[LINK] EPIC Concerns re NSA's Cybersecurity Role

Roger Clarke Roger.Clarke at xamax.com.au
Sat Dec 21 16:39:52 AEDT 2013


[Background to the news item below:

[In the US, the still-emergent (?!) 'cybersecurity framework' is the 
responsibility of a US government agency, NIST.
[NIST is not part of the Department of Defence, and is not a natsec agency.
[However, EPIC is concerned that NIST may have permitted NSA too much 
influence over the standards it has developed.
[With good reason.  Snowden documents revealed that NSA staff claim 
to have successfully weakened NIST's cryptography standards.

[So the US position appears to be highly unsatisfactory.

[Until you compare it with the situation in Australia, that is:

[The agency responsible for the cybersecurity framework is DSD, now ASD.

[But wait a moment.  Isn't ASD the equivalent of NSA?  It's within 
the Dept of Defence, it's part of the natsec community;  and it's 
protected against Ministers, the Cabinet and the Parliament by the 
Attorney-General's Dept.

[Keating got it right.  That's the kind of dominance by defence and 
natsec agencies over the political system that you get in a banana 
republic.]


=======================================================================
                    E P I C   A l e r t
=======================================================================
Volume 20.25                                         December 20, 2013
-----------------------------------------------------------------------

                   Published by the
       Electronic Privacy Information Center (EPIC)
                   Washington, D.C.

      <http://www.epic.org/alert/epic_alert_20.25.html>

========================================================================
[5] EPIC Urges Clarification of NSA's Role in Cybersecurity
========================================================================

EPIC has submitted comments on the National Institute of Standards and 
Technology's (NIST's) preliminary proposal for a cybersecurity 
framework. Pursuant to Executive Order 13636, the federal agency is 
charged with defining a "cybersecurity framework" for the federal 
government. The Executive Order requires privacy and civil liberty 
protections based on the Fair Information Practices.

EPIC's comments praised the preliminary cybersecurity framework for its
focus on minimizing the use of Personally Identifiable Information and 
requiring transparency around cybersecurity practices. EPIC also
commended NIST's "focus on privacy and civil liberties from the outset" 
of the framework's development.

However, EPIC noted, EPIC's previous recommendations to the agency on
the development of the framework were not addressed. EPIC reiterated 
earlier comments that emphasized civilian control, adherence to the 
Fair Information Practices, and compliance with the Privacy and 
Freedom of Information Act. EPIC also urged NIST to "inform the public
of the full extent of the NSA's involvement in the Cybersecurity 
Framework."

In light of recent revelations that the National Security Agency has 
weakened key encryption security standards, NIST has re-opened several 
standards for further public comment; however, EPIC's comments state, 
"NIST has never publicly revealed the role the NSA played in setting 
these standards, or if the NSA asserted influence over any other
regularly accepted standards."

EPIC is currently involved in a Freedom of Information lawsuit against 
the NSA. That lawsuit seeks the release of National Security
Presidential Directive 54. The Directive grants broad authority over 
the security of American computer networks but has never been made 
public.


EPIC:  Comments to NIST re: Cybersecurity Framework (Dec. 13, 2013)
    <http://epic.org/redirect/122013-EPIC-NIST-comments.html>

The White House:  Executive Order 13636 (Feb. 19, 2013)
    <http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf>

NIST:  RFC on Preliminary Cybersecurity Framework (Oct. 29, 2013)
    <http://www.gpo.gov/fdsys/pkg/FR-2013-10-29/pdf/2013-25566.pdf>

NIST:  Preliminary Cybersecurity Framework 
    122013-NIST-cyber-framework.html

NIST:  Cryptographic Standards Statement (Sept. 10, 2013)
    <http://www.nist.gov/director/cybersecuritystatement-091013.cfm>

EPIC:  EPIC v. NSA - Cybersecurity Authority
    <http://epic.org/privacy/nsa/epic_v_nsa.html>

========================================================================
-- 
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University