Here’s how it works when a big company believes that its power is in its girth: They enter this bizarre world that leads them to believe that what comes from their PR organs is enough to float their troubles away. It’s all about denial and avoiding any potential shareholder backlash. And so we come to the sad state of affairs at RSA, the security division of EMC, one of the big-bellied enterprise kings that apparently made a deal with the National Security Agency.
It’s a deal that is now affecting the trust that people have in the company and raises questions about other technology companies and how they have profited from their relationships with the government. It’s fine enough for technology executives to sit down with President Barack Obama like they did last week and say how awful the NSA is behaving. But the RSA’s work with the NSA shows that technology companies need scrutiny as well. The reality: mistrust is spreading, writes security expert Bruce Schneier.
I think about this all the time with respect to our IT systems and the NSA. Even though we don’t know which companies the NSA has compromised — or by what means — knowing that they could have compromised any of them is enough to make us mistrustful of all of them. This is going to make it hard for large companies like Google and Microsoft to get back the trust they lost. Even if they succeed in limiting government surveillance. Even if they succeed in improving their own internal security. The best they’ll be able to say is: “We have secured ourselves from the NSA, except for the parts that we either don’t know about or can’t talk about.”
There’s proof that RSA made a deal with the NSA to use the spy agency’s random number generator as the preferred or default formula in Bsafe, its software for enhancing security on personal computers and other technologies, Reuters reports. This has put RSA in the bright light of scrutiny. The $10 million deal looks especially bad, considering the connection it has to documents released by Edward Snowden and reported by the New York Times in September. In those documents it was revealed that the NSA formula was actually flawed and had been used by the agency to create a backdoor into encryption products.
RSA said in a blog post on Monday that it does not ”ever divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.” But many in the security profession are just not buying it. Here’s a tidbit from an awesome rant and good summary of what happened from Melissa Elliott, a security analyst and novelist:
September 2013: Revelations derived from the Snowden leak show* that Dual EC is definitely deliberately backdoored by the NSA. RSA acts really surprised. RSA offers some weak excuse that elliptic curves were totally hip (literally in vogue) at the time. RSA does not mention anything about taking anyone’s money. Allegations are posted that an unspecified company accepted ten million dollars to make it their default. Everyone paying attention is pretty sure it’s RSA. (* Full disclosure: smart people disagree with the smoking-gunness of Dual EC being called out specifically by the leak. It’s complicated.)
December 2013: Reuters points to RSA specifically regarding the ten million dollars. RSA issues a non-denial of such magnitude that I’m driven to rage blog.
The denial makes their predicament worse than it now is. It has even led to a backlash. Mikko Hypponen, chief of research at F-Secure, announced this week in an open letter to EMC Chairman Joe Tucci that he would not participate in the RSA’s annual lavish conference slated for February in San Francisco. Hypponen is a well-respected security expert who had planned to lead a talk titled: “Governments as Malware Authors.”
It’s clear that the actions of RSA and EMC have cast a shadow across the IT world. Until now, it has been the NSA that has been perceived as the true force of darkness, worming its way into systems to monitor our data streams. Now we see a side of the business that is more intertwined with the NSA and by proxy, its agenda for spying.