It’s looking like we might be on the brink of another crypto war. The first one, in the 90s, was a misguided attempt to limit the public’s access to strong, secure cryptography. And since then, the reasons we need the good security provided by strong crypto have only multiplied. That’s why EFF has joined 20 civil society organizations and companies in sending a letter to the National Institute of Standards and Technology (NIST) to “re-emphasize the importance of creating a process for establishing secure and resilient encryption standards, free from back doors or other known vulnerabilities.”
As the letter points out, in September 2013, ProPublica, the Guardian, and the New York Times revealed that the NSA had systematically “circumvented or cracked much of the encryption, or digital scrambling” that protects the Internet, “collaborating with technology companies in the United States and abroad to build entry points into their products.” As ProPublica explained,
[T]he agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.
And these broken standards appear to have led to a serious impact on U.S. technology companies, which “may lose as much as $35 billion in the next three years from foreign customers choosing not to buy their products over concern they cooperate with spy programs.”
Although NIST has taken some steps to remedy these problems, more is needed “to rectify NIST’s trust deficit.” The letter lists specific recommendations to improve transparency, strengthen NIST’s cryptography work, and increase public understanding and engagement. For example:
NIST should establish a policy wherein the Agency publicly explains the extent and nature of the NSA’s consultation on future standards and any modifications thereto made at NSA’s request.
and
NIST should begin a review process to ensure that wherever possible the same information is published for standards that are currently in use.
The coalition’s recommendations were “heavily echoed in the reports submitted by the members of NIST’s appointed Committee of Visitors (CoV). The CoV is a distinguished panel of experts appointed by NIST. . .” The CoV also made recommendations to NIST, several of which are emphasized in the letter:
NIST must expand to include independent full-time technical expertise and additional funding in order to decrease reliance on the NSA and other members of the Intelligence Community.
We hope that NIST will take the recommendations seriously. U.S. businesses are suffering, and the NSA’s actions have made the Internet less safe for everyone. Serious action is needed to restore trust in NIST—and to protect the public good.
You can read the full text of the letter and see the signatories here.