Former officials object to NIST plan to redistribute security work
Originally published Aug. 19 and updated Aug. 21
A proposed reorganization of the National Institute of Standards and Technology’s IT Laboratory has drawn criticism from former NIST officials who are worried that changes in the lab’s Computer Security Division would be a step backward for computer security.
The Computer Security Division has produced standard encryption algorithms and guidance for complying with computer security requirements, and has established standards for government use of information technology. NIST said the purpose of the reorganization, which has a target completion date of Oct. 1, is to better match the lab’s structure to its mission.
“The proposed reorganization would not include any reduction in force, or major changes in the lab’s core competencies,” NIST said in a statement. “An additional key goal is to strengthen NIST’s cybersecurity efforts.”
But the former officials warn that the move would disrupt an organization that has worked well.
“In our opinion, this proposed reorganization breaks up an organizational component that has effectively provided computer security leadership to the government and the private sector for over 30 years,” they said Aug. 10 in a letter to acting NIST Director Patrick Gallagher. “We believe it is a major mistake to diminish NIST’s computer security program at a time when external support for the program is at an all-time high and when cybersecurity is of vital importance to the economic well-being and security of our nation.”
The letter was signed by Dr. Dennis Branstad, Dr. Stuart Katzke, F. Lynn McNulty and Miles E. Smid, who characterized themselves as founders and past leaders of the division.
NIST said the plan still is in its early stages and that details will be released after it has been approved. But IT Lab Director Cita Furlani said the concerns are baseless.
“NIST has no plans to ‘shutter’ or ‘eliminate’ its Computer Security Division, nor will it redistribute the resources of the group throughout the lab,” she said in a letter to GCN. “Quite to the contrary, my draft proposal would strengthen our cybersecurity efforts and would not ‘break up’ the highly effective team of NIST experts who currently work in the Computer Security Division. The great majority of these staff members would remain together in one unit.”
She said the concern is premature because the internal NIST discussion is in its very early stages.
The IT Lab does research on metrics and standards in a wide range of areas in information technology. Its roots date back 40 years, to the creation of the Center for Computer Science and Technology in what was then the National Bureau of Standards in 1969. The Computer Security Act of 1987 gave NBS responsibility for securing unclassified computer systems, and the IT Lab was created by NIST in 1996. Its budget for fiscal 2008 was $97.9 million.
“Many of our vital programs impact national security, such as improving the accuracy and interoperability of biometrics recognition systems and facilitating communications among first responders,” the IT Lab says of its mission. The lab has mandates to provide standards and guidance to agencies under the Federal Information Security Management Act, the Computer Security Research and Development Act, the USA Patriot Act, the Enhanced Border Security Act, and the Help America Vote Act. Much of this work is done in the Computer Security Division.
Among the division’s accomplishments are the Advanced Encryption Standard, standards for Homeland Security Presidential Directive 12 for federal Personal Identity Verification cards, risk management guidance for FISMA compliance and conformance testing for the Federal Information Processing Standards.
A key element in the proposed reorganization would be relocating the chief cybersecurity adviser -- Curt Barker, also currently head of the Computer Security Division -- from the division to the IT Lab central office to provide wider authority to coordinate cybersecurity projects throughout the lab.
“The proposed draft does not change the technical program of work currently performed by the Computer Security Division,” NIST said in a statement.
The former officials said there is no reason to fix what is not broken, and that the plans have been made without public notice and without input from stakeholders outside of NIST, most of whom do not know of the proposed changes. At the least, the changes should be held off until President Barack Obama fills the new position of cybersecurity coordinator, they said.
“We firmly believe that the diffusion of responsibility and leadership that is inherent in this proposal will have a predictably negative effect upon the ultimate effectiveness of the NIST program,” they wrote.
Furlani said the plans are not being rushed and will not be made without additional input.
“Advice will be sought,” she told GCN. “Stakeholders will be consulted. No imminent changes are expected. The Oct. 1 target completion date was discussed internally only and is not a deadline of any kind.”
She said the IT Lab is committed to continued advances in computer security. “Cybersecurity is a vital, central mission of our laboratory. Our programs must fully reflect the complex interdisciplinary nature of today’s threats. Any changes ultimately made to management of our cybersecurity programs will be carefully designed to significantly improve and reinforce protection of the nation’s information technology resources.”