RSA chief Art Coviello brushed off the scandal over RSA business practices that caused a schism in the security community and nearly sank the RSA Conference in San Francisco this week.
Rather than add any detail about RSA’s widely criticized involvement with National Security Agency (NSA) efforts to weaken encryption standards, or do anything to make amends with RSA attendees and speakers who bailed out of the conference in protest, Coviello called for an international effort to bring peace to the Internet, attacked the NSA, and described RSA’s business as its contribution to a new era of international cyber diplomacy.
“We must do what we do best: develop and implement the technologies that will protect us now and into the future,” Coviello said in his keynote (video), describing the role of RSA and other technology vendors in contributing to an effort to stop cyberwar, cybercrime, and introduce the rule of law to the global Internet.
Coviello spent only a few paragraphs of a speech whose transcription runs to 15 pages on the scandal that even speakers at the RSA Conference describe as a “civil war” among security advocates.
The controversy, for which Coviello admitted little or no fault, broke after a Dec. 20, 2013 Reuters story accused RSA of accepting $10 million from the NSA to knowingly include in its BSafe cryptography library a random-number-generation formula that the NSA had modified so that it could break the resulting encryption more easily.
Documents released by whistleblower and former NSA contractor Edward Snowden in September essentially accused the National Institute of Standards and Technology (NIST) of introducing an NSA-accessible backdoor into NIST cryptography standards, of which RSA was one of the most influential and effective distributors.
RSA denied the allegations in a public statement posted Dec. 22, 2013, which said it had added Dual EC DRBG to BSafe in 2004 because it was superior to the hash-based algorithms available at the time, and eventually made it the default method in BSafe because it was the method favored by NIST. When NIST, stung by accusations of its complicity with NSA’s encryption-weakening efforts, recommended the algorithm no longer be used, RSA dropped it as well, according to the statement.
“We categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use,” the statement read.
In his keynote speech the morning of Feb. 25, Coviello avoided addressing the accusation of bribery directly, pointing out that the NSA was an acknowledged RSA customer for years before the scandal broke. He also repeated the defense of Dual EC DRBG as superior to hash-derived number generators, but said RSA went with the new algorithm because that’s what his customers wanted: “Given that RSA’s market for encryption tools was increasingly limited to the U.S. Federal government and organizations selling applications to the federal government, use of this algorithm as a default in many of our toolkits allowed us to meet government certification requirements.
“And that brings us to today…” he said in an effort to leave the controversy behind. “When or if the NSA blurs the line between its defensive and intelligence-gathering roles, and exploits its position of trust within the security community, then that’s a problem,” he said. “If, in matters of standards, in reviews of technology or in any area where we open ourselves up, we can’t be sure which part of the NSA we’re actually working with and what their motivations are, then we should not work with the NSA at all.”
The NSA’s Information Assurance Directorate (IAD), which works with technology vendors on encryption standards and issues security guidelines such as its Best Practices for Securing a Home Network, is valuable and should be spun out into a separate group that is part of a different agency, Coviello said.
The NSA’s intelligence-gathering should be focused only outside the U.S., and the agency should be recognized as one of a long list of state-sponsored intelligence agencies raising international tensions online and in the real world. The cyberespionage and cyberwar strategies being pursued by the U.S. and other countries are not constrained online the way they are in the real world, by diplomatic standards of behavior and barriers built on international law. As ineffective as those often are, they are eons ahead of the chaos of digital realpolitik.
“The resulting chaos and confusion that reigns online, in the media and in legislatures and courtrooms around the world reflects the lack of digital norms,” Coviello added. “If we don’t figure out digital norms, and do so quickly, the alternative may be extinction of the Internet as a trusted environment” to do business, coordinate research and development and even to communicate. Without strict controls on the use of viruses and hacks as cyber-weapons, limits on the use of the Internet as a field of war, protections that let business be conducted and intellectual property be protected, and protections for the privacy of individuals, the Internet will become all but unusable by anyone except warring intelligence agencies and criminals.