House members want to insert an amendment barring the agency from exploiting zero day flaws.
A group of lawmakers concerned about weaknesses in the most popular surveillance reform bill circulating on Capitol Hill wants to insert an amendment that would bar the National Security Agency from weakening encryption standards or exploiting large-scale internet security vulnerabilities.
According to a report in the Guardian newspaper, Rep. Zoe Lofgren, D-Calif., and other House members want to stop the NSA from “utilizing discovered zero-day flaws,” like the Heartbleed flaw made public in April that compromised countless online systems. The proposed amendment, the report claims, would also not allow the NSA “to create them, nor to prolong the threat to the Internet” by failing to warn against vulnerabilities.
The NSA came under fire when reports surfaced last month that the agency knew about -- and exploited -- the Heartbleed bug, further angering privacy advocates who had already been outraged to learn the NSA had deliberately subverted encryption standards adopted and promulgated by the National Institute of Standards and Technology. After the revelations, which came from documents leaked by former NSA contractor Edward Snowden, NIST removed a cryptographic algorithm from its draft guidance on random number generators following extensive public feedback and its own tests.
Lofgren told the Guardian she intends to attach the provision to the USA Freedom Act, which has become the consensus bill to reform surveillance following Snowden’s stream of leaks over the past 11 months. The bill could go before the House floor by next week, yet there is no guarantee the provision -- as she described it to the Guardian -- will make it into the bill, largely because agreements between various committees are tenuous.
How restrictive the process for adding amendments will be remains unclear, but without stronger language, Lofgren does not believe the USA Freedom Act will curtail the government's exploitation of zero-day vulnerabilities or its weakening of encryption standards.