RSA CEO Art Coviello tackled the “trust” issue during his RSA keynote presentation, telling conference attendees that RSA feels the NSA exploited its position of trust.
Ironically, trust is also the theme of a group of speakers who are boycotting the RSA conference on the 27th in favor of the Trustworthy Technology Conference. The TrustyCon event is being held because “Technology should not only be Secure, it should be Trustworthy.” Most security-minded folks were cool with RSA until December 2013, when Reuters reported that RSA had allegedly accepted a secret $10 million contract from the NSA to make an NSA-backdoored random-number generator the default in its BSafe encryption toolkit. RSA categorically denied the allegations in December.
It’s probably not surprising that Coviello touched upon the sore RSA-in-bed-with-NSA subject, since the allegations were like a herd of drunken screaming elephants dancing in the room that simply can’t be ignored. "Has RSA done work with the NSA? Yes,” Coviello admitted during his conference keynote, before adding, “But the fact has been a matter of public record for nearly a decade." Coviello’s spin was that this is nothing unusual: most security firms have worked with the NSA, at least with the part of the NSA responsible for defense.
The NSA has, broadly, two missions and two organizations to go with them, one all about offense and the other all about defense. Coviello said most security firms have worked with the defensive side, the NSA’s Blue Team if you like, formally the Information Assurance Directorate (IAD), which is “responsible for NSA's defensive mission and is widely acknowledged for leading innovative security solutions.” The IAD is supposed to harden software and cybersecurity defenses so that foreign adversaries can’t pull off cyber-espionage; the NSA’s offensive arm, its Red Team, does the opposite. The Signals Intelligence (SIGINT) directorate attacks and exploits systems, hoovers up data, gains access to sensitive and classified information for cyber-espionage, and is responsible for America’s offensive role in cyberwarfare.
Coviello told conference attendees:
“When or if the NSA blurs the lines between its defensive and intelligence gathering roles, and exploits its position of trust within the security community, then that's a problem. Because, if in matters of standards, in reviews of technology, or in any area where we open ourselves up, we can’t be sure which part of the NSA we’re actually working with, and what their motivations are, then we should not work with the NSA at all.”
According to Reuters, “Coviello said RSA's core cryptographic patents had expired by the time of the NSA deal and that it had turned to standards put forward by industry and government groups, including the National Institute of Standards and Technology. NIST supported the NSA formula for generating random numbers, called Dual Elliptic Curve, until the Snowden documents suggested it allowed the agency a back door.”
It wasn’t just NIST at which Coviello pointed a finger of potentially shared blame. "There is maybe a little 20/20 hindsight here," Coviello said of the security researchers who have asked why RSA kept the Dual Elliptic Curve formula as BSafe’s default even after mathematicians found holes in it more than seven years ago. After all, he said, “Relatively few researchers found problems with the formula before the Snowden leaks.”
Revelations from the Snowden leaks seemed to spur most of the RSA speakers to touch upon the “trust” topic, to talk about enhancing privacy protections, hardening security, and calling for global surveillance reforms, but whether you believe them is up to you. Take as an example the debate between former NSA Director Michael Hayden and Richard Clarke, the former White House counterterrorism and cybersecurity advisor under President George W. Bush. Hayden claimed that the “White House advisory panel's report had maintained that the government did not subvert cryptography.” Clarke, who helped write the advisory panel’s report, retorted: "The report did not say that, because that would not be true."
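For readers wondering what a “back door” in a random-number generator of this shape actually means, here is an added toy model of the Dual Elliptic Curve design. It is illustrative code written for this page, not RSA’s, NIST’s or BSafe’s code, and the curve, the base points and the secret scalar are constructed toy values far too small for real use. The generator publishes two curve points P and Q and emits the x-coordinate of r*Q for an internal value r. Whoever picked Q so that P = d*Q for a secret d can turn one output back into the next internal state: rebuild the point R = r*Q from its x-coordinate, then d*R = r*P, whose x-coordinate is the next state. Anyone without d would have to solve a discrete logarithm to do the same, which is exactly why honest parameters have to be generated verifiably at random.

```python
# Added example: a toy model of the Dual Elliptic Curve (Dual_EC_DRBG) design
# with a backdoored (P, Q) pair. Curve, points and the secret scalar are
# constructed toy values; nothing here is BSafe's or NIST's code.

P_MOD = 10007          # prime modulus of the toy curve (far too small for real use)
A, B = 2, 3            # curve: y^2 = x^3 + A*x + B over F_p
TRUNC_BITS = 2         # bits dropped from each output (the standard drops 16)


def inv(a):
    return pow(a, -1, P_MOD)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add k*pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def x_of(pt):
    return 0 if pt is None else pt[0]


def sqrt_mod(n):
    """Square roots of n mod P_MOD (P_MOD = 3 mod 4, so one exponentiation)."""
    n %= P_MOD
    y = pow(n, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != n:
        return []
    return [y] if y == 0 else [y, P_MOD - y]


def first_point():
    for x in range(1, P_MOD):
        ys = sqrt_mod(x ** 3 + A * x + B)
        if ys:
            return (x, ys[0])
    raise ValueError("no point found")


# Published generator parameters. Honest parameters would be two independent
# points; here Q is chosen first and P is derived from it with a secret d.
Q_PT = first_point()
SECRET_D = 7919                          # known only to whoever generated the points
P_PT = scalar_mult(SECRET_D, Q_PT)       # P = d*Q


def dual_ec_step(state):
    """One Dual EC round: returns (next_state, output)."""
    r = x_of(scalar_mult(state, P_PT))
    next_state = x_of(scalar_mult(r, P_PT))
    output = x_of(scalar_mult(r, Q_PT)) >> TRUNC_BITS
    return next_state, output


def state_candidates(output, d):
    """States consistent with one truncated output, using the trapdoor d."""
    cands = []
    for low in range(1 << TRUNC_BITS):
        x = (output << TRUNC_BITS) | low
        if x >= P_MOD:
            continue
        ys = sqrt_mod(x ** 3 + A * x + B)
        if not ys:
            continue                     # not the x-coordinate of any point
        r_q = (x, ys[0])                 # R = r*Q (the sign of y does not matter)
        cands.append(x_of(scalar_mult(d, r_q)))   # d*R = r*P -> next state
    return cands


def recover_state(output, following_output, d):
    """Keep only candidates whose next output matches what was observed."""
    return [s for s in state_candidates(output, d)
            if dual_ec_step(s)[1] == following_output]


if __name__ == "__main__":
    s0 = 4242                            # constructed seed
    s1, o1 = dual_ec_step(s0)
    s2, o2 = dual_ec_step(s1)
    print("true state after first output:", s1)
    print("attacker's recovered state(s):", recover_state(o1, o2, SECRET_D))
```

Dropping a few low bits of each output (two here, sixteen in the standardized version) does not close the hole; it only means the holder of d has a handful of candidate x-coordinates to try, and one more observed output is enough to tell which is right. From then on every subsequent output of that generator instance is predictable.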
Coviello said that the security industry should push to reverse the trend of subverting cryptography and deploying cyber weapons “because criminals ultimately benefit from such tools and the vulnerabilities in software that are left in place so that the weapons can be deployed.”
Coviello also proposed four principles to guide the security industry going forward.
1. Renounce cyber weapons.
2. Cooperate in investigation and prosecution.
3. Ensure economic activity and intellectual property rights.
4. Ensure privacy.
While I like the notion of can't we all just get along, who do you think RSA thinks should lead this cyber-utopia? RSA, of course, at least according to Coviello, who admitted that many "will be skeptical or, worse, cynical that these principles could ever be adopted. Many will think I am naive." He nonetheless insisted, "We must as an industry strongly advocate for the principles I laid out," and, as ZDNet reported, "He used company history to set the company up as an agent for change."
If you buy that, then maybe you'd like to buy some cyber swampland that some black hats are trying to unload?
If an RSA-led march to cyber utopia left you choking, then how about this one? A Morgan Stanley report claims that Tesla Motors' driverless cars will bring about a utopian society by 2026.