How deep does NSA incursion at NIST go?

FCW published an article Sept. 6 in which sources questioned the integrity and trustworthiness of the National Institute of Standards and Technology following the release of top-secret documents showing the National Security Agency weakened a set of encryption standards adopted for worldwide use in 2006.

Readers expressed concern at the news, questioning whether the NSA's intervention was a one-time event or a frequent occurrence.

"So if our computer security standards are open to, let's call it 'tweaking', I wonder what other standards that NIST regulates are 'tweaked'?" remarked one reader.

Another said, "So much for NIST's credibility. I noticed they ignored the good stuff brought to them, now we know why."

A reader identifying himself as William Frazier questioned why government agencies even bother to compare each other's security protocols when they're all apparently operating with subverted encryption standards promulgated by NIST and used in IT solutions mass-produced by vendors.

Another reader wondered how far down the rabbit hole NSA-tweaking extends beyond encryption standards.

Frank Konkel responds: NIST responded to the criticism on Sept. 10, reopening the standards for public scrutiny and stating "NIST would not deliberately weaken" standards it approves for adoption.

However, the key word here is "deliberately," and I agree with readers who believe NIST's credibility is now open to question. When a top-secret NSA document – leaked by former NSA contractor Edward Snowden – states directly that the NSA "became the sole editor" of the weakened encryption standards in question, what does that say about NIST?

Nobody has come out and claimed responsibility for the apparent weakness in the standards, and it's unlikely anybody will. What is more likely is that the cryptographic community will work hard to expose the vulnerabilities – if any – and work to correct them in a widespread, yet sensitive, endeavor. If vulnerabilities exist, patches will be made. But as several cryptographers have noted, the time between when a vulnerability is found and when a patch is implemented is key.

Regardless, the revelations uproot the image of NIST as a "just the facts, ma'am" agency based on scientific principles, which is sad for the federal agencies and worldwide commercial organizations that align their security standards with NIST recommendations. What role did NIST play in adopting the weakened standards?

The agency says none at all, and that raises questions in itself. How many other standards were adopted in the same fashion? Was NIST handcuffed by the NSA from discussing any kind of potential sabotage? How often does the NSA take the lead on standards for unclassified systems?

NIST regularly exposes its standards to public scrutiny in an effort to be a transparent organization, but if anyone at the agency knew the NSA deliberately or even inadvertently messed with standards, they sure didn't make a public fuss about it.

While the whole issue got lost in the broader NSA leaks story, the NSA's efforts to defeat encryption by any means necessary are one of the biggest stories to come from Snowden's flash drives. Perhaps there is more to come on that front, and if it involves more collaboration between NIST and the NSA, it may be more bad news for feds.

Posted by Frank Konkel on Sep 11, 2013 at 9:33 AM

Reader comments

Thu, Sep 12, 2013

While it is easy to speculate or fantasize about NIST collaborating with NSA, the point that is being missed is that NIST's statement is actually a bit of a middle finger to the NSA. When one agency is accused of weakening a standard and another says there is no way they'd ever do anything to support that, it suggests that there is a pretty big schism here and a real violation of the boundaries that the two have generally had in place. That may be the bigger story here.