On Monday the NSA announced a sweeping reorganization of the agency’s priorities. The plan, dubbed NSA21, is slated to establish six new directorates while maintaining the agency’s two core missions, signals intelligence (SIGINT) and information assurance (IA). The reorganization will be implemented over the coming years to improve the agency’s effectiveness at targeting foreign terrorists and protecting American networks. But one reform that would go a long way towards that security goal is conspicuously absent from NSA21: revoking the statutory requirement that the NSA help shape encryption standards. The NSA should not have a say in setting encryption standards for public and private networks, and making sure it doesn’t would do much to restore trust in the government’s ability to be a positive contributor to online security.
We can start moving in the right direction by reconsidering the NSA’s two competing mission mandates.
The NSA has two missions. The first is information assurance: hardening the security of public and private domestic networks, among other methods by assisting the National Institute of Standards and Technology (NIST) in setting encryption standards. The second, which the agency treats as primary, is signals intelligence collection and analysis. Unfortunately, the NSA has shown itself all too willing to weaken the security of ordinary users in pursuit of the SIGINT mission, and a public standard weakened for the NSA’s benefit is weaker against everyone who later learns of the flaw or can reproduce it, not only against the NSA’s targets. Balancing the two mandates is therefore a zero-sum game. Prioritizing SIGINT, as the NSA clearly does, necessarily comes at the cost of strong encryption and security standards.
But it doesn’t have to be this way.
In May 2014, the House Science, Space, and Technology Committee voted to adopt an amendment, introduced by Rep. Alan Grayson, that would have removed the requirement for NIST to consult the NSA before setting encryption standards, while still permitting NIST to consult the NSA on an as-needed basis. The underlying bill never became law, and since then there has been little discussion of the uncomfortably close relationship that persists between NIST and the NSA.
While the spirit of Grayson’s proposal is sound, the reality of the NIST-NSA relationship suggests it would have had little practical effect: the consultation requirement is only one channel, and as long as the NSA holds an information assurance mandate it retains both a reason and a means to weigh in on NIST’s work whether or not NIST is formally required to ask. The only way to resolve the NSA’s competing mandates is to remove the tension between them. The best way to do that is to eliminate the NSA’s mandate to assure the security of public and private networks and let NIST set cryptographic standards on its own.
The intelligence community has proven itself very clever at reinterpreting statutes meant to limit its power or discretion. That is why any proposal to separate NSA and NIST must include two provisions. First, revoke the NSA’s IA mandate. Second, allocate funds so that NIST can hire its own dedicated, independent team of qualified cryptographers; otherwise the agency will still have to borrow expertise from the NSA on exactly the decisions where independence matters most. Indeed, the report of NIST’s Visiting Committee on Advanced Technology, produced after the revelation of the backdoor in Dual_EC_DRBG (a random number generator in NIST SP 800-90A, not an encryption algorithm, which NIST has since removed from the standard), made recommendations to this effect. Aware of the NSA’s countervailing SIGINT mandate, the report advised that “NIST should be very careful in its interactions with NSA regarding standards. NIST should draw on NSA’s expertise, but NIST must not defer to NSA on security-relevant decisions.”
As to the second provision, NIST concurred, recommending that it “continue to increase the depth and breadth of its cryptographic expertise, in order to maximize NIST’s capacity to exercise independent technical judgment on cryptographic security standards.”
For the cryptographic community, and the American people at large, to place a high degree of trust in the encryption standards NIST promulgates, the NSA must be removed from the equation entirely. Perpetuating the status quo endangers the online security of average Americans, government agencies and corporations alike. A truly independent NIST, no longer tethered to the NSA, is a practical and substantial reform that would go a long way towards reviving confidence in online security standards. That is something that would benefit all Americans.