What was an American government expert in cyber security for US infrastructure-related companies doing at a conference in Israel? Nathan Lesser, deputy director of the relatively new US National Cybersecurity Center of Excellence (NCCoE), is all about security and efficiency.
He and his agency, a unique laboratory for innovation, recognize that the US and Israel can benefit from each other’s expertise in the cyber arena.
Lesser said recently that on one hand, “Israel is using many of the new standards” in cyber security that his agency originated, and that on the other hand, for the US, it is “bad not to look outside your own borders for cutting edge” ideas.
Developing standards “to address intractable problems is an international effort,” he said.
What kinds of ideas does the NCCoE develop and where do they come into play? The agency, a division of the National Institute of Standards and Technology within the US Department of Commerce that has its “ancient” roots in working on railroad technologies, over time has become a standard setter for all government non-national-security-related systems as well as covering much of the US’s critical infrastructure.
Whereas the National Institute is the umbrella for setting standards, the relatively new NCCoE spin-off focuses on making standards more user-friendly and on making technology easier to bring into compliance with standards.
NCCoE’s cyber security standards are enforced by the Department of Homeland Security and the Office of Management and Budget across the non-national-security organs of the US government.
“Because companies like the standards, they also have been being adopted in the real world” outside of government, such as in the utilities, water, chemical, financial and healthcare sectors, Lesser said.
NCCoE tries to explore where the public and private sectors are overwhelmed by the pace of change and by the number of upgrades being offered in cyber security and technology generally, and to provide solutions to “barriers to adoption.”
Put differently, NCCoE tries to help groups upgrade in a way that fits their specific infrastructure and sector-specific dynamics while helping them understand which cyber technologies work best with those unique issues.
Many of these ideas could be exported to Israel.
An example from the US context would be cyber security solutions for addressing security and privacy of patients’ healthcare data on mobile devices when the devices must interact with other networks and electronic healthcare record systems.
The initial problem is that doctors could email or otherwise transfer data without fully internalizing the security pitfalls involved in data transfers.
To combat this issue, hospitals normally buy a particular system, which usually ties them down into a variety of applications.
Lesser said this setup of tying applications and add-ons to the system makes market pricing less efficient and makes it harder for hospitals to upgrade technologically in a new direction.
So if they want to upgrade, hospitals face three barriers: they are often not sufficiently educated to know how to judge what companies are selling them; installed technology and firewalls can handicap adapting new technologies; and hospitals worry that new technologies will not interface properly.
NCCoE would build a mirroring environment using technology and infrastructure similar to the hospital’s, to test and troubleshoot cyber security measures that the hospital might be interested in, so that the hospital can play out any issues risk-free and overcome the above barriers to advancement.
Lesser’s first cyber contact with Israel came through Israel’s Export Institute; he met with its representatives when Israeli Embassy and export institute officials visited NCCoE’s headquarters in Rockville, Maryland.
Ofer Sachs, CEO of the institute, thanked Lesser for his participation and invited him back for next year’s conference and for continued collaboration.