House Moves to Sever Crypto-ties Between NSA and NIST

After news broke of the NSA’s crypto-meddling, NIST recommended that its elliptic curve specification no longer be used in light of how involved the NSA was in developing it

A US House committee has moved to sever the tie between the National Institute of Standards and Technology (NIST) and the National Security Agency, in an effort to isolate cryptography development from the spy agency.

Rep. Alan Grayson, D-Fla., introduced an amendment to the Frontiers in Innovation, Research, Science and Technology Act, or FIRST Act, within the House Science and Technology Committee. The amendment deletes the requirement in federal law (15 U.S.C. 278g–3(c)(1)) stating that NIST must consult or coordinate with the NSA when developing information security standards. In effect, the two would now work together on a strictly voluntary basis.

About eight months ago, Edward Snowden leaked documents detailing a $250 million per year NSA project called “SIGINT Enabling,” whose goal is to secretly undermine encryption standards. The stated goal of that effort according to the documents is to “use the agency’s influence” within the peer-review process to weaken the encryption standards that NIST and other standards bodies around the world publish. Presumably, this makes it easier for NSA to gain access to sensitive information within the organizations that use those standards.

“These are serious allegations. NIST, which falls solely under the jurisdiction of the Science, Space, and Technology Committee, has been given ‘the mission of developing standards, guidelines, and associated methods and techniques for information systems’,” Grayson wrote in a letter to the House committee. “To violate that charge in a manner that would deliberately lessen encryption standards, and willfully diminish American citizens’ and businesses’ cybersecurity, is appalling and warrants a stern response by this Committee.”

He added, “Many businesses, from Facebook to Google, have lamented the NSA's actions in the cyber world; and some, such as Lavabit, have consciously decided to shut their doors rather than continue to comply with the wishes of the NSA. Changes need to be made at NIST to protect its work in the encryption arena.”

After news broke of the NSA’s crypto-meddling, NIST recommended that its elliptic curve specification no longer be used in light of how involved the NSA was in developing it. “Eventually, NSA became the sole editor,” as Infosecurity previously reported. Vendors followed suit, with RSA “strongly recommending” that its developers discontinue use of the NIST-developed cryptography. In addition, Silent Circle shut down its secure mail service, which used NIST encryption standards.

In November 2013, NIST announced that it would be conducting an internal review of all of its cryptographic standards and peer-review development process in the wake of revelations that the NSA has been able to weaken its encryption algorithms to carry out surveillance.

As part of that pledge to review all of its cryptographic standards and its peer-review development process, and after a two-month public comment period, NIST’s primary advisory committee, the Visiting Committee on Advanced Technology (VCAT), began that review in mid-May.

Meanwhile, the legislation will move forward. “Today’s amendment will help support data integrity by ensuring that the standards used to protect all internet users are not artificially weakened,” said Access Now’s Amie Stepanovich in a blog post. “We applaud the Committee’s adoption of this amendment and hope that Congress will take this as an opportunity to further study the extent of NSA’s attempts to undermine internet security.”

The bill must be passed by the full House of Representatives and the Senate before it can be signed into law.

“If this amendment passes, standards will still be promulgated at the highest levels of quality by NIST, and the NSA will still be consulted when needed,” Grayson said. “But subversive actions and overreach by one agency into another will not be tolerated.”
