The NSA Is Put on Notice Over Encryption Standards by Justin Elliott.
I was pretty excited until I read:
The amendment adopted last week by the House Committee on Science, Space, and Technology would remove an existing requirement in the law that NIST consult with the NSA on encryption standards.
In case you want to be uber precise, the amendment reads as follows:
AMENDMENT OFFERED BY MR. GRAYSON OF FLORIDA TO THE AMENDMENT IN THE NATURE OF A SUBSTITUTE
Page 101, after line 9, insert the following new section:
SEC. 411. INFORMATION SYSTEMS STANDARDS CONSULTATION
Section 20(c)(1) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(c)(1)) is amended by striking “the National Security Agency,”.
You can imagine that the NSA wonks are rolling around on the floor after reading this news. Not out of frustration over congressional interference but gut-busting laughter that even members of Congress could be this dumb.
The section in question presently reads:
(c) Development of standards and guidelines
In developing standards and guidelines required by subsections (a) and (b) of this section, the Institute shall–
(1) consult with other agencies and offices (including, but not limited to, the Director of the Office of Management and Budget, the Departments of Defense and Energy, the National Security Agency, the Government Accounting Office, and the Secretary of Homeland Security) to assure–
The amendment takes out the mandatory requirement that NIST consult with the NSA. Or does it?
The really funny part comes when you read “…subsection (b) of the section…”
(b) Minimum requirements for standards and guidelines
The standards and guidelines required by subsection (a) of this section shall include, at a minimum—
…..
(3) guidelines developed in coordination with the National Security Agency for identifying an information system as a national security system consistent with applicable requirements for national security systems, issued in accordance with law and as directed by the President.
Assuming you would credit an agency with the record of the NSA with the intent to obey any law passed by Congress, note that the NSA will still be around to slap NIST around on “national security systems.”
I don’t doubt the good faith of the folks at NIST, but when talking about encryption with the NSA, they are simply out of their league. As are members of Congress.
There are any number of possible solutions to government surveillance issues, but administrative slights are not among them.