On May 21, 2014, the House Science and Technology Committee adopted, by voice vote, an amendment to the FIRST Act removing the requirement that NSA be consulted on encryption standards. The amendment was authored by Congressman Alan Grayson.
The National Institute for Standards and Technology, or NIST, a federal agency that develops cryptographic standards used to protect internet communications around the world, has been required by US federal law to work with NSA on all such standards since 1987. The connection between the two organizations was strengthened in a 2002 law, the Federal Information Systems Management Act.
The FIRST Act – or “Frontiers in Innovation, Research, Science, and Technology” – is intended to authorize programs and increase funding in research fields. Representative Grayson’s amendment removes the requirement in federal law that NIST consult with NSA, instead allowing NIST to request NSA assistance on an as-needed basis.
The NSA’s efforts to keep the internet secure often take a back seat to the NSA’s now-infamous role in mass surveillance and foreign intelligence gathering. Late last year, the Guardian, the New York Times, and ProPublica reported that the NSA used its position to weaken encryption standards and preserve its surveillance capabilities, thereby putting internet users around the world at risk.
Earlier this year, NIST published a new draft document which sets out principles to guide its cryptography standards-setting processes going forward. The document relies on six core principles: transparency, openness, technical merit, balance, integrity, and continuous improvement. Access, joined by others, sent a letter responding to the document in April, asking that NIST strengthen the principles “to provide greater transparency and access.” The letter asked that NIST pledge to publicly explain the extent and nature of the NSA’s consultation on future standards and any modifications made at the NSA’s request.
Access continues to work to ensure the integrity of communications and systems – one of the 13 International Principles on the Application of Human Rights to Communications Surveillance. Building off this principle, Access’ Data Security Action Plan attempts to provide seven basic steps through which companies can help raise the floor on acceptable data protection practices. Today’s amendment will help support data integrity by ensuring that the standards used to protect all internet users are not artificially weakened. We applaud the Committee’s adoption of this amendment and hope that Congress will take this as an opportunity to further study the extent of NSA’s attempts to undermine internet security.