Senators want agencies to encrypt data before sharing with new NSF database
Sens. Ron Wyden, D-Ore., and Rob Portman, R-Ohio, are urging the National Science Foundation to require encryption to protect sensitive data shared via a powerful new platform being stood up by the U.S. government for cross-agency collaboration.
The pair argue in a letter sent Tuesday to NSF Director Sethuraman Panchanathan that encryption is the best technology to ensure that data shared through the new National Secure Data Service stays out of reach of foreign adversaries and malicious hackers. Wyden and Portman want the encryption protections applied to any data that could be used to infer the identity of an individual.
Established as part of the $280 billion CHIPS and Science Act passed this summer, the National Secure Data Service aims to provide a transparent and consolidated data infrastructure to share, combine and use government data for cross-agency research. The CHIPS Act tasks the NSF with setting up a prototype for the service and to determine whether it might be scaled more broadly.
The letter, which was shared first with CyberScoop, urges NSF to require agencies submitting data to the database to encrypt the information using a key only they control so that “individuals who appear in that data are protected in the event of a hack or breach of the NSDS system.”
“The NSDS platform will enable government agencies to collaborate by using data for research projects. This research will help policy makers to improve government programs, and will shed light on the effectiveness of federal policies,” Wyden and Portman write. “However, the NSDS program will only live up to its promise if it facilitates research while protecting Americans’ data from hackers, foreign spies and misuse by government agencies.”
The use of encryption would fulfill a privacy provision in the CHIPS Act authored by Wyden and Portman requiring the database to prevent any individual’s data from appearing in an identifiable form.
“And, by avoiding holding a ‘master key’ that can access all of the data, NSF will remove a massive cyber-target from its back,” the Senators add.
Failure to protect Americans’ sensitive data has become a recurring issue for the U.S. government. In 2014, the Office of Personnel Management breach allowed alleged Chinese hackers to steal sensitive personal data on 22 million current and former federal employees. The breach was a major wake-up call for the need for better data security in federal agencies. Nonetheless, agencies continue to be poor stewards of Americans’ information. For instance, just last week the IRS disclosed that it had accidentally published confidential data of 112,000 taxpayers, Bloomberg Tax reported.
Portman and Wyden warn NSF against alternative methods, such as data de-identification, a technique that many researchers warn is reversible and has often been used by businesses to mislead consumers about the anonymity of their data, as the FTC has warned. Instead, they urge NSF to set up collaboration through multi-party computation, a form of cryptography that allows multiple parties to make calculations using their combined data without revealing any individual part. The technology is already being used in limited government case studies and by companies such as Google and Microsoft
In addition to keeping out hackers and adversaries, encrypting data also prevents misuse by other government agencies with access to the system.
“It was important to Congress that Americans be able to trust that their data won’t be used for any purpose that hasn’t been reviewed by NSF and publicized on the program’s website,” the pair write. “NSF must use encryption technology to back up that trust with hard technical guarantees.”
The letter requests Panchanathan to answer if commits to requiring agencies to encrypt their own data by Jan. 20.