NIST is preparing guidance on how to share .zip files in a more secure way

Just because you compressed hundreds of files into a single folder doesn't mean that's secure. And now Sen. Ron Wyden is worried.

Do you ever wonder if the files you’re sending over the internet are safe from hackers’ prying eyes?

The search for how to share files in a more secure way could soon be over. The U.S. National Institute of Standards and Technology is now preparing to instruct the public, as well as government agencies, on the best ways to protect .zip files sent over the internet, according to a letter obtained by CyberScoop. NIST says its motivation is to produce “easy-to-understand guidance” on how to compress many files into a single place while protecting all of that data with strong encryption.

NIST plans to release the guidance early in the next fiscal year, said spokesperson Jennifer Huergo.

James Schufreider, director of the Congressional and Legislative Office at NIST, explained more in a July 22 letter to Sen. Ron Wyden, D-Ore.


“The need to improve practices for securing sensitive data that is shared over the Internet is one of the many challenges that our country faces as we manage our information resources,” he said. “NIST agrees that producing easy-to-understand guidance for sharing sensitive information over the Internet in a secure manner will be an essential element in addressing this issue.”

The letter comes after Wyden in June asked NIST Director Walter G. Copan to create and publish guidance on sharing files securely over the internet. Wyden raised concerns about how government employees and members of the public send .zip files under the impression that the data inside is secure thanks to .zip files’ encryption mechanisms. In fact, Wyden said, the wide availability of accessible hacking tools may mean that encryption doesn’t adequately protect their zipped files.

“Government agencies routinely share and receive sensitive data through insecure methods — such as emailing .zip files — because employees are not provided the tools and training to do so safely,” Wyden wrote. “While secure methods to protect and share data exist and are freely available, many people do not know which software they should use.”

Schufreider said NIST shares Wyden’s concerns.

One issue NIST likely will need to address is the varying forms of .zip encryption, some of which are weaker than others. The legacy "Zip 2.0" scheme (PKWARE's ZipCrypto stream cipher), which many tools still apply by default when a user sets a password, has been subject to known-plaintext attacks since the 1990s and can be broken by freely available tools. Archives using the Advanced Encryption Standard (AES) are stronger, but even they come in several variants (the WinZip AE-1 and AE-2 formats at 128-, 192- or 256-bit strength, and PKWARE's own scheme), and all of them encrypt only file contents: file names, sizes and timestamps remain readable in the archive's central directory without a password, and the key is only as strong as the password it is derived from. Users who assume a "password-protected" .zip hides everything inside it are therefore often mistaken.
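To make the distinction concrete, the following Python script is an added example, not code from the article, NIST or any zip vendor. It builds a small constructed archive in memory with three entries (the file names are invented): one unencrypted, one protected by legacy ZipCrypto, and one using WinZip-style AES (compression method 99 plus an 0x9901 extra field). It then lists the archive with the standard library and no password, reporting which scheme each entry uses and what is visible in the clear. The encrypted payloads are filler bytes, so nothing here can be decrypted; the point is what the format leaks before any password guessing begins.

```python
"""Report the encryption scheme of each entry in a .zip without a password.

Added example (not from the article or NIST). The archive is constructed
inline so the script runs offline; the payloads are dummy bytes, only the
headers matter.
"""
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901          # WinZip AE-x extra-field header ID
AES_METHOD = 99                # compression method value that signals AE-x
AES_STRENGTH = {1: 128, 2: 192, 3: 256}
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
DOS_DATE_1980 = 0x21           # 1980-01-01 in MS-DOS date encoding


def _aes_extra(ae_version, strength, real_method):
    # 0x9901 field: AE version (1 keeps the CRC, 2 zeroes it), vendor "AE",
    # key-strength code, and the compression method actually applied.
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, ae_version, b"AE",
                       strength, real_method)


def build_sample_zip():
    """Return the bytes of a constructed three-entry archive (hypothetical names)."""
    entries = [
        # (name, general-purpose flags, method, extra field, payload)
        (b"readme.txt", 0, 0, b"", b"hello"),
        (b"salary.xlsx", 1, 0, b"", b"\x00" * 12 + b"\xaa" * 5),            # ZipCrypto
        (b"contract.pdf", 1, AES_METHOD, _aes_extra(2, 3, 8), b"\xbb" * 28),  # AES-256, AE-2
    ]
    local, central = io.BytesIO(), io.BytesIO()
    for name, flags, method, extra, payload in entries:
        offset = local.tell()
        # Local file header: sig, version needed, flags, method, time, date,
        # crc, compressed size, uncompressed size, name len, extra len.
        local.write(struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method,
                                0, DOS_DATE_1980, 0, len(payload), len(payload),
                                len(name), len(extra)))
        local.write(name + extra + payload)
        # Central directory header repeats the metadata, always unencrypted.
        central.write(struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags,
                                  method, 0, DOS_DATE_1980, 0, len(payload),
                                  len(payload), len(name), len(extra), 0, 0, 0, 0,
                                  offset))
        central.write(name + extra)
    cd = central.getvalue()
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(cd), local.tell(), 0)
    return local.getvalue() + cd + eocd


def classify(info):
    """Return a human-readable label for the encryption scheme of one ZipInfo."""
    if not info.flag_bits & 0x1:            # bit 0 = entry is encrypted
        return "none"
    if info.compress_type == AES_METHOD:
        extra = info.extra
        while len(extra) >= 4:              # walk the extra-field records
            tag, size = struct.unpack("<HH", extra[:4])
            if tag == AES_EXTRA_ID and size == 7:
                version, vendor, strength, _real = struct.unpack("<H2sBH", extra[4:11])
                if vendor == b"AE":
                    return f"AES-{AES_STRENGTH.get(strength, '?')} (AE-{version})"
            extra = extra[4 + size:]
        return "AES (method 99) with no 0x9901 field: malformed"
    return "ZipCrypto (legacy PKWARE stream cipher, weak)"


def inspect(data):
    """Map entry name -> (scheme, uncompressed size); needs no password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: (classify(i), i.file_size) for i in zf.infolist()}


if __name__ == "__main__":
    for name, (scheme, size) in inspect(build_sample_zip()).items():
        print(f"{name:14s} {size:6d} bytes  {scheme}")
```

Run against a real archive by replacing `build_sample_zip()` with the file's bytes. Any entry reported as ZipCrypto should be treated as unprotected, and even for AES entries the listing itself shows what an intermediary can read: every name and size in the archive.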


For now, NIST’s Information Technology Laboratory (ITL) will lead research efforts into the matter before issuing guidance. Schufreider says ITL’s research will focus on understanding current technologies, standards, guidelines and best practices for sharing files digitally, as well as technologies that may become available in the future.

Schufreider’s letter is available in full below.



Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
