NIST Ready to Take On New Cybersecurity Tasks

Past Successes Breed More Responsibilities
NIST Ready to Take On New Cybersecurity Tasks
Among the biggest fans of the National Institute of Standards and Technology are members of Congress familiar with safeguarding government IT systems who are sponsoring legislation to give NIST even more responsibilities in developing cybersecurity metrics.

One measure increases NIST's role in developing international cybersecurity technical standards. It also charges NIST with creating IT security awareness and education campaigns for the public, improving inoperability of identity management systems and developing an IT security checklist for agencies to use before acquiring IT wares. Other legislation would have NIST develop real-time metrics to assure the safety of government IT system, something NIST is already working on.

These are challenges new NIST Director Patrick Gallagher is will to accept.

"I feel compelled to welcome these responsibilities only because the need is so critical and so urgent," Gallagher said in an interview with (transcript below). "One of the reasons cybersecurity is at the top of everyone's priority list, it is certainly at the top of mine, is that information technology is so foundational to everything else."

In the interview, conducted by's Eric Chabrow, Gallagher also discussed:

  • His reluctance to create a new NIST laboratory focused on computer security.
  • Potential reorganization of NIST (Also see NIST Restructuring Mulled by New Director).
  • His defense of NIST Information Technology Laboratory Director Cita Furlani's proposed reorganization of the IT Lab in face of objections from key NIST stakeholders.

"Every manager should be striving to make sure their organization is as effective as possible," Gallagher said. "What Cita was doing was looking at one of the major tools that a manager has, which is your organizational structure optimized for being as effective as possible. It was a very thoughtful proposal. The reality is that many of the cybersecurity activities already spread across various division within ITL, and this was the chance to try to create some synergies to make the organization more effective."

President Obama nominated Gallagher, 46, to his new post on Sept. 10. The Senate confirmed Gallagher as NIST's 14th director on Nov. 5. Gallagher has worked at NIST, part of the Department of Commerce, since 1993 as a scientist, laboratory director and deputy director. He served as interim director from September 2008 until his confirmation.

Gallagher has a Ph.D. in physics from the University of Pittsburgh. He taught high school math and science for a year after receiving his B.A. in physics and philosophy from Benedictine College in Atchison, Kan. Gallagher came to the NIST Center for Neutron Research in 1993 to pursue research in neutron and X-ray instrumentation and accompanying studies of the properties of technologically important "soft' materials such as polymers, liquids and gels.

In 2000, Gallagher was a NIST agency representative for the White House National Science and Technology Council and became active in federal. policy for scientific user facilities. At the Office of Science and Technology Policy, he served as chair of the Interagency Working Group on neutron and light source facilities. In 2006, he was awarded a Department of Commerce Gold Medal, the department's highest award, in recognition of this work. In 2004, he became director of the Center for Neutron Research, a national user facility for neutron research that is one of the most heavily used facilities of its type in the nation.

A native of Albuquerque, N.M., Gallagher lives with his wife and three sons in Olney, Md.

ERIC CHABROW: What effect did not having a full-time director for 2½ years have on NIST?

PATRICK GALLAGHER: In some ways it didn't do a lot, in the sense that an agency can continue to run itself without a political director. And, it is not entirely true that we didn't have a director; we just didn't have a Senate confirmed director in place, so the deputy directors were certainly acting in that capacity at that time.

But it is also true that it is not the same and I think one of the impacts is that everyone knows that it is transitory situation and so the ability to sort of take a longer view and to tackle some of the more longer term issues is sort of impeded when you know that this is a temporary situation.

CHABROW: Now that you are the permanent director, what challenges does NIST face and what are your major goals for the institute?

GALLAGHER: Our challenges are really challenges of opportunity. NIST finds itself at an extremely compelling time, when it's 109-year-old mission of measurements and standards and technology is as important as it has ever been. Most of our challenges has to do with living up to this expectation and doing what the country needs us to do.

I find it interesting that an agency that was sort of born at the height of the Industrial Revolution finds itself increasingly important and increasingly relevant. One of the reasons for that is NIST operates at all of the interfaces of an economy. We established the measurement basis for the transaction of good and materials, we worry about the interoperability of systems, we worry about the integrity of security of data and information. We have always done those things but our economy is more and more dependent on those things and I think that is what gives us this incredible mandate.

Most of my high-level priorities are to make NIST as effective in the face of that need as possible and I think that means being nimble and moving quickly to address critical problems, being relevant. And, that is very important for NIST because we are a very small agency working in concert with others so that these efforts are maximally leveraged; we sort of act to catalyze broader efforts.

CHABROW: When you speak of being nimble and moving quickly, can you give examples of what you mean by that?

GALLAGHER: One example that is certainly at the forefront of my thinking has been the smart-grid activity. The president has made it very clear that to address a whole set of urgent national needs, to promote energy efficiency, to promote widespread use of renewable energy technologies, to bend the load curve to improve the reliability of our system, that a technology was going to be critical. Coupled with that thinking was just not to develop technological solutions to these problems, but to turn it into economic opportunities so that at the same time we solve this problem, we are opening up new markets and creating new economic activity and creating new job.

The only way to make that happen is to move very quickly, and NIST's charge was basically to support the development of a framework of standards that would support interoperability of all of these diverse technologies. But, it had to be done very, very quickly, both because of the Recovery Act and because of the need to accelerate this so that we could open up a market.

It wasn't that working on the standards was new to NIST, but the urgency and the scope of this did force us to act in new ways and to provide some new mechanisms for interacting with a broad industry sector that had not traditionally worked closely together and I think the results have been very encouraging.

CHABROW: Obviously, one area that NIST is very important is in cybersecurity, which is of interest to our listeners. Congress is asking NIST to do more as it relates to cybersecurity. One Bill heading to the House floor increases NIST's role in developing international cybersecurity technical standards. That measure also charges NIST with creating IT security awareness and education campaigns for the public, improving inoperability of identity management systems and developing an IT security checklist for agencies to use before acquiring IT wares. Other legislation would have NIST develop real-time metrics to assure the safety of government IT system, something NIST is already working on.

Do you welcome these extra responsibilities and does NIST have enough experts on its hands to pursue these objectives and are you getting enough money from Congress to do this?

GALLAGHER: I feel compelled to welcome these responsibilities only because the need is so critical and so urgent. One of the reasons cybersecurity is at the top of everyone's priority list, it is certainly at the top of mine, is that information technology is so foundational to everything else. We were just talking about smart grid and of course, cybersecurity is very much a key component there as well.

For an economy that depends so utterly now on the safe and reliable transaction of information and movement of information, cybersecurity is absolutely essential. My view is there is a lot for everybody to do, including NIST. Many of the challenges you outlined are in response to our evolving understanding of how to manage security in this very dynamic set of technologies. They key to understanding NIST's role is to really leverage the fact that it is a technical non-regulatory agency. It really allows us to work very closely in principle with the private sector, but also with other federal agencies to develop the basis for security controls, identity management, encryption, all of the various elements of cybersecurity.

It is an incredibly important role. One of the things I like about it for NIST, and the reason I think it fits so well, is that we tend to focus on the standards development piece for NIST because of how FISMA (Federal Information Security Management Act) was written, but of course NIST is a measurement laboratory. The real goal here is to have security standards that are reduced to practice, that are put into meaningful use. Therein lies the real measurement piece, how do you measure in a meaningful way, security performance? How do you measure in a meaningful way, risk, because the NIST standards are risk-based standards? That is really where our technical activities are focused. Congress has strongly supported NIST and I expect that to continue.

As you pointed out, a lot of the legislative interest on the Hill is really focused on making sure that the right agencies are involved and that their roles are clear and that they have the resources to carry out these mandates.

CHABROW: So you feel you will get the proper funding to accomplish these mandates?

GALLAGHER: I certainly haven't spoken to anyone in Congress that is not very supportive. In fact, given the real resource constraints that they face, they have been very, very supportive. So I am optimistic. The real key for me is making sure that we don't just do as much as we can afford to do, what we do is lay out what each agency has to do and that gives us a better basis for making responsible requests so that we can carry out those roles.

So this debate about what agency does what and what roles they should carry out is very much interdependent with the discussions about how much funding is needed to carry out those roles and responsibilities.

CHABROW: In August, NIST Information Technology Laboratory Director Cita Furlani proposed a reorganization of the IT lab. Under that plan, the head of lab's computer security division would become part of the lab director's office. The organization plan would have encouraged more multidisciplinary collaboration with other NIST units in developing cybersecurity programs and guidance. But, she told a Congressional hearing in October that the reorganization plan has received mixed reviews form NIST stakeholders and was placed on hold. At that same hearing, critics of the organization plan contended that the dividing different groups supporting the computer security divisions mission throughout the lab would be detrimental to its work and ultimately would weaken its impact on cybersecurity. Where do you stand on reorganizing NIST's IT lab to better develop cybersecurity guidance?

GALLAGHER: My view on reorganization is that every manager should be striving to make sure their organization is effective as possible. And so what Cita was doing was looking at one of the major tools that a manager has, which is, is your organizational structure optimized for being as effective as possible? It was a very thoughtful proposal. I think the reality is that many of the cybersecurity-related activities are already spread across various divisions within ITL and this was a chance to try to create some synergies to make the organization more effective. But it is also true that organizations impact stakeholders. It was mixed, but we certainly had feedback in support of the change, but we also received some feedback that implied that there were some real concerns. We decided to table the proposal until we could get a chance to look at that feedback and consider it some more. The goal remains to make ITL as effective as possible, in fact that goal really applies to all of NIST, and as I said, all organizational structures. You don't ever do it lightly because it can be disruptive, but you certainly want to have an organization that is structured to be as effective as possible.

CHABROW: Among the proposals that some of the stakeholders have suggested is creating form the Computer Security Division, NIST's 11th laboratory. What are your thoughts about that?

GALLAGHER: I would be reluctant to do that. One of the concerns I have right now is we have a lot of laboratories already. Anything you do rarely fits neatly within an organizational boundary and a lot of what NIST does goes across multiple laboratories as it is. When you are managing that way, you are spending a lot of time sort of managing at these interfaces. So creating more interfaces may not be an optimal solution.

I also don't think it would address in some ways the fact that there is some deep synergies between what our Computer Security Division does and a lot of other areas that area really dependent on the same thing.

We talked about smart grid. I think that is a clear case where in that particular arena there are some very important considerations about cybersecurity where I would like to see that fully integrated into that standards effort as well.

CHABROW: Should we expect some type of new reorganization plan coming down soon?

GALLAGHER: I don't have a specific timeframe in mind for when that is done. I think it is more important to make sure there is other discussion. I certainly asked our management team to take a look at, all of them and not just Cita, all of them to take a look at their organizational structures and to give me their input as to whether these are optimal. vThis is one of the key tools in a manager's toolbox and I certainly want them to not ignore it, but there is no specific timeframe at this point for when we would do certain things.

CHABROW: Is there a possibility of merging certain existing labs together?

GALLAGHER: I think all the options should be on the table. As I said, the real objective is what is the organizational structure that makes NIST most effective in the face of some very real challenges and needs. The country really NIST to be responsive and to be capable and to work effectively with its stakeholder communities and as I said, there are a lot of ways of doing that and one of those tools is management structure but there are many others of course.

CHABROW: Is it part of your responsibility to take a serious look at the entire structure and see how that can be reshaped?

GALLAGHER: Yes, it is.

CHABROW: You don't have a timetable to when you may or may not be doing that?

GALLAGHER: As I said, I have asked our management team to start looking at it immediately, but I have not set a timeframe for when something would be done because we haven't made a decision that something should be done. I think until you have accessed and put some options on the table and decided whether your solution is better than the - you know, the cure isn't worse than the disease, that it doesn't make sense to be putting out implementation plans, which would include deadlines. So it is just premature at this point to be talking about any specific timing. You also don't want assessments like this to last indefinitely; just the fact that people are looking things like this can be disruptive within an organization. We will take a look and we will make some decisions and based on those decisions we will announce any changes at that time.

CHABROW: The current structure with the 10 different laboratories and obviously the divisions underneath that, how long has that been around?

GALLAGHER: NIST moved to a laboratory structure in the early 1990s, and by laboratory structure I mean the sort of more discipline-based set of laboratories. The number of labs has actually grown somewhat over that time, and the most recent additions would have been the two facility type laboratories, the NIST Center for Research and the Center for Nanoskill Science and Technology. I think those were added in 2007.

CHABROW: Has the environment changed today from the early '90s that a major restructuring would be necessary?

GALLAGHER: Maybe, maybe not. I think the issue isn't so much whether something specific externally has changed, the question is when you look at this set of programs and priorities that you manage across an institution, as I said, one of the realities is that there is no perfect organizational structure. As a manager what you are simply deciding is what types of things do you want to manage within a given line and which things are you going to manage across the line. The fact that we haven't looked at this for 20 years tells me that it is time to take an assessment as to whether this is the right structure and we may decide that this is exactly the right. This is one of those impacts of not having a director for any period of time. These are the kinds of discussion that can't occur when there is a lot of change.

CHABROW: We are coming to the end of our conversation, is there anything else that you would like to add?

GALLAGHER: I do want to emphasize that cybersecurity is perhaps one of the most important things that NIST is called out to do. We can talk about funding and we can talk about organizational structures and we can talk about almost anything else, but in the end I want to reassure everybody that I am as committed as anyone to making sure that NIST makes meaningful contributions and really plays an important role, the kind of important role I think it really can play, in something as critically important as cybersecurity.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.