conference in PQC), along with a NIST Q&A session
– Outreach to the community for the standardization process – presentations, e.g.
• The National Academies of Sciences – Forum on Cyber Resilience Workshop
• Asia PQC Forum
• International Cryptographic Module Conference
• Information Assurance Symposium
– Interaction with the community to discuss questions on submission requirements

Explore proper approaches for lightweight cryptography

Published NISTIR 8114, Report on Lightweight Cryptography
Call for Profiles – to characterize "lightweight"
– Profile characteristics – physical, performance, security
– 20 questions for response
– Profile template includes function, design goal, and characteristics
The profile will determine the approach to selecting lightweight cryptography algorithms and their specifications.

Update existing standards
To be consistent with well-accepted industry practice, e.g. SDOs
To respond to advances in crypto research
The following standards are under revision:
– FIPS 186-4, Digital Signature Standard
– SP 800-56 A/B/C, key agreement and key derivation
Outreach to the user community to discuss updates and solicit feedback

Respond to advances in cryptanalysis

Triple DEA – attack on its usage in major protocols, e.g. HTTPS
– Revise the data limit encrypted by one key set in SP 800-67
– Deprecate Triple DEA for IKE (SP 800-196) and TLS (SP 800-52)

FF3 – format-preserving encryption (one of the modes in NIST SP 800-38G)
– Announce NIST plan to revise SP 800-38G and call for public comment

Practical SHA-1 collision
– Urge users who have not yet complied with NIST recommendations to stop using SHA-1 in applications where collision resistance is needed
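Why the Triple DEA data limit in SP 800-67 had to be revised comes down to the birthday bound on a 64-bit block cipher: once roughly 2^32 blocks have been encrypted under one key, a repeated ciphertext block becomes likely, and in CBC mode that repeat leaks the XOR of two plaintext blocks. The Python below is an added example, not material from these slides or from NIST: it computes the approximate collision probability for a given traffic volume under a 64-bit and a 128-bit block cipher, and checks a volume against the 2^20-block per-key-bundle limit that SP 800-67 Rev. 2 adopted. The block sizes and the limit are taken from the public standards; the sample traffic volumes are constructed.

```python
"""Birthday-bound arithmetic behind block-cipher data limits.

Added example, not from the NIST slides or NIST's own tooling. Block sizes
and the SP 800-67 Rev. 2 per-key-bundle limit (2**20 64-bit blocks) come
from the public standards; the sample traffic volumes below are constructed.
"""
from math import expm1, log, sqrt

BLOCK_BITS = {"3DES": 64, "AES": 128}

# SP 800-67 Rev. 2: at most 2**20 64-bit blocks (8 MiB) per Triple DES key bundle.
TDEA_BLOCK_LIMIT = 2 ** 20


def blocks_for_bytes(n_bytes: int, block_bits: int) -> int:
    """Number of cipher blocks needed to carry n_bytes (rounded up)."""
    block_bytes = block_bits // 8
    return -(-n_bytes // block_bytes)


def collision_probability(n_blocks: int, block_bits: int) -> float:
    """Birthday-bound estimate of P(at least one repeated ciphertext block)
    among n_blocks blocks of size block_bits: 1 - exp(-n^2 / 2^(b+1)).

    A repeated block in CBC mode leaks the XOR of two plaintext blocks,
    which is the leak exploited against 64-bit ciphers in TLS.
    """
    x = (n_blocks * n_blocks) / float(2 ** (block_bits + 1))
    return -expm1(-x)  # accurate for tiny x, unlike 1 - exp(-x)


def max_blocks_for_probability(p: float, block_bits: int) -> int:
    """Largest block count whose collision probability stays at or below p."""
    return int(sqrt(-log(1.0 - p) * 2 ** (block_bits + 1)))


def tdea_limit_exceeded(n_bytes: int) -> bool:
    """True if encrypting n_bytes under one Triple DES key bundle would
    exceed the SP 800-67 Rev. 2 block limit."""
    return blocks_for_bytes(n_bytes, BLOCK_BITS["3DES"]) > TDEA_BLOCK_LIMIT


def risk_table(volumes_bytes):
    """Collision probability per cipher, plus the SP 800-67 check, for each volume."""
    rows = []
    for n_bytes in volumes_bytes:
        row = {"bytes": n_bytes, "tdea_over_limit": tdea_limit_exceeded(n_bytes)}
        for name, bits in BLOCK_BITS.items():
            row[name] = collision_probability(blocks_for_bytes(n_bytes, bits), bits)
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Constructed sample volumes: one key bundle exactly at the limit, 1 GiB, 32 GiB.
    for row in risk_table([8 * 2 ** 20, 2 ** 30, 32 * 2 ** 30]):
        print(f"{row['bytes']:>12} bytes  3DES p={row['3DES']:.2e}  "
              f"AES p={row['AES']:.2e}  over SP 800-67 limit: {row['tdea_over_limit']}")
```

The 8 MiB row sits exactly at the limit and is not flagged; the 32 GiB row is 2^32 64-bit blocks, where the collision probability under Triple DEA is already about 0.39, while the same volume under a 128-bit block cipher stays around 10^-20. That gap is why the practical response to the HTTPS attack is to cap per-key data and move to AES rather than to tune Triple DEA.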

The 20 Year Question (or 5, 10, 15)

• Practical quantum compute?
• Divergence away from the mobile platform?
• Data generation everywhere?
• Compute on everything? (New forms of HPC?)
• Bandwidth to connect at scale?
• Abstraction of user interface?
• Predictive/responsive AI?
• Resilient products and components?

For Additional Information
• http://csrc.nist.gov
• http://csrc.nist.gov/nice/
• http://www.nist.gov/nstic/
• http://nccoe.nist.gov
• http://www.nist.gov/cyberframework/