Export Compliance Daily is a service of Warren Communications News.
Strongest Recommendations Possible

NIST Reopens Encryption Standards For Public Comment Following NSA Revelations

NIST is reopening the public comment period on its latest standards publication, said Director Patrick Gallagher. He said that’s in light of recent revelations that the National Security Agency introduced vulnerabilities into NIST standards to advantage NSA eavesdropping (CD Sept 9 p8). Gallagher said NSA’s work appeared to attack NIST’s integrity, which he said was “the most troubling” aspect of the revelations, speaking at an Amazon Web Services event Tuesday.

“NIST’s role is to support a technical understanding of the strongest, most secure computer security, including encryption, that we can,” Gallagher said. “We are not deliberately, knowingly working to undermine or weaken encryption technologies.” NIST reopened the public comment period on its 800-90 series on random bit generators. That includes recommendations for random number generation using deterministic random bit generators, for the entropy sources used for random bit generation and for bit generator constructions, said its website (http://1.usa.gov/16hSmoy). “NIST is interested in public review and comment to ensure that the recommendations are accurate and provide the strongest cryptographic recommendations possible.” The comment period is open until Nov. 6, it said. “If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible,” NIST said in a statement Tuesday (http://1.usa.gov/16hTatw). NSA had no comment.

“This is a fantastic development and exactly what I expected from NIST,” Joseph Lorenzo Hall, senior staff technologist at Center for Democracy & Technology, told us. “While it will be hard to fully recover from the recent allegations, I know many very good, dedicated folks at NIST who will factor this into their work and redouble their efforts to make the most secure standards and robust recommendations possible.” The revelations highlighted issues with the statutory requirement that NIST consult with the NSA on its standards setting, he said. “We should start a conversation about eliminating that statutory requirement.” NIST said it works with the NSA partly because of the statutory requirement and “because of its recognized expertise.”

Gallagher also highlighted the ongoing work at NIST to develop a cybersecurity framework, the last meeting for which takes place this week in Dallas. He encouraged industry attendees at the Amazon.com event to get involved with the drafting and implementation process for the framework, saying a successful framework would have to be the product of industry, not of the government. “If this is industry’s framework, and if this is about taking industry’s draft and making it better, that won’t happen if your companies and organizations don’t adopt it, try to use it and then participate in the corrective action and the follow up that’s there,” he said.

Gallagher also said public-private partnerships, like those used in developing the cybersecurity framework and those used in federal cloud computing initiatives, had the potential to “unleash enormous change” for the better. “This is how we can better serve our citizens, how we can address new challenges: Cure cancer, revolutionize research, provide high value at low cost, and really enable business,” he said. He said NIST is working to transform the federal government’s attitude toward security services, though the public sector presented a challenge. “It’s always harder to change an embedded culture than to create a new one,” said Gallagher. The “core touch point” of encouraging that transformation and those partnerships, he said, is trust between the public and private sectors.