Congress divorces NIST and NSA

The US Congress has passed a bill that removes the NSA's direct input into encryption standards. According to a report at ProPublica, an amendment to the National Institute of Standards and Technology act removes the requirement that NIST consult with the NSA in setting new encryption standards. Following the Snowden …

COMMENTS

This topic is closed for new posts.
  1. Sanctimonious Prick

    Changes...

    NOTHING!!!

  2. Mephistro

    Too little, ...

    ... too late.

    The cynic in me reckons this as another -not too effective- damage limitation exercise, to give the false impression that the USA govt is doing something to clip NSA's wings and give American citizens, allies and foreign IT customers the wrong impression that the issues are being fixed. Because, as Sanctimonious Prick said, this changes nothing.

    They still can subvert the NIST and/or the companies that are implementing these crypto standards. As long as they have secret laws, secret courts and NSLs, nothing the Congress does makes any fucking difference.

  3. dan1980

    @Sanctimonious Prick

    Well, it might change something.

    The biggest problem here is the MOU between the NSA and NIST (1989) which means, amongst other things, that:

    • NIST must consult with the NSA on security evaluations.
    • NIST must accept NSA evaluations of trusted systems (without needing further evaluation).
    • Disagreements between NIST and the NSA are to be arbitrated by the National Security Council.

    Remember that this (being NIST) is for encryption/security for non-classified, non-defence systems, meaning that requiring NSA involvement is very much counter to the whole purpose of NIST embodied in the Computer Security Act (1987) which was to separate defence and government in this area.

    SO, separating the NSA and NIST may well go some way to working towards that goal - even if it is 25 years late . . .

    1. Don Jefe

      My concern is that the Computer Security Act, among other similar legislation, falls under the purview of those who oversee strategic national security policy. The same lot that redefined torture, made it a crime to report government bullying, sanctified the kidnapping and relocation of foreign nationals, justified reasons to ignore certain aspects of the Constitution and treat everybody like criminals and made it legal to hide changes in the law.

      I have little doubt that the NIST/NSA connection was just deleted from publicly accessible law. I suspect this is policy theater and nothing will be different.

      1. dan1980

        @Don Jefe

        Well, yes, that is the biggest issue to come out of 'all of this' - how can the government ever be trusted again?

        The answer is that they pretty much can't.

        I suspect, somewhat cynically, that whatever influence the NSA has over NIST, it will only be strengthened - likely by broad, vaguely-worded laws ostensibly implemented to curtail activities the public find to be an overreach, but with the actual effect of making nearly anything permissible.

        With such laws there are usually provisions that restrict certain activities to situations where a certain condition has been met. The problem appears when the condition is overly vague ("national security") and/or the assessment of that condition is handled in secret and without even the potential of oversight from the courts. Which is, of course, exactly what got everyone into this mess - laws which essentially say:

        "We have the power to do anything we want, so long as we decided that it is necessary."

        That only works where the body in question is a paragon of reason and sobriety and accountability supremely in touch with the will and morals of the people. Unfortunately for all of us, the US government is more like a child demanding that they 'need' a toy or a sweet.

      2. btrower

        No question it's theater. I wonder how many of the congress critters are on stage and how many in the audience.

        Re:"made it legal to hide changes in the law"

        I am pretty sure you know better, but for the record, they cannot actually make it 'legal' without changing the constitution and even then there are limits. Ultimately, legal force comes from the body politic. Keeping a law secret until the lawmaker decides to 'do the reveal' pretty much negates the whole notion of legality.

  4. Bartholomew

    R.I.P. NIST outside of the US.

    America is stuck with it, but the rest of the world is free to move on to better standards. And the US can adopt global security standards if they are allowed to by their Government, but they will probably not, for the sake of national security - In the land of the free to be spied on by the eternal eyes, or is that England ?

    1. E 2

      Re: R.I.P. NIST outside of the US.

      Yes, B, that's all true, but the USA can and does bring enormous pressure to bear on other countries to conform to USA crypto standards.

      As well, what is good for the goose is good for the gander: Russia, China, UK, etc all have exactly the same interest as USA when it comes to influencing peoples & corp's choice of crypto. All the gov'ts want us using broken crypto - it is not solely a USA thing.

    2. tom dial

      Re: R.I.P. NIST outside of the US.

      What US laws allow the government to exercise control over non-government cryptography? I don't mean to be snippy; however I am not aware of any such, although there may be legally established standards that companies are required to use to satisfy regulatory requirements or ensure against civil liability.

      1. Don Jefe

        Re: R.I.P. NIST outside of the US.

        Encryption is a 'dual use' technology and most of the things in that category fall under the purview of a combination of Department of Defense, Department of State and Department of Commerce oversight. Regardless of what (US) company created/owns the dual use technology or what its intended purpose is.

        I'm not sure if you remember, but it used to be that Internet Explorer with 128SSL couldn't be exported from the US without approval. Quite a few of the products we design and build require us to get approval before we start the design and build then seek approval for export before we ship (the pre-design approval isn't strictly required, but you only have to refund $1m+ because you can't deliver your product because it has been deemed dual use technology). It's kind of a pain, but at the same time it's one of the very few intrusive government policies I approve of.

        As a general guideline, you can assume that the more truly advanced and/or complex a product is the more authority our government has to dictate how, why and who is using it. Communications equipment, IT tech and weapons systems are fairly obvious, reasonable, inclusions. Less obvious are things like extremely high precision machining equipment, certain common chemicals in their stable states, some heavy equipment, some mineral exploration tech, lots of science related equipment, quite a lot of optical lens making technology, huge swaths of biomedical 'stuff', some agricultural tech as well as trade secrets and 'black patents' from many industries.

        There is definitely an element of protectionism in that trade secrets/black patents bit, but overall the system is beneficial to everyone on Earth. So very many things that are normally benign require nothing more than the willingness of a 'bad person' to use them for destruction.

        Don't know why you got downvoted. Your inquiry hits on an issue with global scope that is, with the exception of weapons, unfamiliar to the general public.

        1. tom dial

          Re: R.I.P. NIST outside of the US.

          I don't know what might have motivated your downvote either; it seemed a clearly stated and as far as I know accurate description of some of the export control restrictions.

          My question, partly rhetorical, was intended to point to the question of controls on the use of cryptography. PGP, upon a time, was illegal to export, despite being based on non-US cryptographic tools, but as far as I know was entirely legal for US residents to use, including in communicating with foreigners once the program was available elsewhere. Some countries (Wikipedia has a list) require licensing or otherwise restrict crypto systems; the US does not appear to do so, although it seems likely that if exchanging encrypted messages with the US government you would have to do it their way, and there could be civil liability attached to using unapproved crypto if it turned out vulnerable.

          For the US the black mark seems to be the Digital Millennium Copyright Act.

  5. E 2

    Whereas Linux is most popular OS for internet and cluster servers, and

    whereas the most popular role-based Linux security system is SELinux, and

    whereas SELinux was written by and donated to Linux kernel by the NSA;

    therefore how secure do you think the Internet is?

    1. frank ly

      After Heartbleed and other similar problems, I'd hope that many eyes are now looking over the crypto and security functions of Linux and its various distributions. At least people can do that if they want to.

  6. brooxta

    Confidence

    From the article:

    > In that light, anything that gives users confidence that their encryption isn't being backdoored can only be a good thing.

    I am not sure I agree. I think that would be a win for the NSA.

    Rather, anything that clearly demonstrates that encryption is not being backdoored can only be a good thing. Confidence comes as a result of "good things", it is not, in and of itself, a "good thing" in security terms.

    1. Anonymous Coward

      Re: Confidence

      As others have said the government(s) cannot be trusted. I thought that would have been pretty obvious to anyone who learned how to read.

      The interesting thing about this move is that the government themselves is admitting that they cannot be trusted. Cue civil wa... unrest. What's that? You can't drag yourself away from the TV? Or you just can't read? Or you just don't want to? (weeps)

  7. Suricou Raven

    We can trust some algorithms. The ones the NSA recommends to the US DoD and other important government agencies.

    If the NSA could break them, then the NSA would know that China is probably well on the way to breaking them, and if the NSA knew that then they wouldn't be advising the rest of the US government to use them - especially the military side.

    Of course, civilian implementations of those algorithms may still contain deliberate insecurity and back doors.

    1. Duncan Macdonald

      I doubt it

      The NSA probably wants to read all the DoD secrets along with those belonging to everyone else.

      1. John Smith 19

        Re: I doubt it

        "The NSA probably wants to read all the DoD secrets along with those belonging to everyone else."

        True.

        But probably not because they have broken the crypto.

        As a recent presentation by (IIRC) a Swedish researcher put it SOP is to circumvent the crypto in the first place.

        The lock on the front door is solid.

        Too bad the door is fibreboard in a sheetrock frame.

      2. Anonymous Coward

        Re: I doubt it

        Yes, the NSA are also likely to have acquired the master key of the EU blue-light communications system (TETRA, known as Airwave in UK)

        As the first users of Airwave in the UK were allegedly the UK Intelligence Agencies, Special Branches etc, then presumably Ft. Meade really just wants to take it all, everything, ALLES, TUTTO, Всё или ничего!

    2. Anonymous Coward

      Military secrets are protected with violence and disinformation - not encryption. That's too complicated for the blood thirsty DOW.

  8. Anonymous Coward

    A step forward, but...

    A) Are there NSA operatives in the NIST? Wouldn't put it past them.

    B) Even if this is actually put in place, will there be significant pressure on the NIST to voluntarily coordinate with the NSA? The military/industrial complex has lots of friends in positions of power in DC.

    C) And what about the private IT security industry? Are they going to be influenced into watering down future encryption standards through the large number of NSA alums in the industry, or good old-fashioned awards of defense contracts in return for inserting vulnerabilities?
