The Public Eye with Eric Chabrow

Rockefeller: Be Wary of the NSA

That's the cautionary advice Sen. Jay Rockefeller gave to Patrick Gallagher at his nomination hearing to be the next director of the National Institute of Standards and Technology.

Gallagher, NIST's current deputy director, said during the hearing Thursday that NIST cybersecurity experts will collaborate closely with the National Security Agency and the Department of Homeland Security to develop new ways to secure government information systems and the nation's critical IT infrastructure.

"Good luck with that," Rockefeller said after Gallagher outlined NIST's working relationship with NSA and DHS. "The agencies you picked out - NSA and DHS, to be honest - are two of the toughest nuts to crack. In the raw world of intelligence, NSA, if you can get them to share anything, you've really done well. The leaders are all there for you, but where the sharing has to take place, old habits prevail."

Rockefeller encouraged Gallagher to position NIST to be the leader in developing new ways to protect crucial government IT assets, noting that another small agency - the Energy Department - overshadowed bigger government organizations in revealing the truth about weapons of mass destruction, or the lack thereof, in Iraq.

"If NIST is in a certain place in the pecking order, don't accept that," Rockefeller said. "Play rough. Be aggressive, not just within the agency, but across the government because everyone is so overwhelmed with work and problems and the bureaucracy, that it takes sometimes a relatively small agency (to lead). NIST has an extraordinary opportunity in cybersecurity."

Rockefeller chairs the Senate Committee on Commerce, Science and Transportation, which provides NIST oversight. He is also the sponsor of the Cybersecurity Act of 2009, which, along with other measures, is being considered by Congress.

Cyber: No. 1 Security Threat

The West Virginia Democrat painted a dire picture of the current state of the nation's IT security, characterizing cybersecurity as the No. 1 national security threat. "That lifts it above dirty bombs, everything else," he told Gallagher. "We all know that a 14-year-old youngster in Indonesia can sit down at a computer ... and do whatever he wants, to shut down sections of grids, he can shut down hospitals selected at random around the world and nobody will ever know. It's an utterly terrifying and utterly realistic proposition. In other words, it's bound to happen in a big way in our country. ...

"Since we're likely to be a major target on that, perhaps more than Al-Qaeda, for example, a more devastating attack, a subtle attack that can destroy the psyche of America, of middle America, of all America faster than anything else in the world because we're defenseless against this."

Gallagher told Rockefeller that NIST's cybersecurity experts are worried about the dangers of a cyber attack, too. "It is frightening to anyone who has heard the threat assessments and not help but to be very sobered by the threat environment that our computer systems are in and is evolving and growing every day," the nominee said.

NIST Infosec Experts Worried

"Our computer security experts do worry about this," Gallagher said. "This is not going to be solved by NIST alone. One way we're doing this is, as you know, the White House has been active in this at the conclusion of the 60-day cyber review. Congress is very interested in this. A lot of legislation is being looked at that we're very interested in. One of the things I think is most essential is that we have a number of different agencies involved in this area. We need to make sure they stick and work very effectively together because we need each other and we don't want to overlap unnecessarily."

Gallagher told the committee that as NIST deputy director he fostered a close working relationship with NSA and DHS.

"That's only a starting point," he said. "This is a big task. One of the things that, if confirmed, I would really like to focus on is improving our ability to assess and measure the threat environment. We know of the task and we try to look at specific vulnerabilities and put patches and fixes to them, and address standards to reduce vulnerabilities. But, we have a very difficult time measuring the risk that our systems are in or measuring the security of performance of these systems. You manage what you measure.

"If NIST can help support an effective way of assessing security performance, and assessing the risk environment of these systems, we'll really enable federal IT managers to do a much better job."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
