Several years ago, when he worked in the private sector, Jeff Greene attended the ribbon-cutting for the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence. Now, he’s just over two months into his new job as the director of the government-industry collaboration hub.
Greene talked with Fifth Domain by phone on April 10 about some of his goals for the NCCoE as well as a few projects he’s most excited about.
What are some of your short-term goals for NCCoE?
I’d say the biggest thing is, in the simplest terms, I don’t want to mess anything up. The center — they’ve done a lot of good work, continue to do good work. So whatever I do there in my current role, I want to make sure that it is an evolution and complementary.
You know, I was not brought in to blow things up because the place is going well. Also, I’m taking my time to make sure I get to know [NCCoE]. I knew the NCCoE well from the outside because my company was a partner and we worked closely. I was at the ribbon-cutting at this building six years ago, but everything is always different on the inside. And it’s easy to say: “Hey, why do they do that?” But you have to believe there’s a reason and learn why.
So I’m taking my time to understand how we got where we are. I would say probably the biggest single thing that — and this is something I thought going in, it was affirmed at the RSA [cybersecurity conference where] I met with a bunch of partners — there’s a strong desire for us to move more quickly, whether it is to put the practice guides that we’re doing now to put them out more quickly to try to get them out in an agile format, or to come up with new types of products that we can push out more quickly.
Also a push for simplicity. Forty-page documents are hard to digest, even for the security professional. There’s a definite need for them, particularly if we’re going to describe a build down into the very technical details. Those will always be needed. But to see if we can distill down some of the key points into shorter documents, maybe look at multimedia, other ways. So all of that, again, I think is built on top of the work that the center is doing.
Probably the biggest short-term thing from my perspective is trying to develop some new types of products and get some thinking out there if we need to be a little more nimble and responsive to immediate, pressing needs. You know, recently we put up a couple of blog posts on telework and virtual meeting security because we thought there’d be a demand. And we’ve seen really good traffic and interest in that. So I’ve been happy to be able to get those things going. But the folks at the center and at NIST more broadly have been really open, excited about all these ideas. So it’s made it really easy.
When you say new products, what do you mean?
Traditionally we put out Special Publication 1800 series; these are our practice guides, looking at whether we can do more whitepapers, even blogs. NIST has an incredibly high standard and a very well-earned reputation for precision and accuracy. We don’t want to rush anything out.
I talked about multimedia: Just take the virtual meetings security blog that we put out. You know, we reached out to our partners to get their feedback on whether they thought something was needed and then what some best practices are. So we did a quick literature survey and put together [a document]. It’s not NIST guidance, it’s not a mandate, but it’s: “Hey, here are some things you really need to think about for doing virtual meetings.” We got that out in blog format pretty quickly. NIST put together a video to go along with it.
What other projects are you most excited about in the next year?
The zero-trust architecture piece. I think that is incredibly exciting from a security standpoint. Zero trust basically is the idea of you’re constantly validating, it is designing a system where you assume compromise and you’re always checking. We put out, I think, the project description on the zero trust that’s gone public now for feedback. And that’s something that when I was in the private sector, my old company [was] very focused on — a lot of companies are. It was a big topic of discussion at RSA, and I think the government is looking at it closely.
So for NIST through the NCCoE to step in and say, “Here is one, and there are many meanings to it,” we can say, “Here’s how we’ve used your own trust, and here’s how we’ve shown how you can do it across the federated system.” I think it could be really useful. I don’t know that anyone will build exactly what we built, but there will be pieces of it that they can take and use.
I think we’re starting up some artificial intelligence security efforts, I think that’s going to be important. We just published a notice on our 5G project. 5G is coming, there’s a lot of work to be done. It’s going to touch every corner of our lives. It’s not just going to give you faster videos on your phone. That’s what most people will see, but that’s the smallest part of it. It’s driverless cars and everything.
The other big thing is quantum. We’re going to be putting up something soon. We’re working on post-quantum encryption. And the big thing there is, you know, we don’t know what the algorithms are; big NIST is working on that, and it’s made some great progress. But introducing new crypto algorithms is a lengthy process. So there are things that organizations can start doing now. So we’re looking at whether we can do a project or build some guidance on: “Here’s what you can do now to short-circuit what historically has been a 10- to 15-year process.” Because once [quantum] hits, it’s important to transition over — [otherwise] you’re not going to have secure communications. And the simple thing is identifying where you’re using crypto throughout all the facets of your system, [which is] important. So we have some of our really smart folks digging into that right now. That’s not particularly sexy, but that is a foundational piece that I think is going to be essential to security and privacy going forward.
Is there anything that you’ve learned or has surprised you about your new job so far?
Any organization, particularly one that’s been around for a little bit, in my experience is very resistant to change. I’ve been really surprised how not just open but how excited about new ideas the NIST leaders I’ve worked with and the NCCoE managers are. Maybe it’s the science because they’re all scientists, but there has been very little of the: “We’ve always done it that way.” And it’s been more: “Huh, let’s think about that. How do we do that?” So the things that I think that I want to do going forward, people are excited about trying things out. So that’s been really exciting to me.
Andrew Eversden covered all things defense technology for C4ISRNET. Beforehand, he reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.