House Passes Amendments Blocking Funding for Undermining Encryption (house.gov)
73 points by randomname2 on June 6, 2015 | 23 comments



The summary at https://www.congress.gov/amendment/114th-congress/house-amen..., and the bill it is attached to, imply that only funding from NIST to consult with the NSA/CIA is blocked. Wouldn't this sort of thing be coming out of the NSA's budget anyway? Seems like an easy loophole.

Edit: the loophole is even bigger than that! I listened to the discussion (http://www.c-span.org/video/?326244-2/us-house-debate-fy-201... around 3:16) where Massie says that the bill doesn't prevent collaborating with the NSA to strengthen encryption, only to weaken it. But the NSA can just claim they are helping to strengthen encryption... in fact that's probably exactly what they did when they first introduced DUAL_EC_DRBG to NIST in the first place.


This is actually (as far as I can tell) the normal way that Congress butts into the actions of an agency.

NSA would be covered on a separate budget, and in any event there are at least theoretical reasons why you'd want the foreign intelligence arm of the nation to be able to weaken encryption abroad, especially when that foreign intelligence agency has the statutory duty to be able to break the codes of the U.S.'s adversaries.

NIST has no such statutory duty, and their budget is handled as part of the normal public Congressional budget process. So what this would do is to prevent the use of NIST-funded activities (e.g. crypto competitions, labor time of NIST employees, etc.) to consult with NSA to deliberately weaken encryption standards.

Even though NSA could fund such actions internally to them, they wouldn't be able to publish such a subverted standard under the imprimatur of NIST the way that Dual EC DRBG was done.

As far as the loophole, the option "Agency A could just claim to be doing legal thing X instead of illegal thing Y" applies to almost all agencies for nearly all illegal things. Fraud is still a crime, even for the NSA; if you're going to assume that NSA will simply break the law then legal changes as a way to stop NSA are irrelevant anyways.

In the case of Dual EC DRBG it appears to have been obvious early on that it was weak and even probably backdoored. Schneier wrote as much about it in a Wired article back in 2007. It's notable that NIST complicity was evident here, which is why something like this amendment is needed. But I can't find anything that claims NSA flat-out lied either, and much of Snowden's own leaks have revealed an NSA studiously trying to stay within (but only barely within) the lines.


> Fraud is still a crime, even for the NSA; if you're going to assume that NSA will simply break the law then legal changes as a way to stop NSA are irrelevant anyways.

You said it all right there.


It's way more complex than that.

> Wouldn't this sort of thing be coming out of the NSA's budget anyway?

In the grand scheme of things, yeah. NSA was spending $250M to undermine cryptography [0]... fucking rats.

But back when all of this was happening, I suspect that NIST actually was the one paying NSA. Reminisce back to when we all assumed that NSA weren't bad actors, do you think that NSA would be able to politically explain funding a partnership with NIST?

Consider that the entire point of spending tax payer money on NIST is that they do research into standards. How could NSA explain to NIST that they randomly feel like spending money from their own budget to help them out? I could be wrong, it's hard to find information on who NIST contracts with, but I think it'd be a very odd situation for NSA to have paid NIST for the opportunity to do their job for them.

The normal operation of NIST is that they give money to consultants in exchange for working on standards, it's unlikely to think it would be the other way around.

> NSA can just claim they are helping to strengthen encryption... in fact that's probably exactly what they did when they first introduced DUAL_EC_DRBG to NIST in the first place.

Nope. NIST was consulting with both NSA and RSA, figuring that they were getting unique opinions from both. Behind the scenes, though, NSA paid RSA $10M to begin using DUAL_EC_DRBG in a few of their products, which is kind of unprecedented because RSA sells a lot to government and NIST approval is required by software used by government. NSA then turned around and pointed at the fact that RSA was already using it, bolstering the argument they'd been trying to make to NIST the whole time. NIST then put it in.

So while Massie's bill doesn't stop NIST from being infiltrated by NSA via NIST contractors, it does stop NIST and NSA from directly consulting and that's a step in the right direction.

[0]: http://www.nytimes.com/interactive/2013/09/05/us/documents-r...

[1]: http://www.reuters.com/article/2013/12/20/us-usa-security-rs...


Right. Also isn't this bill like an annual one? Which means this amendment would have to be passed every year?


Yes, to the best of my knowledge the limitations placed on use of funds are only for the funds being appropriated by the current bill. In fact amendments that do otherwise may be removed under procedural rules, but it also seems that if no one raises a point of order then it is not enforced.

I actually got curious and looked at a bunch of other amendments[0]. Another one that was agreed to was "An amendment to prohibit the use of funds by the Department of Justice in violation of the Fifth and Fourteenth Amendments to the United States Constitution; or to repeal the guidance provided in the memorandum issued by the Attorney General on March 31, 2015."[1] That makes me wonder what was in the referenced memorandum.

This one was withdrawn by unanimous consent; make of that what you will: "An amendment to prohibit use of funds to transfer cell site simulators, or IMSI Catcher, or similar cell phone tower mimicking technology to state and local law enforcement that haven't adopted procedures for the use of such technology that protects the constitutional rights of citizens."[2]

There were also a whole bunch of amendments that had this form: "An amendment to reduce and then increase funding for NOAA Operations, Research, and Facilities by $70 million."[3] That one passed, but there were at least seven others that failed or were withdrawn (both before and after this one) which were identical in all but the cash amount, and a few more for agencies other than NOAA. Does anyone know what the point of these amendments is?

[0] https://www.congress.gov/bill/114th-congress/house-bill/2578...

[1] https://www.congress.gov/amendment/114th-congress/house-amen...

[2] https://www.congress.gov/amendment/114th-congress/house-amen...

[3] https://www.congress.gov/amendment/114th-congress/house-amen...


> That makes me wonder what was in the referenced memorandum.

Could be this one: "Guidance Regarding the Use of Asset Forfeiture Authorities in Connection with Structuring Offenses"

http://www.justice.gov/sites/default/files/opa/press-release...


This seems to imply that the following could be a plausible chain of events:

1. some of the NSA Suite A ciphers get reverse-engineered by foreign citizens;

2. isomorphic algorithms with equivalent guarantees to those Suite A ciphers are developed, again out-of-country;

3. those algorithms are put into a piece of open-source software and posted online, allowing anyone to use them;

4. industry across the world decides that these "new" ciphers are really good and widely adopts them (e.g. incorporating the code into OpenSSL et al), to the point that they become a de-facto standard;

5. flaws are found in other current ciphers, such that the isomorphic-to-Suite-A ciphers we now have access to become the only conscionably recommendable choices;

Then, at that point, it seems like NIST could now choose to put these isomorphic-to-Suite-A ciphers into a standard, and the NSA couldn't say no. Is that right?


That would be nice. But it seems like US diplomacy has been deployed against anyone claiming to be more secure than US tech companies. It's just crickets out there. Certainly all the Five Eyes's tech companies have been nailed down.

It might happen, but it won't come from a major established tech company in the Americasphere.


Like I said in a reply to another comment, see the list of No votes here: https://www.govtrack.us/congress/votes/114-2015/h290


Too bad this contradicts the favorite talking point of "it's Republicans who hate sound technology decisions"...


That's not as true anymore, plenty of news coverage in the past month of the last NSA limiting bill mentioned how the younger republicans are now more libertarian leaning and anti-surveillance. While the older republicans are still the hardcore national security hawks.

There is some hope for the younger generations it seems, the people who have a better grasp of technology than the older crowd.


> There is some hope for the younger generations it seems, the people who have a better grasp of technology than the older crowd.

While I agree there is reason for hope, the younger more Libertarian crowd concerns me more, even if I agree with them on surveillance.


And what is the penalty when NSA continues to do so, assuming they're even found out? Especially when they can just retroactively claim that the people doing so were on overhead for other projects. Or if they simply fund those types of projects through shell companies with reserves from drug running / insider trading?

The only way to fix this mess is to defund and dismantle the whole damned agency.


Who are the 43 people who voted against and why? Are there any good sites for public discourse with house & senators about why they vote a certain way?



Wow, that's a great site. Wish there was an open community discussion where I could say.. send messages to my representative who then sends them to the Congress person after filtering messages from a voting group.

I understand that's what representatives are supposed to do, but there's an awful lot of people with opinions..


Close to 90% of the no-voters are Democrats. The only reason I can imagine is that they oppose even a tiny measure that would hinder the growth of Leviathan.


It was a fairly harebrained scheme to begin with...

NSA: Hey guys - you should totally use this suboptimal encryption standard with these constants we somehow created.

Everyone: Uh... we're good. Thanks...


Bah, one of the No votes was my house rep. Time to set aside an hour to write some letters of disappointment on Monday.


The posted URL gives a 404 error. It looks like the intent was to point to this press release:

http://massie.house.gov/press-release/press-release-house-pa...

Excerpt:

The 383-43 vote represents a victory for electronic privacy advocates. Massie's amendment would prevent the National Institute of Standards and Technology (NIST) from cooperating with the NSA to weaken encryption standards for the purpose of facilitating electronic surveillance.

“When our government weakens encryption software to spy on citizens, it puts everyone at risk. Hackers can exploit weak encryption to gain access to Americans' confidential health records and financial information," said Congressman Massie. "The NIST charter is to establish dependable standards, not to compromise standards for the purpose of spying."





