Standing in front of more than 2,000 people, Patrick Gallagher addressed what he referred to as the “elephant in the room.”
Gallagher, director of the National Institute of Standards and Technology, was alluding to reports last week that the National Security Agency was building backdoor entrances into companies’ encryption systems, sometimes without their knowledge. NIST has worked with NSA to build encryption and cryptology standards, which the private sector often adopts.
But during his keynote address at the Amazon Web Services Public Sector Summit, Gallagher strongly rebuked allegations that NIST has voluntarily let NSA weaken its encryption standards.
“As director of NIST, what’s most troubling to me reading these news reports is that it appeared to attack our integrity,” Gallagher said. “NIST’s role is to support technical understanding of the strongest, most secure computer security, including encryption, when you can. We are not deliberately, knowingly, working to undermine or weaken encryption technologies.”
One of the ways Gallagher says NIST ensures its integrity is by making sure its work is being done in the full light of the public. NIST publishes its information as a bulletin or in a trade publication to maximize visibility and public feedback, he explained.
“It’s important to us to address these issues in a forthcoming way,” he said. “It’s part of the business of the arms race of cybersecurity. We’re committed when that happens to address it in a straightforward way.”
NIST did, however, reopen on Tuesday the public comment period for the three standards in question “to give the public a second opportunity to view and comment on the standards,” according to an official statement.
“If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible,” the statement added.
Security was the main reason the federal government was initially reluctant to move to the cloud, according to Matt Goodrich, FedRAMP program manager at the General Services Administration.
In her opening keynote, Teresa Carlson, vice president at Amazon Web Services, reaffirmed AWS’ commitment to the cloud, especially cloud security; in the last two years, AWS has launched 80 new features on security alone.
“When you give us requirements and we step up to those security and compliance requirements and accreditations, everyone benefits,” Carlson said. “So when you push us, we push ourselves further.”