The National Security Agency should not undermine encryption standards that are designed to protect the privacy of communications, the panel of experts appointed by President Obama to review NSA surveillance recommended in a report released today.
The recommendation, among the strongest of the many suggested changes laid out by the panel, comes several months after ProPublica, the Guardian, and the New York Times reported that the NSA has successfully worked to undercut encryption. The story was based on a set ofdocuments provided by former NSA contractor Edward Snowden.
Encryption technologies are supposed to render intercepted communications unreadable. But the NSA conducted what one secret memo described as an “aggressive, multipronged effort to break widely used Internet encryption technologies.” The agency deliberately weakened international cryptographic standards used by developers around the globe and worked with American and foreign tech companies to introduce backdoors into commercial products.
The White House said President Obama is reviewing the panel’s recommendations, which are not binding, and will make a final decision by January.
The panel said the U.S. government should not “in any way subvert, undermine, weaken, or make vulnerable generally available commercial software”:
The panel also recommended that an arm of the NSA whose mission is protecting information rather than spying be separated from the agency. The Information Assurance Directorate is charged with building secure data and communications systems for the government and also works closely with industry and academia.
The review panel submitted its report to Obama on Friday and met with the president today. The White House said Obama would speak publicly in January to disclose the “outcomes of our work” including how he will address the review group’s recommendations.
“Over the next several weeks, as we bring to a close the Administration’s overall review of signals intelligence, the President will work with his national security team to study the Review Group’s report, and to determine which recommendations we should implement,” the White House said in a statement.
Formally known as the Review Group on Intelligence and Communications Technologies, the panel was made up of five experts, including former deputy director of the CIA Michael Morrell, former counterterrorism czar Richard Clarke, and longtime Obama confidant and current Harvard Law professor Cass Sunstein.
The report was originally scheduled to be released this coming January. But in a surprise move, Press Secretary Jay Carney announced it would be published today because of “inaccurate and incomplete reports in the press about the report's content.” The move also comes one day after a federal judge tore into the administration’s defense of one NSA program.
Soon after the revelations about the NSA undermining in encryption, the National Institute of Standards and Technology, a government agency that sets standards for various technologies, issued a statement “strongly” recommending against using one of its encryption standards. Secret documents described in our encryption story revealed the NSA's role in heavily influencing the standard in question. NIST is required by law to consult with the spy agency.
Citing the importance of trust and transparency in the development of encryption standards, NIST also later announced that it is reviewing all of its previous cryptographic recommendations as well as its process for development of future standards.
In a technical appendix report released today, the NSA actually detailed its role in the creation of various widely used encryption standards.