June 10, 2014 | By Nadia Kayyali

Looks Like the NSA May Lose Its Standing Invitation to Weaken Encryption

There has been plenty of bad news when it comes to NSA spying, so it’s encouraging when the news is good. At the end of May, the House Committee on Science, Space, and Technology signaled the beginning of the end for NSA’s effort to undermine encryption, passing an amendment that extricates the NSA from the National Institute of Standards and Technology’s (NIST) work on encryption standards.

In September of last year, ProPublica, the Guardian, and the New York Times broke the story that the NSA had systematically “circumvented or cracked much of the encryption, or digital scrambling” that protects the Internet, “collaborating with technology companies in the United States and abroad to build entry points into their products.”

What’s worse, in December Reuters revealed that security giant “RSA received $10 million [from the NSA] in a deal that set [a purposefully flawed] NSA formula as the preferred, or default, method for number generation in the BSafe software.” 

NIST is statutorily charged with developing computer security protocols, including encryption standards. Until now, the law has also required NIST to consult with the NSA on those standards. Following the revelations that the NSA had deliberately undermined NIST standards, weakening security across the Internet, it has become obvious that the NSA’s continued participation in the process would serve only to reduce trust in NIST’s work.

The concerns about this relationship are not imagined. In fact:

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body… Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency.

Fortunately, someone in the House is paying attention. Rep. Alan Grayson offered an amendment to HR 4186, the Frontiers in Innovation, Research, Science, and Technology Act of 2014 (FIRST Act) during markup of the bill by the House Committee on Science, Space, and Technology. The FIRST Act is primarily a science-funding bill. But at over 100 pages, the bill contains a number of substantive provisions—including this amendment.

As Grayson describes it, his amendment:

removes the mandate that NIST consult with the NSA on encryption standards. NIST is in no way precluded from interacting with the NSA as a result of this amendment, but the message will be clear—an agency that subverts the legitimate work of another agency will face consequences.

It is the last line of Rep. Grayson’s statement that deserves close attention here. He has set an example that the rest of our lawmakers would do well to follow. It’s time for Congress to take the constitutional system of checks and balances seriously again. We know that the NSA has bitterly fought any real accountability to the public and to the Hill. But there are ways in which Congress can fight back—and they should do so with every single tool available. Legislation that directly affects the NSA’s authority to spy is one. This is another.

With what we’ve learned about NSA spying over the last year, there’s simply no excuse for Congress not to take action at this point. Our hats are off to Grayson for standing up for strong encryption standards.

