Congress on verge of major cuts to key cryptography agency


Update June 11: The Senate Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies has approved an increase in NIST funding above last year’s allocation, but below the amount requested. While Access would like to see NIST fully funded, we applaud the Subcommittee for recognizing the important role NIST plays in network security.

The U.S. House of Representatives passed a new funding bill yesterday that could undermine the development of internet security and privacy standards while increasing funding for the Federal Bureau of Investigation (FBI), which has advocated for weakening encryption. It next goes to the Senate.

The bill, known as the Commerce, Justice, Science, and Related Agencies Appropriations Act (“CJS Appropriations”), funds the National Institute of Standards and Technology (NIST) well below the amount requested, and even below last year’s budget. NIST, among other duties, has branches that establish cryptographic standards critical to cybersecurity, conduct research on privacy engineering and risk analysis, and oversee the U.S. federal strategy on internet identity authentication. The lack of funding could directly impact the agency’s ability to operate these programs.

Fortunately, the bill also includes a number of new limitations to restrict intelligence agencies from weakening technology — potentially the first post-USA FREEDOM Act limits to surveillance. However, the overall makeup of the bill reflects the fact that there isn’t yet consensus in Congress for supporting security standards that are critical for protecting our privacy online.

The increased funding for the FBI is troubling. FBI leadership has called for companies to place “backdoors” in otherwise encrypted technologies and products, a practice that would make everyone less secure in their interactions and communications. One FBI leader went so far as to claim at a recent congressional hearing that strong encryption standards are hindering the ability to track members of the Islamic State of Iraq and Syria (ISIS). The problem [PDF], of course, is that weakening encryption impacts everyone, including journalists, activists, and everyday people using banking, health, and communication applications online.

There are a number of positive amendments included in the CJS Appropriations bill that appear as a bright spot on an otherwise dark security horizon. An amendment offered by Representatives Zoe Lofgren and Ted Poe restricts the use of funds for the FBI to insert vulnerabilities in technology to enable surveillance. Representative Massie advanced another amendment [PDF] to prohibit NIST consulting with the NSA or Central Intelligence Agency (CIA) that would effect a weakening of encryption or computer standards.

The amendments come in response to reports that intelligence agencies have worked to weaken encryption standards. In one case, the NSA paid security firm RSA $10 million to use a vulnerable cryptography system. The NSA has also interfered to weaken NIST standards. Though NIST is required by law to consult with the NSA, NIST leadership has called the inclusion of weak standards a “mistake.” The NSA has dual missions, to defend information systems and to produce intelligence, and those two missions often come into conflict.

A new report by David Kaye, the UN Special Rapporteur for the Promotion and Protection of the Right to Freedom of Opinion and Expression, shows how encryption is fundamental for security and privacy online, and strongly rejects the intentional weakening of cryptographic standards. In the report, Special Rapporteur Kaye says, “[g]iven its widespread and indiscriminate impact, back-door access would affect, disproportionately, all online users.“ The report speaks directly to efforts in the U.S., calling on lawmakers to consider legislation to protect encryption against interference from intelligence agencies.

When the Senate takes up to bill, representatives should vote not only to fully fund NIST, but also to expand its resources in light of the observations that have been made about other agencies exerting undue influence over its important work. Congress should work as whole to permanently limit interferences with security standards by passing a law outside of the budget process. This would ensure that the provisions won’t need to be reconsidered every year. It is impressive that lawmakers passed the USA FREEDOM Act to improve privacy protections, but there is much more to done and Congress must be diligent in continuing the work of protecting our privacy and security online.