The Lawfare Podcast

Bryan Choi on NIST's Software Un-Standards

The Lawfare Institute

History, Military, International Relations, Government, Constitutional Law, News, International Law, Current Events, Politics, Rule Of Law, Law, Foreign Policy, Diplomacy, National Security, Intelligence, Terrorism

🗓️ 7 March 2024

⏱️ 47 minutes

Summary

Everyone agrees that the United States has a serious cybersecurity problem. But how to fix it—that's another question entirely. Over the past decade, a consensus has emerged across multiple administrations that NIST—the National Institute of Standards and Technology—is the right body to set cybersecurity standards for both the government and private industry. Alan Rozenshtein, Associate Professor of Law at the University of Minnesota and Senior Editor at Lawfare, spoke with Bryan Choi, who argues that this faith is misplaced. Choi is an associate professor of both law and computer science and engineering at The Ohio State University. He just published a new white paper in Lawfare's ongoing Digital Social Contract paper series exploring NIST's history in setting information technology standards and why that history should make us skeptical that NIST can fulfill the cybersecurity demands that are increasingly being placed on it.

Support this show http://supporter.acast.com/lawfare.


Hosted on Acast. See acast.com/privacy for more information.

Transcript

0:00.0

The following podcast contains advertising.

0:04.0

To access an ad-free version of the Lawfare Podcast,

0:08.0

become a material supporter of Lawfare at Patreon.com slash Lawfare. That's Patreon.com

0:16.4

slash Lawfare. Also check out Lawfare's other podcast offerings, Rational Security, Chatter, Lawfare No Bull, and The Aftermath.

0:55.0

I don't think about. That's the basic framework that NIST has adopted for cyber security, software security, and AI. They've said, you shall

1:15.8

plan out, right, what are the risks? You shall then measure or detect when the

1:22.3

risks occur,

1:24.1

and then you shall remedy or mitigate

1:28.0

the harm that arises once these events happen.

1:32.2

And it's a dramatic shift, right?

1:34.6

It's a pivot from where the types of standards

1:38.0

that NIST was pushing out in the 60s and 80s,

1:41.5

where they were really trying to standardize and unify the way that

1:45.4

software developers did their jobs. Now it feels like it's a pluralistic do

1:51.5

whatever you want to do and we're going to try to come up with

1:54.7

vocabulary that unifies what you're doing but it's not actually trying to tell you

1:59.2

to do the same thing. I'm Alan Rozenshtein, Associate Professor of Law at the University of Minnesota and Senior Editor at Lawfare, and this is the Lawfare Podcast for March 7, 2024.

2:10.0

Everyone agrees that the United States has a serious cybersecurity problem, but how to fix it, that's another question entirely.

2:17.0

Over the past decade, a consensus has emerged across multiple administrations that NIST, the National Institute of Standards and

...

Disclaimer: The podcast and artwork embedded on this page are from The Lawfare Institute, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of The Lawfare Institute and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.