Why did security firm RSA accept $10 million from the National Security Agency in 2004?
That unanswered question is behind the decision by at least nine leading information security and privacy experts to boycott next month's RSA Conference in San Francisco.
Contacted via email, a spokesman for EMC -- which purchased RSA in 2006 -- declined to offer further details about the nature of the NSA's $10 million payment to RSA, and declined to comment on conference speakers' threatened boycott of the RSA conference, which is owned by EMC but independently run. (Full disclosure: InformationWeek's parent company, UBM LLC, owns the Black Hat security conferences.) RSA conference program committee chairman Hugh Thompson -- who is CTO of Blue Coat and not an RSA employee -- didn't immediately respond to an emailed request for reaction to the threatened boycott.
The NSA's previously secret $10 million contract with RSA was first reported by Reuters on December 20, 2013. That report, which was based on interviews with a dozen current and former RSA employees, alleged that RSA accepted the money in exchange for selecting a weak random number generator as the default for its BSAFE encryption libraries, which developers use to add encryption to their products.
In response, EMC issued a "RSA response to media claims regarding NSA relationship" statement, saying that its decision to use the NSA-promoted Dual Elliptic Curve algorithm as the default for BSAFE was made "in the context of an industry-wide effort to develop newer, stronger methods of encryption." It also said that "at that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."
Many information security and privacy experts, however, have said that RSA's explanation didn't go far enough. In particular, they've called on the company to come clean about whether it -- knowingly or not -- compromised customers' security in exchange for a $10 million licensing contract.
Some security experts, however, have gone further. Indeed, less than 24 hours after RSA released its statement, Mikko Hypponen, chief research officer at F-Secure, published an open letter to EMC and RSA saying that he would be canceling his planned RSA Conference talk, titled "Governments as Malware Authors." He later updated that letter to say that no one from F-Secure would be attending or exhibiting at the conference.
Hypponen, whose past RSA talks have been well regarded and highly attended, said the rationale for his boycott was, in part, personal: He's a Finn, and thus any surveillance operations that the RSA may have abetted could affect him personally. "I don't really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA," he wrote in his letter to EMC and RSA. "In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway -- why would they care about surveillance that's not targeted at them but at non-Americans."
But the boycott quickly spread beyond Europe. By Wednesday, notably, eight more RSA conference speakers or panel participants said they planned to either boycott their presentations, or the conference altogether. They include Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project; Google senior staff software engineer Adam Langley; attorney Marcia Hofman; and Taia Global CEO Jeffrey Carr.
Carr said the issue for him isn't whether RSA worked with the NSA. "The reason why I pulled my talk (and why most if not all of us did) is not b/c of RSA's 'NSA ties,' " he said in a comment posted to a Washington Post story. "It's because RSA has refused to explain why it took $10m from the NSA to use its encryption algorithm in its BSAFE product in 2004."
The ACLU's Soghoian, meanwhile, was more blunt. "I've given up waiting for RSA to fess up to the truth," he said via Twitter.
Another scheduled speaker who plans to boycott the conference is Dave Kearns, senior analyst at KuppingerCole. Like some other security experts, he's called on would-be attendees to boycott the entire show. "While boycotting the conference won't have a big impact on the company's bottom line, the resulting publicity will," Kearns said in an InformationWeek opinion column. "Security is hard enough without having to worry that our suppliers have -- either knowingly or unknowingly -- aided those who wish to subvert our security measures."
Robert David Graham, CEO of Errata Security, said in a blog post that he hadn't presented at RSA in years. But from now on, he said, he'll boycott anything with "RSA" in the title, and he called on everyone else to do so as well. "The reason isn't that I'm upset at RSA, or think that they are evil," he said. "I think RSA was mostly tricked by the NSA instead of consciously making the choice to backdoor their products. Instead, what I care about is sending the message to other corporations, that they should fear this sort of thing happening to them."
"If you are a security company, and you get caught backdooring your security for the NSA, you should go out of business," he said.