Information Technology Lab (ITL) at NIST
January - March 2023 Newsletter
NIST Risk Management Framework Aims to Improve Trustworthiness of Artificial Intelligence
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has released its Artificial Intelligence Risk Management Framework (AI RMF 1.0), a guidance document for voluntary use by organizations designing, developing, deploying or using AI systems to help manage the many risks of AI technologies.
The AI RMF follows a direction from Congress for NIST to develop the framework and was produced in close collaboration with the private and public sectors. It is intended to adapt to the AI landscape as technologies continue to develop, and to be used by organizations in varying degrees and capacities so that society can benefit from AI technologies while also being protected from their potential harms.
CULTIVATING TRUST IN IT AND METROLOGY
FEATURE STORIES
If you own a computer, watch the news, or spend virtually any time online these days, you have probably heard the term “phishing.” Never in a positive context…and possibly because you have been a victim yourself.
Phishing refers to a variety of attacks that are intended to convince you to forfeit sensitive data to an imposter. These attacks can take a number of different forms, from spear-phishing (which targets a specific individual within an organization) to whaling (which goes one step further and targets senior executives or leaders). Furthermore, phishing attacks take place over multiple channels or even across channels, from the more traditional email-based attacks to those using voice (vishing) and those coming via text message (smishing). Regardless of the type or channel, the intent of the attack is the same: to exploit human nature to gain control of sensitive information (citation 1). These attacks typically make use of several techniques, including impersonated websites, attacker-in-the-middle, and relay or replay, to achieve their desired outcome.
Perhaps you’ve been hearing about data analytics, which is being promoted as a way for even small businesses to analyze communications with customers, enhance customer experience, save money, and ultimately improve your brand. However, data analytics can have big privacy implications. You may think of managing privacy risk as protecting sensitive customer information, such as credit cards. As the Venn diagram to the right demonstrates, data security is certainly one aspect of privacy risk, but privacy risks can also arise by means unrelated to cybersecurity incidents. People can experience problems or adverse effects simply from the way organizations use data for business purposes. These “privacy events” can result in a range of problems from customer embarrassment if information is revealed that they didn’t anticipate, to more tangible harms, such as discrimination or economic loss.
STAFF SPOTLIGHT
Dr. Danielle Middlebrooks
Congratulations to Dr. Danielle Middlebrooks (ACMD), who has been named an MGB-SIAM Early Career Fellow. Established in 2021 as a joint program of Mathematically Gifted and Black and the Society for Industrial and Applied Mathematics, the program selects Fellows based on their exemplary achievements; support of diversity, equity, and inclusion in their community; and commitment to industrial and applied mathematics, computational science, and data science. Fellows organize minisymposia at SIAM conferences and give featured talks at SIAM events, with the goal of helping the Fellows experience continued success in the research community.
SUCCESS STORIES
Lightweight electronics, meet the heavyweight champion for protecting your information: Security experts at the National Institute of Standards and Technology (NIST) have announced a victor in their program to find a worthy defender of data generated by small devices. The winner, a group of cryptographic algorithms called Ascon, will be published as NIST’s lightweight cryptography standard later in 2023.
The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators. They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles. Devices like these need “lightweight cryptography” — protection that uses the limited amount of electronic resources they possess. According to NIST computer scientist Kerry McKay, the newly selected algorithms should be appropriate for most forms of tiny tech.
NOTABLE QUOTES
“Small devices have limited resources, and they need security that has a compact implementation. These algorithms should cover most devices that have these sorts of resource constraints.”
-Kerry McKay, NIST computer scientist, ITL