“It’s because I’m old”, he joked. “One accumulates these things.” Having worked in the information security field since 1966, with tenures in both the private and the public sector, Barker is a man with a lot of experience.
What brings him to the World Cyber Security Technology Research Summit? “The topics are very much of interest”, he said. Besides, “we’ve been communicating with the government here [in the UK] on a number of different cyber security issues.”
What is most useful about events like this, he explained, is the opportunity for unification and working together as an industry. “Each of our organizations has limited resources, and thus limited talents. NIST, for example, has about 100 individuals working on cyber security. The only way that we can make significant progress is by leveraging the expertise and resources of industry and our government partners.” The World Cyber Security Technology Research Summit and other similar events can help bridge this gap, Barker insisted.
Strength in Togetherness
“What does seem to be increasing”, said Barker, “is the number of touch points [people and the organisations within which they work] in the industry. Five years ago, working with the UK, there were one or two government organizations with which I might interact, and just a handful of individuals within that – so a limited set of contacts”. Now, he said, the industry has evolved to a significantly broader engagement. As a result, “the interaction between those who are doing usability research, those doing the graphic research, and the people doing biometric interoperability research has improved. People are sharing information and insights in a way that we simply weren’t doing five years ago.”
What’s fascinating, explained Barker, is the willingness of the hacking community to share their techniques with the information security community. Why? “They like talking about what they do, so long as it’s not admitting to a crime. They like to let people know what they’ve ‘accomplished’. Obviously, the broader the engagement we have, the better the understanding, and the better our ability to assign resources effectively.”
On top of his day job, Barker is also acting chief of NIST’s Information Access Division, and is the Department of Commerce Lead for the national strategy for trusted identities in cyberspace. Recently, he was also assigned to the Department of Commerce Office of policy and strategic planning as head of the cybersecurity and privacy coordination office. Infosecurity asked him how he keeps on top of so many roles and responsibilities. “Multi-tasking, primarily. I couldn’t live without my BlackBerry. There is a support organisation with technical support capability at NIST that is very accomplished. So long as I remember to reach back frequently, they keep me from appearing to be too stupid”, he laughed. “It really is a matter of engaging – and channelling – as much of the organization as possible, because they’re the people who actually know what they’re doing.”
The National Strategy for Trusted Identities
“In the cyberspace policy review, the President signed the document that identified a number of goals that needed to be met”, explained Barker. One of which is a new initiative for a trusted identities strategy. “The draft has been announced and circulated. I don’t believe the President has signed it yet, but we seem to be about there.”
The concept of the trusted identities in cyberspace, he explained, “is that it can be public sector government energised, but we want to use private sector mechanisms. What we need is to be able to facilitate these private sector organizations vouching for the authority of an individual to perform a task.
The one thing that Barker is insistent about is that the initiative should not be based on passwords. “I have more than 50 passwords that I’m supposed to remember, and I’m not that smart.” He reveals that they are looking at two factor authentication, but are undecided about the electronic mechanism. “Most aren’t practical on a very large scale. We suspect that we’ll end up using multiple form factors, but what more people seem to have is cellphones, so that’s an interesting technology to explore.”
NIST Cyber Security Program
Barker is directly responsible for planning, directing, and implementing the policies and programs of the NIST cybersecurity program. So, what exactly is that?
“It focuses primarily on the research that is necessary to develop standards and the development, co-ordination and promulgation of standards for cyber security”, explained Barker. “It focuses on a number of technical areas, including cryptography, network security, security controls and best practices, and then the development of tools, such as automated security policy enforcement mechanisms – the ability to automatically discover how your system is configured, and monitor that, are two examples.”
Interoperability is a major factor, he added. “We focus probably as much on interoperability as we do on the adequacy of the security mechanisms. We do independently initiated research into problems that we foresee. For example, we’re going to need more efficient and scalable key management standards and products going forward. We’re also trying to be responsive to national programs, and to co-ordinate those activities with their international counterparts”, he explained, giving the examples of cloud computing, and identification and authorisation, “without going to government-centric and heavy-handed activities such as national ID cards.”
NIST is also co-ordinating the work of the National Initiative on Cyber-Security Education. “We’re providing technical security expertise to people who are trying to enhance secure voting systems in response to the Help America Vote Act”, Barker explained.
That’s a lot of work for NIST’s cyber security division, which has roughly 75 staff and a further 25 contractors and other associates. “By leveraging the resources of other divisions within our laboratory, we’re able to increase the body of people that we’re applying to the cyber security. If I compare us to the US Department of Defence, we’re tiny. But if we scope our work carefully, we can usually maintain a fairly high quality output”, Barker concludes.