How deep does NSA incursion at NIST go?

FCW published an article Sept. 6 in which sources questioned the integrity and trustworthiness of the National Institute of Standards and Technology following the release of top-secret documents showing the National Security Agency weakened a set of encryption standards adopted for worldwide use in 2006.

Readers expressed concern at the news, questioning whether the NSA's intervention was a one-time event or a frequent occurrence.

"So if our computer security standards are open to, let's call it 'tweaking,' I wonder what other standards that NIST regulates are 'tweaked?'" remarked one reader.

Another said, "So much for NIST's credibility. I noticed they ignored the good stuff brought to them, now we know why."

A reader identifying himself as William Frazier questioned why government agencies even bother to compare each other's security protocols when they're all apparently operating with subverted encryption standards promulgated by NIST and used in IT solutions mass-produced by vendors.

Another reader wondered how far down the rabbit hole NSA-tweaking extends beyond encryption standards.

Frank Konkel responds: NIST responded to the criticism on Sept. 10, reopening the standards for public scrutiny and stating "NIST would not deliberately weaken" standards it approves for adoption.

However, the key word here is "deliberately," and I agree with readers who believe NIST's credibility is now open to question. When a top-secret NSA document – leaked by former NSA contractor Edward Snowden – states directly that the NSA "became the sole editor" of the weakened encryption standards in question, what does that say about NIST?

Nobody has come out and claimed responsibility for the apparent weakness in standards, and it's unlikely anybody will. What is more likely is that the cryptographic community will work hard to expose the vulnerabilities – if any – and work to correct them in a widespread, yet sensitive endeavor. If vulnerabilities exist, patches will be made. But as several cryptographers have noted, the time between when a vulnerability is found and a patch is implemented is key.

Regardless, the revelations uproot the image of NIST as a "just the facts, ma'am" agency based on scientific principles, which is sad for federal agencies and worldwide commercial organizations that align their security standards with NIST recommendations. What role did NIST play in adopting the weakened standards?

The agency says none at all, and that raises questions in itself. How many other standards were adopted in the same fashion? Was NIST handcuffed by the NSA from discussing any kind of potential sabotage? How often does the NSA take the lead on standards for unclassified systems?

NIST regularly exposes its standards to public scrutiny in an effort to be a transparent organization, but if anyone at the agency knew the NSA deliberately or even inadvertently messed with standards, they sure didn't make a public fuss about it.

While the whole issue got lost in the NSA leaks story, the NSA's efforts to defeat encryption by any means necessary are one of the biggest stories to come from Snowden's flash drives. Perhaps there is more to come on that front, and if it involves more collaboration between NIST and the NSA, it may be more bad news for feds.

Posted by Frank Konkel on Sep 11, 2013 at 9:33 AM

Reader comments

Thu, Sep 12, 2013

While it is easy to speculate or fantasize about NIST collaborating with NSA, the point that is being missed is that NIST's statement is actually a bit of a middle finger to the NSA. When one agency is accused of weakening a standard and another says there is no way they'd ever do anything to support that, it suggests that there is a pretty big schism here and a real violation of the boundaries that the two have generally had in place. That may be the bigger story here.
