NRC report urges shift in info security policies

The National Research Council, in a report likely to have a significant influence on the ongoing information security policy debate, is calling on the government to align its national cryptography policy more closely with industry trends.

The document was the second report released in May to recommend greater cooperation with industry on cryptography issues [FCW, May 27].

Although the administration already has signaled an interest in working more closely with industry, the NRC report includes other, more controversial, recommendations. For example, it recommends that the government encourage widespread use of encryption in the private and public sectors, a move that would be a sharp turn away from current administration policy.

"The idea is to use market forces rather than fight them" in developing cryptography policy, said Herb Lin, NRC's senior staff officer and director of the report.

The report, "Cryptography's Role in Securing the Information Society," calls the eventual widespread use of encryption "inevitable" and recommends a policy that encourages a "judicious transition" toward the wide use of encryption in the public and private sectors.

The report represents the first broad consensus of cryptography stakeholders in government, industry and academia. Members of the committee that compiled the report include retired National Security Agency deputy director Ann Caracristi, Stanford University professor and co-inventor of public key cryptography Martin Hellman, and Citicorp senior technology officer Colin Crook.

Government policies have hindered, not helped, the development of a cohesive national cryptography policy, according to the report.

"The government has tried to push policies and standards that have been unpopular in the marketplace," Lin said. "That has retarded the development of consensus" on issues of cryptography policy.

Specifically, the government has restricted the types of encryption federal agencies can use and heavily regulated commercial encryption export, he said.

Overall, the report promotes widespread use of cryptography in the public and private sectors, criticizes the government's role in shrouding cryptography policy in secrecy and discouraging encryption use in the public sector, and recommends that 56-bit, non-escrowed Data Encryption Standard encryption products should be exportable.

Further, it supports federal agency use of widely used off-the-shelf encryption products and suggests that federal law enforcement should put more resources into understanding how cryptography works than into limiting its use nationally.

An administration official who asked not to be named called the report "useful," saying the administration agrees with all the recommendations relating to increased federal agency use of encryption.

"We definitely agree with the report as it relates to federal use," the official said. "The government should put its money where its mouth is."

However, the official said the administration was less likely to adopt some of the other report recommendations.

Most controversial is the issue of key escrow. The administration has banned the export of strong encryption software unless law enforcement can obtain a set of "escrowed keys" that enable decryption with a court warrant.

The report calls this policy "premature." However, the report recommends the government become an early user of escrowed encryption.

"We think the government should use the working government as sort of a test bed for something that is as yet an unproven tool," Lin said.

Because government policy hinders the use of strong cryptography both within the government and in the private sector, according to the report, the government "is actually opening the nation up to malicious attacks on its information systems."

Current government policy "impedes" industry and government from using "cryptographic tools that would help remediate certain important vulnerabilities," according to the report, which adds that the advantages of more widespread use of cryptography "outweigh the disadvantages."

