In Intro to Cyber Policy, I heard our guest lecturer say: “The National Institute of Standards and Technology is the Rosetta Stone of cybersecurity.”
Prior to the lecture, I had only a cursory understanding of the public policy role of National Institute of Standards and Technology, or NIST. I would not have thought of it as the key for deciphering how to provide robust cybersecurity.
In my Sanford cyber policy class taught by Professor David Hoffman, we learn in depth about the fundamentals of cyber technologies and threats, as well as their relationship to governmental policy. Through class and participating in a guest lecture with Ari Schwartz, I learned in depth about NIST’s role. After the lecture, I find the phrase “the Rosetta Stone of cybersecurity” to be precisely accurate and an appropriate metaphor for NIST’s function and impact.
During the lecture, I learned a significant amount about the role and value of NIST. NIST develops and documents best practices and standards for computer, cyber and information security and privacy. Besides creating the standards and frameworks for federal systems since 1977, other countries and the private sector recently have begun using NIST frameworks. NIST truly enables cultures all across the world to speak the language of risk management and cybersecurity.
I discovered that NIST is a nonpartisan agency. Their job is not to regulate or engage in politics. Mr. Schwartz explained that cybersecurity is most often a nonpartisan issue. Although there can be public differences in the parties’ positions, behind closed doors there is considerable collaboration and cooperation as both care equally about protecting our nation's security.
I also learned about the career path of Mr. Schwartz, who has been a leader in cyber policy for over two decades. He currently leads the cybersecurity risk management group at the Venable law firm. He previously was a member of the White House National Security Council, which is where he helped NIST develop and roll out the NIST Cybersecurity Framework. It was a fortunate opportunity to be able to learn directly from the person who created the Rosetta Stone of cybersecurity, and to have him explain NIST’s critical public policy role.
Mr. Schwartz’s conversation about NIST with our class led to a discussion about how Congress engages in cybersecurity. He shared that there are 27 subcommittees which look at cybersecurity. This means that bills regarding cybersecurity have to go through all of these committees and cannot be passed until there is wide agreement. Because of this committee process, it is difficult to pass cybersecurity legislation. In the absence of legislation, there is even more importance put on NIST’s role to develop standards to increase the level of cybersecurity.
NIST creates frameworks that any organization can use to translate its own specific situation to the available standards. In the absence of legislation, it is this translation role that fosters more robust cybersecurity. The recommendations from NIST provide adaptable measures that any company or agency can fit into their own work.
I am grateful Mr. Schwartz took the time to lecture to our class, and to introduce me to the Rosetta Stone of cybersecurity.
Olivia Levine is a junior at Duke University majoring in Public Policy Studies with a certificate in Innovation & Entrepreneurship. Olivia is interested in the intersection between technological innovations, especially in the healthcare field and in policy.