New NIST director says U.S. faces "critical time in cybersecurity"

Published 10 December 2009

Patrick Gallagher, the new director of the U.S. National Institute of Standards and Technology, sees NIST’s role as a catalyst for the application of technology to pressing environmental, economic, and social concerns

Patrick Gallagher, confirmed last month as director of the National Institute of Standards and Technology (NIST), believes the agency he is taking over has become an economic enabler for a nation increasingly dependent on information technology and the ability to securely share and use information. “I find NIST to be at a critical juncture right now,” Gallagher said. “It is 108 years old with a more important mission than ever: Ensuring trust in the exchange of data.”

GCN’s William Jackson writes that, as evidence, Gallagher points to the growth of cybersecurity as a high-profile issue during the past decade; it has become a primary concern of NIST’s largest laboratory. New projects such as Smart Grid technology and health IT also have become priorities for sustainable economic development. Gallagher said this type of rapid development of technical capabilities will become more common as we increasingly depend on science and technology to solve our problems. “By aggressively jumping in to address these issues we are creating positive economic conditions by establishing a standardized environment for growth,” he said.

Gallagher, a physicist with a Ph.D. from the University of Pittsburgh, came to NIST in 1993 to work in the Center for Neutron Research. He became director of that center in 2004. He has been an agency representative on the National Science and Technology Council and became deputy director of NIST in 2008.

Moving from the lab to the executive suite was not a shock, he said. “I’ve always been drawn into management and administrative activities, so it’s not an abrupt transition,” he said. “But you also can never take the science out of your DNA.”

Jackson writes that Gallagher will be overseeing an agency with 2,900 scientists, engineers, technicians, and support staff in Gaithersburg, Maryland, and Boulder, Colorado, with a total budget of more than $1.5 billion in fiscal 2009. The bulk of that, $819 million, comes from the agency’s annual appropriation, with another $125 million coming in fees from other agencies. It also received $610 million from the economic stimulus law for building research facilities and doing work on high-priority programs such as the Smart Grid initiative and health IT.

Although his background is in physics rather than computer science, Gallagher said he sees cybersecurity as a “huge factor, and I think it will remain so. It’s a big priority to me and to the country.”

Jackson notes that the importance of the issue is demonstrated by the strong reaction to a proposal earlier this year to reorganize NIST’s IT Laboratory, distributing functions of the Computer Security Division through the lab. That division has produced standard encryption algorithms and guidance for complying with computer security requirements under the Federal Information Security Management Act (FISMA), and has established standards for government use of IT. Although the agency made it clear that the reorganization would not include any reduction in force and that the goal was to strengthen cybersecurity efforts, the proposal generated enough resistance that the agency chose to shelve it for now, he said.

Gallagher said the reorganization was more an internal dialog than a formal proposal and that the idea is not dead. “One of my key jobs as a manager is to make sure the organization is optimized to carry out its responsibilities,” he said. “Reorganization should always be on the table.”

Gallagher called this a “critical time in cybersecurity,” as government responds to this year’s review of cybersecurity efforts and a number of bills addressing requirements for both government and the private sector are pending in Congress. “It is important that the agencies’ roles be well defined,” in protecting critical infrastructure, he said. “That was a major theme of the 60-day review. I think NIST has a lot to contribute as a technical, non-regulatory agency.”

NIST’s job is primarily to establish technical standards and metrics, and its cybersecurity standards take a risk-based approach. Measuring risk and security performance has always been problematic, however. “We tend to measure by check-list” when implementing FISMA requirements, he said. Gallagher said FISMA requirements and the standards NIST developed for them are sound, but that measuring compliance needs to move from the checklist to a results-oriented approach. “The problem we are facing is how you meaningfully apply a standard. One of the things we are doing is talking with OMB in how we can strengthen the adoption of standards.”

Gallagher sees NIST’s role as a catalyst for the application of technology to pressing environmental, economic, and social concerns. One of the primary measures of success for NIST in the coming years will be its ability to help lay the groundwork for implementing key technologies such as the Smart Grid and health IT. “We have to be nimble and resourceful,” he said.