NIST Review Won't Disrupt Work with NSA

NIST Cyber Leader: 'We're Being a Little More Cautious'
The National Institute of Standards and Technology continues to collaborate with the National Security Agency on its IT security guidance even as NIST investigates whether the spy agency meddled with one of its special publications.

NIST announced late last week that it had launched a formal review of how it develops cryptographic standards because of concerns that the NSA might have corrupted a series of its cryptographic publications, SP 800-90A, B and C (see NIST to Review Crypto Guidance Methods).

Asked whether the trust NIST computer scientists have in the NSA staff has diminished, Matt Scholl, deputy chief of NIST's Computer Security Division, answers: "It's around the same."

"We're being a little more cautious, but we certainly have not stopped any of our engagements," he says in an interview with Information Security Media Group. "We certainly have not stopped asking them some of the hard questions that we looked at them to help us with, as well as with everybody else. In the areas where we are working to produce standards, guidelines, best practices, we're still collaborating."

Scholl, citing NIST Director Patrick Gallagher, says one reason NIST collaborates with the NSA on cryptography standards is that the NSA employs some of the smartest mathematicians in the world. "Collaborating and working with them in this space is both appropriate and beneficial to us," Scholl says.

Collaboration is Required

NIST, by law and policy, is required to collaborate with the NSA, other federal agencies, industry and academia in developing its array of IT security best practices.

In 2006, NIST issued Special Publication 800-90 (now SP 800-90A), Recommendation for Random Number Generation Using Deterministic Random Bit Generators, which specifies mechanisms for generating random bits by deterministic methods: given the same seed, such a generator always produces the same output sequence, so the unpredictability of its output rests entirely on the secrecy and entropy of the seed it is given.
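For readers who want to see what "deterministic" means in practice, here is an added example, not code from the article, from NIST or from ISMG, that implements one of the SP 800-90A mechanisms, Hash_DRBG with SHA-256 (Section 10.1.1 of the publication), in Python. The class and function names, the constructed seeds and the 16-bit weak-seed scenario are assumptions made for illustration; the health tests and prediction-resistance options the publication also requires are left out.

```python
import hashlib
from typing import Optional

# Parameters for Hash_DRBG with SHA-256 (SP 800-90A, Table 2).
OUTLEN = 32                   # SHA-256 output length in bytes
SEEDLEN_BITS = 440            # seedlen for SHA-256
SEEDLEN = SEEDLEN_BITS // 8   # 55 bytes
MOD = 1 << SEEDLEN_BITS
RESEED_INTERVAL = 1 << 48     # maximum reseed interval the spec permits


def _hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _add_mod(*parts: bytes) -> bytes:
    """Add byte strings as big-endian integers modulo 2^seedlen."""
    total = sum(int.from_bytes(p, "big") for p in parts) % MOD
    return total.to_bytes(SEEDLEN, "big")


def hash_df(input_string: bytes, no_of_bits: int) -> bytes:
    """Hash_df derivation function (SP 800-90A Section 10.3.1)."""
    out = b""
    iterations = (no_of_bits + 8 * OUTLEN - 1) // (8 * OUTLEN)
    for counter in range(1, iterations + 1):
        out += _hash(bytes([counter]) + no_of_bits.to_bytes(4, "big") + input_string)
    return out[: no_of_bits // 8]


class HashDRBG:
    """Hash_DRBG (SP 800-90A Section 10.1.1) instantiated with SHA-256.
    Illustrative implementation written for this article; not NIST's code."""

    def __init__(self, entropy_input: bytes, nonce: bytes = b"", personalization: bytes = b""):
        self._seed(entropy_input + nonce + personalization)

    def _seed(self, seed_material: bytes) -> None:
        # Shared by instantiate (10.1.1.2) and reseed (10.1.1.3): V and C
        # are the whole internal state, and both derive from the seed material.
        self.V = hash_df(seed_material, SEEDLEN_BITS)
        self.C = hash_df(b"\x00" + self.V, SEEDLEN_BITS)
        self.reseed_counter = 1

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        self._seed(b"\x01" + self.V + entropy_input + additional_input)

    def _hashgen(self, n_bytes: int) -> bytes:
        data, out = self.V, b""
        while len(out) < n_bytes:
            out += _hash(data)
            data = _add_mod(data, b"\x01")
        return out[:n_bytes]

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional_input:
            w = _hash(b"\x02" + self.V + additional_input)
            self.V = _add_mod(self.V, w)
        out = self._hashgen(n_bytes)
        # Advance the state so the next call does not repeat this output.
        h = _hash(b"\x03" + self.V)
        self.V = _add_mod(self.V, h, self.C, self.reseed_counter.to_bytes(8, "big"))
        self.reseed_counter += 1
        return out


def same_seed_same_output(seed: bytes, n_bytes: int) -> bool:
    """The 'deterministic' property: two instances given identical seed
    material produce identical output."""
    return HashDRBG(seed).generate(n_bytes) == HashDRBG(seed).generate(n_bytes)


def recover_weak_seed(observed: bytes, seed_bits: int) -> Optional[bytes]:
    """Attacker's view. If the seed was drawn from only 2^seed_bits values,
    replaying the public algorithm over that space recovers it from observed
    output. Determinism itself is not the flaw; a seed the attacker can
    enumerate, or a generator whose constants hide a trapdoor, is.
    (Seeds this short are deliberately below the 256-bit minimum the spec
    requires for SHA-256, to show why that minimum exists.)"""
    seed_len = (seed_bits + 7) // 8
    for candidate in range(1 << seed_bits):
        seed = candidate.to_bytes(seed_len, "big")
        if HashDRBG(seed).generate(len(observed)) == observed:
            return seed
    return None


if __name__ == "__main__":
    # Constructed sample: an all-zero 32-byte seed, used twice.
    print(HashDRBG(bytes(32)).generate(16).hex())
    print(HashDRBG(bytes(32)).generate(16).hex())   # identical line
    weak = (1234).to_bytes(2, "big")
    print(recover_weak_seed(HashDRBG(weak).generate(16), 16) == weak)  # True
```

The second function is the point a practitioner should take from the "deterministic" label: an attacker who knows the algorithm and can bound the seed space reproduces the output stream exactly, which is why the publication sets minimum entropy-input lengths and why a generator whose fixed constants could encode a shortcut to its internal state is a serious concern.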

A year later, cryptographer Bruce Schneier, writing in Wired, suggested that one of the four generators in the standard, Dual_EC_DRBG, might contain a backdoor allowing the NSA to spy on organizations employing it.

Scholl says he believes NIST looked into Schneier's allegations at the time. "I'm not sure what the exact deliberations were, which is why I think a process review is important to assure that all these comments are considered and looked at," he says.

NIST decided to conduct the review after The New York Times and ProPublica published an article in September that reported the NSA had cracked or circumvented much of the encryption that shields global commerce and banking systems, trade secrets, medical records and Internet communications (see Report: NSA Circumvented Encryption).

Applying Lessons Learned

Though the review is focused on how NIST develops its cryptographic standards, the lessons learned from the examination could be applied to the way NIST develops other IT security standards, Scholl says. "The information that we gather definitely will be informative and impactful to the NIST 800 series [which addresses IT security and information risk management] and the cybersecurity standards that we produce in general," he says.

NIST doesn't have a timetable for when the review will be completed. Scholl says NIST is more concerned about achieving milestones than adhering to a schedule. The milestones include understanding goals and objectives, principles of operation, processes for identifying algorithms for standardization, and methods for reviewing and resolving public comment.

Meanwhile, the deadline for public comments on the reopened random bit generator guidance is Nov. 6. Scholl wouldn't commit to a time when NIST would decide whether it would issue revised guidance on the random bit generator. "That will really be dependent on the comments that we receive and whether they're cogent and consistent," he says. "A lot of it is really going to be driven on the type of feedback we receive as far as what the turnaround time is going to be."

Assuring trust with the cryptographic community is a major reason behind NIST's review. NIST seeks to be transparent, "open for everyone to see," as Scholl puts it, about the processes it employs to create guidance. "More than anything else, this is about ensuring the trust and confidence in people so that they use crypto," he says. "NIST's work in the end is NIST's work. We stand by and believe in the technical merits of what we put out."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
