The National Institute of Standards and Technology (NIST) should remain a neutral broker in developing standards to support public and private sector cyber security efforts and should not take on the role of an auditor to ensure federal agencies are complying with an existing cyber-risk management framework as called for in proposed congressional legislation, the former chief information security officer (CISO) of the United States told a House panel last week.

Greg Touhill, who served as the U.S. CISO during the last five months of the Obama administration, said he’s all for auditing and compliance of federal agencies’ adherence to the three-year-old NIST Cybersecurity Framework, which is being voluntarily adopted by private sector entities to help them understand and manage their cyber security risks.

Greg Touhill, former U.S. chief information security officer. Touhill currently teaches at Carnegie Mellon Univ. as adjunct faculty. Photo from Touhill’s Linkedin account.

But NIST isn’t the “best place” to house the auditing and compliance function as “it doesn’t have the culture, it doesn’t have the mission, it doesn’t have the personnel to do it as effectively as the existing inspector general and auditing functions,” he told a panel of the House Science and Technology Committee that brought together its oversight and technology subcommittees.

In his prepared remarks, Touhill said that directing NIST to audit agencies “changes their writ and perceptions about NIST’s current and future roles,” and cited one of his “senior colleagues” in government as saying the move would have “‘a chilling effect’ [on] many of the relationships NIST has within the government and industry.”

The NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R. 1224) introduced in the House in February contains section 20B, which directs NIST to audit federal agencies’ compliance with the 2014 NIST Cybersecurity Framework. The bill also contains section 20A, which calls for NIST to promote the framework across federal civilian agencies as part of their information security risk management efforts.

The bill exempts National Security Systems from the framework although Touhill said this is a mistake as the standards and best practices “apply equally to all systems.” Touhill, who worked on cyber security operations at the Department of Homeland Security before taking on the CISO job, is currently on the adjunct faculty of Carnegie Mellon Univ.

NIST is part of the Commerce Department.

The hearing was held to learn lessons from the recent WannaCry ransomware attack that mostly hit computer systems in foreign countries. While initial reports have put the infected computers and networks in the hundreds of thousands, Salim Neino, CEO of the cyber security firm Kryptos Logic, said between one and two million systems may have been affected before a kill switch was activated.

It was a Kryptos Logic employee who, in early May, discovered the kill switch found within the virus. Even so, Neino told the panel, the virus is still attempting to infect systems worldwide, pointing to a hospital on the East Coast of the U.S. that was the target of about 275,000 infection attempts over two days earlier in June. Those attempts and others have been thwarted because the kill switch is still in effect, Neino said, adding that the WannaCry virus is self-propagating.

North Korea is reportedly behind the WannaCry virus, although Neino said that the attack showed that “vulnerabilities exist at virtually every level of our computer infrastructure, ranging from operating systems to browsers, from media players to Internet routers” and the barriers to entry in exploiting these vulnerabilities are “surprisingly low.” He said “rogue teenagers, nation states, and everyone in between” can exploit these security gaps.