An open letter has been sent to the National Institute of Standards and Technology (NIST), and copied to the White House, asking for secure and resilient encryption standards to be built.
Signed by 19 organisations, including the EFF, Liberty Coalition, New America’s Open Technology Institute, Electronic Privacy Information Center (EPIC) and vendors including Silent Circle and Cloudflare, it calls for development “free from back doors or other known vulnerabilities”, and calls on NIST to “make a strong statement ensuring independence, security and integrity” in order to restore trust and re-commit itself to the promotion of innovation and industrial competitiveness.
The letter said that much more must be done to restore the public’s trust in the agency and to ensure that secure communications tools and technologies are built on solid foundations, and set out six key points on what NIST should do:
1 – NIST should further commit, to the extent that it does not invade personal privacy interests, to transparency on the identity and affiliation of individuals and organisations that consult on the development process;
2 – NIST should establish a policy wherein the Agency publicly explains the extent and nature of the NSA’s consultation on future standards and any modifications thereto made at NSA’s request, and NIST should begin a review process to ensure that, wherever possible, the same information is published for standards that are currently in use;
3 – NIST should attempt to maximise reach and engagement and limit barriers to access in order to conduct the best possible outreach to the public; further, in deciding on platforms, NIST should not only consider reach, level of engagement and barriers to access, but also the ability to search for and access historical content, to ensure persistence and continuity;
4 – NIST should commit to always providing a security proof for standards when the standard is put out for public comment and to explaining the justification for, origin, and means of generation for any parameters supplied in NIST standards;
5 – [NIST] should specify that, unless necessary, [the Agency] will only take into account information assurance needs of government in establishing cryptography standards, and should, under no circumstances, consider the signals intelligence needs of the NSA or any other intelligence or law enforcement need of any agency;
6 – NIST should extend [the principle of Usability] to its cryptography work to ensure that security standards are not weaker in practice than anticipated by examining only the underlying mathematics.
There were also further calls for NIST to publicly and irrefutably commit itself to independence from the NSA’s signals intelligence mission and from any government surveillance programs, activities or authorities, and to expand its independent full-time technical expertise and its funding in order to decrease reliance on the NSA and other members of the Intelligence Community, even to the extent that an Act of Congress is necessary to achieve these items.
The letter also encouraged NIST to revisit and revise its Memorandum of Understanding (MOU) with the NSA, which was first entered into in 1989 and amended in 2010. “The MOU should again be amended, not only to recognize NIST’s commitment to transparency on consultations with the NSA, but also to add express limitations on that consulting,” the letter said.
“The MOU should expressly limit NSA’s consultations to the furtherance of its Information Assurance mission, and any consultation that artificially lowers encryption standards to preserve signals intelligence capabilities must be expressly prohibited.”
The letter concluded by saying that NIST should establish and facilitate a continued dialogue with members of civil society, advocacy organisations and other experts who represent the interests of the general public and users.