Eight months after an explosive revelation that encryption standards developed and evaluated by the National Security Agency were allegedly subverted by the intelligence outfit, a House committee has moved to sever the NSA’s involvement in the standards process.
An amendment to the Frontiers in Innovation, Research, Science and Technology Act, or FIRST Act, passed by the House Committee on Science, Space, and Technology late last week strikes the bill's requirement that the NSA and the National Institute of Standards and Technology (NIST) work hand-in-hand on encryption standards.
Documents taken by former NSA contractor Edward Snowden allege that the NSA deliberately weakened, or inserted backdoors into, crypto standards and libraries used by government agencies, private companies and software vendors worldwide in order to conduct surveillance on Internet traffic.
The bombshell came last September when the New York Times, the Guardian and ProPublica reported that the Dual EC DRBG algorithm, which cryptographers had suspected of harboring a backdoor since 2007, did contain an NSA backdoor. NIST soon recommended that developers stop using the algorithm, and RSA Security followed suit, revealing that Dual EC had been the default random number generator in its BSAFE crypto libraries. RSA came under far heavier scrutiny three months later when a Reuters report alleged that the company had taken a secret $10 million contract from the NSA to make Dual EC the default in BSAFE.
Rep. Alan Grayson, D-FL, offered the amendment to the committee on May 20 asking that the requirement that NIST consult with the NSA be stricken from the FIRST Act.
“If this amendment passes, standards will still be promulgated at the highest levels of quality by NIST, and the NSA will still be consulted when needed,” Grayson wrote in his letter to the House committee. “But subversive actions and overreach by one agency into another will not be tolerated.”
ProPublica reported that Grayson will continue to pursue reforms related to NIST's relationship with the NSA. The bill must still pass the full House of Representatives and the Senate before it can be signed into law.
The Snowden revelations about the alleged NSA subversion of crypto standards kicked off speculation and worry that NIST had lost the trust of technology companies and implementers and that regional standards could pop up, damaging interoperability and security.
“The U.S. has had an enormous influence on crypto around the world because we have NIST,” Johns Hopkins professor and cryptography expert Matthew Green told Threatpost in September. “You could see people break away from NIST, which would hurt everyone, and move to regional standards. That stuff is a problem.
“We trust NIST because there are a lot of smart people there. If you split up into regions, it’s possible things could get less secure,” Green added. “You could end up with more vulnerabilities; standards get weaker the less effort you put into it.”
Bruce Schneier agreed at the time that scrutiny would tighten on NIST.
“The fact is, NIST has been tarnished badly, and we really need them,” he said. “This is the biggest problem: The NSA has broken the fundamental social contract of the Internet.”
NIST, however, has been actively cleaning up its own house since the revelations. In November, the standards body said it was initiating a review of its cryptographic standards development processes, and last month removed Dual EC DRBG from NIST’s draft guidance on random number generators.