Public/private cybersecurity research ready for launch
NIST, DHS agree with financial services industry to cooperate on R&D
- By William Jackson
- Dec 09, 2010
The financial services industry has entered into a formal agreement with the National Institute of Standards and Technology and the Homeland Security Department’s Science and Technology Directorate to collaborate on cybersecurity research and development.
The memorandum of understanding, finalized Monday, does not specify the research programs or provide additional funding, but it is intended to ease three-way collaboration between the parties.
“We certainly could proceed bilaterally with both DHS and the financial services industry without any formal memorandum,” said Charles Romine, acting associate director for laboratory programs at NIST. “Where this adds value is in sending a strong signal” about the willingness and ability of government and private industry to work together to find security solutions.
The goal of the agreement is to speed commercialization of cybersecurity research, federal CTO Aneesh Chopra and Cybersecurity Coordinator Howard A. Schmidt said in a White House blog post.
Lack of trust still hinders public/private security efforts
Nation's cybersecurity suffers from a lack of information sharing
Industry is represented in the agreement by the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC), one of a number of private-sector coordinating councils created under Homeland Security Presidential Directive 7 to work with DHS and designated industry-sector specific federal agencies in protecting critical infrastructure. The sector-specific agency for financial services is the Treasury Department, which will work with the other parties in the agreement as appropriate.
The memorandum builds on existing relationships, Romine said. “We have a history for years of working with DHS Science and Technology in security and advanced networking.” FSSCC’s Research and Development Committee also has been working with DHS and NIST for several years.
One of the first projects under the agreement will be establishing a testbed environment for testing strong authentication tools and other security technology. “We are interested in tackling that right away,” Romine said.
The agreement came about at the request of the administration, which “sent a strong signal” that the financial services sector was an attractive target for collaboration because it has a set of clearly identifiable challenges that not only are critical to the industry and to national security, but could be applicable to other industry sectors as well, Romine said. NIST and DHS have been exploring research possibilities for the past year, he said.
The industry and the administration have singled out identity management as a security priority in financial services, FSSCC said in its 2010 annual report.
“This became a focus of the new administration and working closely with our public sector counterparts we were able to prioritize and capitalize on the public sector interest in, and funding of, high priority research issues for the financial sector,” the annual report said.
After discussions with White House officials, NIST and DHS, FSSCC’s R&D committee in 2009 proposed a Financial Communications and Authentication testbed pilot as part of the National Cyber Leap Year Summit in August 2009 to create a financial sub-net within a government-controlled domain for testing very strong business-to-business and business-to-government authentication options.
NIST also has worked with DHS in establishing testbeds for advanced networking tools and security technologies such as the DNS Security Extensions (DNSSEC) and Border Gateway Protocol Security. This early work could speed the establishment of a test environment for financial services, Romine said. “A lot of the groundwork has been laid.”
One of the goals of the testbed would be to ensure usability of new security technology for customers. Security that is onerous to the end user could ultimately be counterproductive in enabling secure online transactions, Romine said.
“This agreement will accelerate the deployment of network testbeds for specific use cases that strengthen the resiliency, security, integrity and usability of financial services and other critical infrastructures,” Chopra and Schmidt said in their blog posting.
Romine described the agreement with as a starting point for public/private cooperation on R&D.
“The financial services sector has some of the more substantial activities in trying to secure their operations,” he said. Because security challenges have been identified, finding solutions is more straightforward. Those solutions also could be used in other industries. “There are many sectors that have similar challenges.”
Similar agreements with other private sector coordinating councils are possible, but none now are in the works, he said.
William Jackson is a Maryland-based freelance writer.