'Be careful' working with NSA, US tech security agency warned

A group of security experts is encouraging the U.S. agency tasked with creating technological security standards to reevaluate its relationship with the National Security Agency (NSA).

The group said the National Institute of Standards and Technology (NIST) should not defer to the NSA given reports that the NSA deliberately weakened encryption standards created by the NIST.


“NIST should be very careful in its interactions with NSA regarding standards,” wrote Ed Felten — a member of the expert panel and former Federal Trade Commission chief technology officer — in his personal recommendations to the agency.

“NIST should draw on NSA’s expertise, but NIST must not defer to NSA on security-relevant decisions.”

Last fall, the NIST came under fire after leaked documents from former NSA contractor Edward Snowden indicated that the security standards agency was including weaknesses in security measures at the behest of the NSA.

The agency — which works with private companies and groups to develop security standards — said in a statement that it “would not deliberately weaken a cryptographic standard.”

“We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large,” the agency said.

In response to the reports of weakened encryption standards, NIST announced that it would conduct reviews of its encryption standards and agency processes.

After meeting with NIST officials, the outside experts — including Google Chief Evangelist Vint Cerf — recommended that the NIST consult with, but not submit anything to, the NSA.

“NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess it and reject it when warranted,” the report said, encouraging the NIST to involve outside experts from the cryptographic community.

The report also encouraged the agency to review “the current requirement for interaction with the NSA and request changes where it hinders its ability to independently develop the best cryptographic standards to serve not only the United States Government but the broader community.”