Will NIST-NSA Cooperation Continue?House Bill Would No Longer Require NIST to Work with NSA
Legislation before the House to expunge from federal law the requirement that the National Institute of Standards and Technology work with the National Security Agency on cybersecurity standards wouldn't likely stop the two federal agencies from continuing to collaborate.
Experts at both agencies have developed close working relationships over the years, and a change in federal law wouldn't necessarily stop NIST computer scientists from cooperating with NSA cryptography mavens.
"There are people at NIST who have a great deal of respect for some of the cryptographic experts at the NSA," a former NIST encryption expert says. "It's more a matter of getting in contact with the right individuals instead of thinking about it as institution to institution."
An amendment introduced by Rep. Alan Grayson, D-Fla., and approved last week by the House Committee on Science, Space and Technology would excise language from Federal Information Security Management Act that requires NIST to work with the NSA on IT security guidance, which federal agencies must follow. The Grayson amendment, if enacted, would let NIST decide whether to seek NSA help.
NIST, through a spokeswoman, declined to comment on the legislation.
Last year, NIST withdrew its special publication on a random bit generator because of concerns the NSA might have tampered with cryptographic guidance (see NIST to Review Crypto Guidance Methods). The alleged meddling by the NSA in the NIST guidance prompted Grayson to introduce the amendment.
"The message will be clear - an agency that subverts the legitimate work of another agency will face consequences," Grayson says in a letter to his colleagues seeking support for his proposal. "... Standards will still be promulgated at the highest levels of quality by NIST, and the NSA will still be consulted when needed. But subversive actions, and overreach, by one agency into another, will not be tolerated."
Even those who find fault with the NSA for its conduct see value in NIST tapping the e-spy agency's cryptographic expertise. "But NSA should not receive special treatment," Joseph Lorenzo Hall, chief technologist for the advocacy group Center for Democracy and Technology, writes in a blog. "In fact, NIST should ensure that the NSA is treated, for the most part, like just another stakeholder in the standards process, albeit one for which a heightened standard for transparency should apply."
Purdue University Computer Science Professor Gene Spafford likes the idea of giving NIST a choice on whether to seek NSA advice. "Optional consultation means that expertise can be tapped, if needed, but it removes the potential for forced injection of ideas, whether real or simply perceived as such by those outside," Spafford says. "NIST does a great job of trying to be transparent and come up with solutions of widespread use. Anything that supports that is a good idea."
SANS Institute Research Director Alan Paller says NIST's cryptographic expertise is aging, and the institute needs to maintain a certain level of knowledge to ensure it can trust the advice it receives. "The principal way for NIST to protect itself is to improve its own technical expertise, so it can be a strong partner in using the NSA expertise," Paller says.
In an interview last November, a NIST official said the agency was being a little more cautious in collaborating with NSA (see NIST Review Won't Disrupt Work with NSA). "We certainly have not stopped asking them some of the hard questions that we looked at them to help us with," said Matt Scholl, deputy chief of NIST's Computer Security Division. "In the areas where we are working to produce standards guidelines, best practices, we're still collaborating."
After withdrawing the guidance last fall, NIST instituted an investigation into the matter. In February, it issued a draft report proposing changes in the way it develops cryptographic standards. Two weeks ago, an advisory group to NIST tapped seven prominent individuals - cryptographers, academics and business leaders - to provide an independent assessment of the ways the institute develops cryptographic standards and guidelines (see Experts to Address NIST Cryptographic Program).