NIST orders review of its encryption standards development processes

After reports based on documents leaked by Edward Snowden raised questions about existing encryption standards, the National Institute of Standards and Technology (NIST) has launched a formal review of its processes.

NIST encryption standards are currently used to secure the storage and exchange of electronic healthcare data.

Both The New York Times and The Guardian published articles, based on material from Snowden, reporting that the National Security Agency (NSA) in the United States and the UK intelligence agency GCHQ have spent hundreds of millions of dollars to defeat Internet encryption.

"Trust is crucial to the adoption of strong cryptographic algorithms," NIST said in a statement. "To ensure that our guidance has been developed according to the highest standard of inclusiveness, transparency and security, NIST has initiated a formal review of our standards-development efforts. We are compiling our goals and objectives, principles of operation, processes for identifying cryptographic algorithms for standardization, methods for reviewing and resolving public comments, and other important procedures necessary for a rigorous process."

NIST plans to invite public comment on this review and to bring in an independent outside organization to examine its standards-development approach and suggest improvements, to make sure the process "leads to the most secure, trustworthy guidance practicable."

The NSA is among the stakeholders that work with NIST in developing encryption standards. Cryptographer Bruce Schneier, who first raised questions about the NSA's role in encryption standards in a 2007 Wired article, told GovInfoSecurity that "the agency's participation in the NIST standard is not sinister in itself. It's only when you look under the hood at the NSA's contribution that questions arise."

"We cannot carry out that mission without the trust and assistance of the world's cryptographic experts," the NIST statement says. "We're committed to continually earning that trust."

NIST recommendations have been woven into the HITRUST Common Security Framework and other guidance to better protect patient data.

Patient trust was a major topic at the data security conference held earlier this year and sponsored by NIST and the U.S. Department of Health & Human Services Office for Civil Rights.

To learn more:
- find the NIST statement
- here's the Times article
- read the Guardian story
- check out the GovInfoSecurity piece