This past Wednesday, the House Committee on Science, Space, and Technology approved an amendment to a bill that, if enacted, would remove the statutory requirement that the National Institute of Standards and Technology (NIST) consult with the National Security Agency (NSA) in developing information security standards. This is a positive step that will help to restore the credibility and scientific objectivity of NIST.
The amendment (PDF), offered by Rep. Alan Grayson (D-FL), came as an addition to the FIRST Act, a bill to support science and research. The amendment deletes the requirement in federal law (15 U.S.C. 278g–3(c)(1)) that NIST must consult or coordinate with the NSA when developing information security standards, effectively making such consultation voluntary.
It is especially crucial that NIST be independent from the NSA given recent revelations.
It is especially crucial that NIST be independent from the NSA given recent revelations. Last September, the computing and cryptographic communities were dismayed to learn that the NSA had been working to undermine encryption products and their underlying standards, including planting a backdoor in a NIST cryptographic standard. The NSA has historically played a crucial role in supporting NIST’s cryptographic standards process with mathematical analysis and computation from NSA’s world-class cadre of mathematicians and cryptographers. However, the NSA has apparently abused this relationship and compromised key standards. In the face of past subversion by the NSA, NIST must be wary of NSA participation in standards processes and certainly there should be no statutory requirement to work with the NSA any more than NIST works with other stakeholders.
There is a subtle distinction made here that we are glad to see: the Grayson amendment does not prohibit NIST from working with NSA but removes the requirement that NIST consult with NSA on future standards. Not all interactions between NIST and NSA are by definition problematic; in fact, there are certain kinds of expertise within NSA to which NIST should have access as NIST develops guidance and standards. But NSA should not receive special treatment; in fact, NIST should ensure that the NSA is treated, for the most part, like just another stakeholder in the standards process, albeit one for which a heightened standard for transparency should apply, as we have argued in recent comments to NIST on its cryptographic standards review process.
Moreover, to ensure that NIST’s collaboration is focused on strengthening, and not undermining, cryptographic standards, NIST needs an information assurance partner in the government and not a cyberspy partner. Right now, NSA is both. NSA’s information assurance function should be removed from the NSA and placed at the Department of Homeland Security, a civilian agency that already has a significant cybersecurity mandate from Congress. This would give NIST a civilian partner, with strong expertise and a mission focused on cybersecurity. This would help build trust in its collaborative efforts. The President’s Review Group made a similar recommendation to split off from NSA its information assurance function, but the Review Group would have placed it within an element of the Department of Defense, as opposed to DHS (see p. 179 of the Review Group’s report).
The Grayson amendment passed Wednesday to remove requirements that NIST work with the NSA is definitely a step in the right direction. NIST’s reputation for unfailing precision and freedom from bias has been eroded, and amending FISMA in this manner will compliment recent efforts at NIST to re-evaluate all of NIST’s cryptographic standards with help from an independent committee of the world’s leading cryptographers and computer security experts. We believe only an independent NIST can focus on creating the most efficient, strong, and versatile cryptographic standards possible.