The Partnership Between NIST and the Private Sector: Improving Cybersecurity
02:30 PM Russell Senate Office Building 253
WASHINGTON, D.C.— The U.S. Senate Committee on Commerce, Science and Transportation will hold a hearing on Thursday, July 25, 2013 at 2:30 p.m. titled, “The Partnership Between NIST and the Private Sector: Improving Cybersecurity”. The hearing will explore the public-private partnership that the National Institute of Standards and Technology (NIST) is convening to allow private sector companies to promote cybersecurity standards and best practices to protect the nation’s most critical systems. The hearing will also explore proposals to improve cybersecurity research and development, workforce training and education, and public awareness.
Full Committee Hearing
Date: Thursday, July 25, 2013
Hearing Start Time: 2:30 p.m.
Location: 253 Russell Senate Office Building
Please note the hearing will be webcast live via the Senate Commerce Committee website. Refresh the Commerce Committee homepage 10 minutes prior to the scheduled start time to automatically begin streaming the webcast.
Individuals with disabilities who require an auxiliary aid or service, including closed captioning service for webcast hearings, should contact Collenne Wider at 202-224-5511 at least three business days in advance of the hearing date.
###
Majority Statement
Senator John D. (Jay) Rockefeller IV
Chairman, U.S. Senate Committee on Commerce, Science, and Transportation
We are going to spend a lot of time today talking about a federal agency most Americans have never heard of, the National Institute of Standards and Technology – or NIST. I can assure you that in this Committee, we have heard of NIST. And we understand and appreciate the important role NIST plays in our country’s economic success. Just as importantly, there are scientists, engineers, and technical experts all over the world who have heard of NIST, and who view NIST’s work as the gold standard.
Let me give you an example. A couple of weeks ago, this Committee was having a hearing on the very important issue of improving forensic science. One of our witnesses was the chief of the forensic science lab in the Netherlands, which is one of the top forensic science labs in the world. This Netherlands official proudly announced at the hearing that his agency had just signed a memorandum of agreement to work with NIST on improving the quality of forensic science standards. When Senator Thune asked him why his agency wanted to partner with NIST, he said it was because when it comes to standards, NIST is “absolutely the top-notch organization, the state of the art, worldwide.”
If you look up NIST’s authorizing law, you will read that NIST’s core mission is to serve as a laboratory, a “science, engineering, technology, and measurement laboratory.” I really want to stress this point for the members of this Committee and the business community who may not have worked closely with NIST before. NIST is not a regulatory agency. It’s a scientific laboratory.
NIST’s mission is to help American businesses solve tough technical problems. Whether it’s emerging technologies like the Smart Grid or cloud computing, or consumer products like flame-retardant mattresses or television screens, NIST’s job is to help American industry help itself. With its unrivaled technical expertise and its well-deserved reputation for objectivity, NIST has been working closely with the private sector for many years to help U.S. companies innovate and compete successfully with their foreign competitors.
I was very pleased – but not really surprised – when President Obama issued an Executive Order earlier this year instructing NIST to begin looking at how we can protect our critical assets from cyber attacks. I am looking forward to hearing from Dr. Gallagher and our other witnesses today about how their work on this so-called “Cybersecurity Framework” is progressing. Getting NIST involved in cybersecurity makes a lot of sense, because NIST already has decades of experience working with the private sector on computer security issues. NIST’s computer security work goes as far back as 1972, when it started working on the Data Encryption Standard.
It also makes sense because we need our country’s very best minds – in both the public and the private sectors – focused and working on this problem. Back in 2009, when Senator Snowe and I started working on cybersecurity legislation in the Commerce Committee, not everybody appreciated the seriousness of this threat. But today, four years later, I believe that we have reached a very broad consensus in this country that cyber attacks present one of the gravest threats to our national and economic security. Every new report about stolen intellectual property or a disruption-of-service attack against a large U.S. company drives this point home.
Making progress against our cyber adversaries is going to require a sustained, coordinated effort between the public and private sectors. And it is going to require the combined resources of many different government agencies and businesses. Acting alone, this Committee cannot make all of the changes needed to give our government and businesses the tools they need to make real progress on cybersecurity.
But there are some important steps we can and should take, such as promoting cybersecurity research and encouraging talented young people to work in cybersecurity. Probably the most important step we can take as a Committee is to make sure the technical experts at NIST stay engaged and working with the private sector to develop effective cybersecurity standards. If this process succeeds, our businesses and government agencies will have a powerful new tool to protect themselves against cyber attacks.
I would like to thank Senator Thune for working with me on this important issue. Since he became Ranking Member of this Committee at the beginning of this year, he has devoted a lot of time to learning about cybersecurity. Yesterday, we introduced legislation that we hope will serve as one of the cornerstones for our country’s cybersecurity strategy. I look forward to having a good conversation today about our bill, and about other things we can and should be doing to help protect our country from this threat.
###
Minority Statement
Senator John R Thune
Senator, U.S. Senate Committee on Commerce, Science, and Transportation
Thank you, Mr. Chairman, for holding this hearing, and for your continued leadership on cybersecurity. You brought this critical issue to the fore, and you have been steadfast in your commitment to addressing the problem. No one can deny the serious threat we are confronting in cyber space. Almost daily, we learn of new cyber threats and attacks targeting our government agencies and the companies that drive our economy. We must find solutions that leverage the innovation and know-how of the private sector, as well as the expertise and information held by the federal government. And, given the escalating nature of the threat, we should look for solutions that will have both an immediate impact and that will remain flexible and agile into the future.
In keeping with that task, in March, this Committee held a joint hearing with the Homeland Security and Governmental Affairs Committee not long after the president issued his Cybersecurity Executive Order in February. Today, we are here to examine the National Institute of Standards and Technology’s (NIST) implementation of that portion of the Executive Order pertaining to the cybersecurity partnership between the private sector and the federal government to improve best practices in cybersecurity. The feedback we have heard from many in industry regarding NIST’s process has been fairly positive so far.
We are also here to examine the legislation that Chairman Rockefeller and I have introduced, after soliciting feedback from industry stakeholders and our colleagues. I think this bill strikes the proper balance to ensure that what develops is industry-led and a true partnership between NIST and the private sector. It also ensures that NIST’s involvement, and this process, are both ongoing, in order to maintain the flexibility and continued innovation that is necessary to meet such a dynamic threat.
Our proposed legislation also includes needed titles to improve research and development. We should not underestimate the value of R&D. As I have mentioned previously, I’m proud to note that South Dakota’s own Dakota State University is one of only four schools in the nation designated by the National Security Agency as a Center of Academic Excellence in Cyber Operations. Other titles of our bill improve education and workforce development, as well as cybersecurity awareness and preparedness.
I am pleased that our offices worked with industry, fellow Senate colleagues, and other stakeholders to solicit and incorporate their feedback in crafting this legislation, and will continue to do so as we move forward. By following regular order in the committees of jurisdiction, we hope to avoid the legislative impasse from last Congress and ultimately enact legislation that will make real improvements to our nation’s cybersecurity. Our hearing witnesses today include the Director of NIST, and representatives from the private sector who can provide this committee with their perspectives on how the current NIST process is developing. I look forward to hearing whether our legislation is a step in the right direction to provide a partnership that is truly voluntary and industry-led.
I am also pleased that the Chairman and I both recognize that an essential component of cybersecurity is strong information sharing regarding threats. Such sharing should occur both between government and industry, and among private sector actors, with strong liability protections. It is our hope that our colleagues on the Senate Intelligence Committee will be successful in crafting bipartisan, consensus legislation that achieves these goals. As the Chair of the House Intelligence Committee has said, according to intelligence officials, allowing the government to share classified information with private companies could stop up to 90 percent of cyber attacks on U.S. networks. It is also our hope that the Senate Homeland Security Committee can similarly work in a bipartisan fashion to make needed improvements to the Federal Information Security Management Act in order to better secure our federal networks. If our committees can work to produce complementary consensus legislation, that will be a significant step forward in this area.
Again, I thank the Chairman for holding this hearing and I thank all of the witnesses for being here, and I look forward to hearing your testimony.
Testimony
- The Honorable Patrick D. Gallagher
  Acting Deputy Secretary, Under Secretary of Commerce for Standards and Technology and Director, National Institute of Standards and Technology, U.S. Department of Commerce
- Mr. Arthur W. Coviello Jr.
  Executive Chairman, RSA, The Security Division of EMC
- Mr. Mark G. Clancy
  Managing Director, Technology Risk Management and Corporate Information Security Officer, The Depository Trust & Clearing Corporation, on behalf of the American Bankers Association, Financial Services Roundtable, and Securities Industry and Financial Markets Association
- Ms. Dorothy Coleman
  Vice President on Tax, Technology, and Domestic Economic Policy, National Association of Manufacturers