
NSA should stop undermining encryption standards, Obama panel says

But US "may briefly authorize using a Zero Day for high priority intelligence."

Encryption technology has come a long way since the Enigma machine.

A presidential advisory committee today recommended that the US government stop any efforts to undermine encryption standards or attack commercial software.

The panel's report (full text at Whitehouse.gov) comes in response to the National Security Agency leaks of Edward Snowden and makes 46 recommendations. Number 29 should please IT security researchers:

We recommend that, regarding encryption, the US Government should:

(1) fully support and not undermine efforts to create encryption standards;

(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and

(3) increase the use of encryption, and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.

We reported in September on the NSA's uneasy relationship with encryption researchers, detailing how the agency has helped improve the encryption standards that secure Internet communications while in other cases undermining them. Government officials have routinely joined security researchers at technology conferences—this year, they were asked to stay away from DefCon, one of those annual events.

While the White House isn't obligated to accept the advisory panel's recommendations, doing so could end any current or future efforts to insert backdoors into encryption standards. Security experts, including Bruce Schneier, have warned that the NSA's work has undermined the security of the Internet.

The recommendations wouldn't prevent the US from creating malware to attack its enemies (as it did with Stuxnet) but it would at least prevent the government from weakening commercial software. This could change how the NSA does business. One NSA program, revealed in the New York Times, seeks to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets."

In some instances, the committee said, it would be OK for the government to take advantage of zero-day vulnerabilities in order to collect intelligence. Zero-day attacks are known as such "because developers have had zero days to address and patch the vulnerability," the report noted. "US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments."

The panel also said the United States should work with other countries to create international agreements that "increase confidence in the security of online communications." The US and other governments "should not use surveillance to steal industry secrets to advantage their domestic industry," and they "should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems."

Governments should also "promote transparency about the number and type of law enforcement and other requests made to communications providers," which is something US technology companies have been advocating. Microsoft, Google, Facebook, and others have called upon the US government to end bulk collection of Americans' communications data, and they have asked for the right to reveal more information about the data requests they receive from the government.

You can check out our coverage on the rest of the panel's recommendations here.
