[EDITOR'S NOTE: The opinions expressed in this Commentary are those of the author and do not reflect the position of InformationWeek or its parent company, UBM LLC.]
In early November, I was pleased to announce (via my Twitter feed, @dak3) that one of my proposals had been accepted for a presentation at the RSA Conference in San Francisco in February. I was especially pleased because this was my first acceptance (in three tries), and I know how hard it is to garner a spot on the agenda. Some years ago, I was the sole referee for the conference's identity management track. I reviewed more than 1,000 proposals, which I had to whittle down to 25, so that the event organizers could pick the five that would actually make the agenda.
So it was with great reluctance that I've canceled my presentation in light of unsettling news reports about RSA's involvement with the US National Security Agency. Just before Christmas, Reuters published a story based on revelations from the papers and documents stolen by former NSA contractor Edward Snowden. "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry."
The story cited a New York Times report that said the Snowden documents "show that the NSA created and promulgated a flawed formula for generating random numbers to create a 'back door' in encryption products." The flawed algorithm, Dual Elliptic Curve (Dual_EC_DRBG), was reportedly made the default random number generator in RSA's BSAFE library, the toolkit developers use to add cryptography to their products. Because a random number generator feeds every key and nonce a product creates, anyone who can predict its output can, in effect, read what the product encrypts.
After the Reuters story, RSA, a unit of EMC, said in a blog post: "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use." I believe RSA. That's what really troubles me.
It troubles me because RSA did introduce a backdoor, though unknowingly, and made it the default choice. Security experts who have examined RSA's software package have confirmed that fact. (The weakness was not a secret: cryptographers showed publicly in 2007 that whoever generated Dual EC's fixed constants could predict its output.) RSA's statement doesn't deny taking $10 million from the NSA. According to the Reuters report, the NSA signed a $10 million contract with RSA on condition that RSA make Dual Elliptic Curve the default generator in BSAFE. Reuters further reports that the NSA then cited RSA's adoption of the algorithm as evidence to persuade NIST to include it in the federal standard for random number generation (NIST SP 800-90, in which Dual EC became one of four approved generators).
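To make concrete what a "flawed formula" with a "back door" means here, the following toy Dual_EC_DRBG is an added example written for this page; it is not code from the column, from RSA's BSAFE or from NIST. The curve over F_1019, the base point, the seed 617 and the "secret" scalar are illustrative assumptions, and the attacker-side functions (recover_state, predict_next) are hypothetical names. The structure is the real one: the generator walks a state through two fixed points P and Q, and whoever chose Q as a known multiple of P can turn one truncated output back into the generator's next state.

```python
"""Toy Dual_EC_DRBG with its trapdoor (added example; parameters are assumptions).

Shape follows Dual_EC_DRBG in NIST SP 800-90A: state s, r = x(s*P), next state
x(r*P), output x(r*Q) with the top bits dropped. If Q = e*P for an e known to
the designer, then d = e^-1 mod n gives d*Q = P, and one output leaks the state.
"""
from math import gcd

FP = 1019            # prime with FP % 4 == 3, so sqrt(v) = v^((FP+1)/4) mod FP
A, B = 3, 5          # curve y^2 = x^3 + A*x + B over F_FP (toy size, assumption)
INF = None           # point at infinity
DROP_BITS = 2        # real Dual_EC drops 16 of 256 bits; the toy drops 2 of 10
OUT_BITS = FP.bit_length() - DROP_BITS
OUT_MASK = (1 << OUT_BITS) - 1

def add(p1, p2):
    """Affine point addition, including doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def x_of(pt):
    """x-coordinate as an integer; the toy maps infinity to 0."""
    return 0 if pt is INF else pt[0]

def lift_x(x):
    """A point with this x-coordinate, or None. Either sign of y serves the
    attacker, because x(d*R) == x(d*(-R))."""
    rhs = (x * x * x + A * x + B) % FP
    y = pow(rhs, (FP + 1) // 4, FP)
    return (x, y) if y * y % FP == rhs else None

def order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur = add(cur, pt)
        n += 1
    return n

# Base point P (named G here): the highest-order point among the first few on the curve.
_pts = [p for p in (lift_x(x) for x in range(1, 40)) if p is not None]
G = max(_pts, key=order)
N = order(G)

# The trapdoor: Q is e*G for an e only the designer knows; d undoes it (d*Q == G).
SECRET_E = next(e for e in range(101, 101 + N) if gcd(e, N) == 1)   # assumption
Q = mul(SECRET_E, G)
TRAPDOOR_D = pow(SECRET_E, -1, N)

def dual_ec_step(s):
    """One generator step: returns (next_state, truncated output)."""
    r = x_of(mul(s, G))
    return x_of(mul(r, G)), x_of(mul(r, Q)) & OUT_MASK

def dual_ec_outputs(seed, count):
    outs, s = [], seed
    for _ in range(count):
        s, t = dual_ec_step(s)
        outs.append(t)
    return outs

def recover_state(t1, confirm, d):
    """Attacker holding d: for each x consistent with the truncated output t1,
    lift it to R = r*Q, take x(d*R) = x(r*G) = the generator's next state, and
    keep the candidates that reproduce the following outputs in `confirm`."""
    xs = [t1 | (hi << OUT_BITS) for hi in range(1 << DROP_BITS)]
    cands = [c for c in (lift_x(x) for x in xs if x < FP) if c is not None]
    cands += [INF] if t1 == 0 else []      # toy convention: x(infinity) == 0
    survivors = set()
    for R in cands:
        s = state = x_of(mul(d, R))
        for expected in confirm:
            state, t = dual_ec_step(state)
            if t != expected:
                break
        else:
            survivors.add(s)
    return survivors

def predict_next(states, skip):
    """Output each candidate state yields after `skip` further steps."""
    preds = set()
    for state in states:
        for _ in range(skip + 1):
            state, t = dual_ec_step(state)
        preds.add(t)
    return preds

if __name__ == "__main__":
    t1, t2, t3, t4 = dual_ec_outputs(617, 4)              # seed is an assumption
    states = recover_state(t1, [t2, t3], TRAPDOOR_D)
    print("recovered state(s):", states, "predicted t4:", predict_next(states, 2), "actual:", t4)
```

The generator itself is sound for anyone who does not know d; the weakness lives entirely in how Q was chosen, which is invisible to the user. The real algorithm runs on the NIST P-256 curve and drops 16 bits per output, so the holder of d tries about 2^16 candidate x-coordinates instead of four, and a few consecutive outputs are enough to pin down the state. Replacing Q with a point generated verifiably at random (or simply not using Dual EC) removes the trapdoor, which is why making it the default mattered more than merely shipping it.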
This was a business decision, not a technology decision. If the Reuters story is true -- and RSA hasn't denied the crux of its allegations -- the security of RSA's customers and its customers' customers was put at risk for monetary gain. (When contacted via email, an EMC spokesman declined to respond to questions about the nature of the NSA's $10 million payment to RSA, or to a request for the company's reaction to threatened conference boycotts. More on the boycotts later.)
Even more telling for me was the widely reported compromise of RSA's SecurID hardware tokens in 2011. The company was compromised by a phishing attack, which led to a data breach in which information about SecurID tokens, widely reported to be the per-token seed values from which the one-time codes are derived, was taken. That stolen data was then used in attacks (which may or may not have been successful) on US defense contractors such as Lockheed Martin, L3 Communications, and Northrop Grumman.
That a security vendor could so easily have its security breached is, at best, unfortunate. But taken alongside this latest set of allegations, it's too much to ask me to swallow.
I haven't been a fan of RSA since EMC took over (and pushed EMC execs into the management of all RSA divisions) and the people who had been the heart and soul of RSA began to leave. When the SecurID breach occurred, I urged readers to find another security partner. This latest revelation has led me not only to pull out of next month's RSA Conference, but also to stop supporting the purchase of RSA products. I leave that decision to you.
(Note to readers: InformationWeek's parent company, UBM LLC, owns Black Hat, an RSA Conference competitor, though UBM Tech editors regularly attend the RSA Conference. As we've reported here, at least nine leading information security and privacy experts now say they will boycott the conference.)
Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will. Security is hard enough without having to worry that our suppliers -- either knowingly or unknowingly -- have aided those who wish to subvert our security measures.
Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity management to a generation of technologists.