by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : August 2014
CYBEREYE BY BRIAN ROBINSON WILL THE NATIONAL Insti- tute of Standards and Technol- ogy break its close relationship with the National Security Agency in developing cryp- tographic and cybersecurity standards? That seems very likely following a recent report by an outside panel of experts, and it will have implications for federal agencies. The report by the Visit- ing Committee on Advanced Technology (VCAT), which was released July 14, came after last year s revelation as a part of the Edward Snowden leaks that the NSA had inserted a "backdoor" into a NIST encryption standard that s used to generate ran- dom numbers. NIST Special Publication 800-90A, the latest version published in 2012, describes ways for generating random bits using a deterministic random bit generator (DRBG). That s an important step for many of the cryptographic processes used to secure computer systems and protect data. The backdoor allowed the NSA to basically circumvent the security of any system it wanted to get data from, and that could be a substan- tial number. The DRBG was used as the default in RSA s FIPS 140-2 validated BSAFE cryptographic library, for ex- ample, before that was ended in 2013. Up until then, BSAFE had been widely used by both industry and government to secure data. The main damage done by these revelations is not in whatever data the NSA managed to extract because of this, but in the confidence organizations will have in what NIST does in cyberse- curity going forward. And for government agencies that s critical, since they are re- quired by law to adhere to the standards NIST puts out. NIST removed the o end- ing DRBG algorithm from 800-90A in April and reissued the standard. It advised fed- eral agencies to ask vendors whose products they used if their cryptographic modules rely on DRBG and, if so, to ask them to reconfigure those products to use alternative algorithms. But the damage has been done. Not only do other NIST standards developed in coordination with the NSA now need critical review, ac- cording to VCAT committee member Ron Rivest, a profes- sor at MIT, but the process for developing future standards needs reassessment and refor- mulation. As Edward Felten, a profes- sor of computer science and public a airs at Princeton University and another of the VCAT members, wrote in the committee s report, if government has to conform to NIST standards, but everyone else uses something di er- ent, it "would be worse for everybody and would prevent government agencies from us- ing commercial o -the-shelf technologies and frustrate interoperation between gov- ernment and non-government systems." Simply put, that s not possi- ble. Government is no longer in the position of being able to develop systems for its own use and depends absolutely on commercial products. So, the scramble to shore up NIST s reputation is on. NIST says it has already instituted processes to strengthen oversight of its standards making, and could make more along the lines of the recommendations made in the VCAT report. Congress got in on the act a few months ago with an amendment to the FIRST Act, a bill to sup- port science and research, that strips the requirement in law that NIST consult with the NSA when developing in- formation security standards. However, it still allows NIST to voluntarily consult with the NSA, something the VCAT report also goes to some lengths to recommend. That s a tacit admission that NIST and the government overall can t do away with NSA input on security. There have been suggestions that the NSA s role in informa- tion assurance should be given over the Department of Homeland Security or the Defense Department, but that seems unlikely. The fact is that the NSA probably has the greatest depth of expertise in cryp- tography and security in the entire government, and both the DHS and DOD rely on it as much as NIST does. How to reconcile all of that while urgently repairing the trust that s needed of NIST and its standards, both in govern- ment and industry, will be one of the more fascinating things to watch over the next few years. • 16 GCN AUGUST 2014 • GCN.COM NIST's future without the NSA NSA has the most expertise in cryptography in government. How to repair the trust of NIST and its standards will be one of the more fascinating developments to watch over the next few years.