TMCnet News

NIST Review Report: NSA Has 'Undeniable Incentive' to Defeat Security of NIST Standards; NIST 'Negligent' in Security of Cryptographic Standard
[July 17, 2014]

(Targeted News Service Via Acquire Media NewsEdge) WASHINGTON, July 16 -- Rep. Alan Grayson, D-Fla. (9th CD), issued the following news release: Reports that the National Security Agency (NSA) intentionally weakened encryption standards established by the National Institute of Standards and Technology (NIST) prompted a review of NIST's cryptographic standards and guidelines development process. NIST develops cryptographic and encryption standards, which are incorporated into widely-used software and technology products, in order to protect our privacy and cyber security.



NIST's Visiting Committee on Advanced Technology (VCAT) has completed its review and released a comprehensive report, along with recommendations for improving NIST's development process. In the report, VCAT warns that "NIST should be very careful in its interactions with NSA regarding standards." The report's findings validate the efforts of Congressman Alan Grayson (FL-09), who recently passed legislation addressing NIST and NSA's relationship.

The report notes that NSA "can benefit from weaknesses in standards, especially if those weaknesses are not widely known outside NSA. Because of this, NSA has an undeniable incentive to influence [NIST's] standards in ways that allow NSA to defeat the standards' security." Grayson said the same thing last month when he passed an amendment to the Department of Defense Appropriations bill (H.R. 4870) to prohibit NSA from interfering with or weakening encryption standards promulgated by NIST. Grayson called NSA's subversion of NIST's standards "extremely dangerous" and noted that NSA's efforts rendered everyone's security vulnerable to exploitation. "It's naïve to imagine that if you introduce a weakness into a system you will be the only one to use it. My amendment would address this issue by prohibiting the intelligence community [which includes NSA] from subverting or interfering with the integrity of any cryptographic standard," he explained. The amendment passed unanimously and earned support from Citizens for Responsibility and Ethics in Washington, the Sunlight Foundation, and others.


VCAT's report also remarked that while NIST may consult with NSA for advice on cryptographic matters, "it must be in a position to assess it and reject it when warranted." "NIST itself, and the cryptographic community that looks to NIST's standards, must be able to conclude with confidence that NSA did not have any opportunity to undermine any NIST standard," the report explained. Grayson addressed this concern in a Science, Space, and Technology Committee markup when he passed an amendment removing the statutory requirement for NIST to consult with NSA in developing encryption standards. The amendment allows NIST to continue to consult NSA when necessary. The Huffington Post called Grayson's effort a "landmark amendment," while ProPublica wrote that it "puts NSA on notice over encryption standards." Access said the amendment would "help support data integrity by ensuring that the standards used to protect all internet users are not artificially weakened." The Center for Democracy & Technology hailed it as a "positive step that will help to restore the credibility and scientific objectivity of NIST." (https://cdt.org/blog/house-committee-moves-to-break-statutory-link-between-nsa-and-nist/)

The report also describes Grayson's letter to NIST, which requested information on the allegations, and observes that NIST's response "does not answer the question in the letter by Mr. A. Grayson on the response of NIST to the notification of the concerns by experts and the lacking response he received....[W]e can conclude that NIST has been negligent [with regard to] the security of SP 800-90A, but we have insufficient information to decide whether or not NIST was complicit in introducing a back door in this standard."

(c) 2014 Targeted News Service
