Cybersecurity experts and privacy advocates are continuing to press
Bedford cybersecurity company RSA to reveal more details about its
relationship with the National Security Agency’s spying program, with
some critics calling for a boycott of the company’s upcoming annual
convention.
A Dec. 20 Reuters article suggested that RSA, a division of the data
storage giant EMC Corp. of Hopkinton, received $10 million from the NSA
to modify one of its cybersecurity products, Bsafe, in a way that would
allow the spy agency to get around computer safeguards and access
sensitive data. Critics contend RSA has failed to clarify what its specific business dealings were with the NSA.
“I would want to see a clear statement from EMC about
what software they’re using, and what algorithms they’re using,” said
Matthew Green, assistant research professor of computer science at Johns
Hopkins University, referring to the compromised computer formula and
other security products.
RSA and EMC each declined to comment Friday.
The product in question, Bsafe, is a widely used
software tool designed to prevent hackers from breaking into software
applications and stealing data. It gives users a choice of several
formulas that generate random numbers needed to encrypt data.
Moreover, the RSA encryption software is used throughout EMC’s products,
raising the possibility that data stored on EMC systems might be
vulnerable.
The Reuters story said RSA installed a computer algorithm selected by
the NSA into Bsafe, and made it the default number generator, so that
it would more likely be used by customers. That could give the NSA the
means to break into applications protected by the RSA product.
Earlier this year, leaks by former government
contractor Edward Snowden revealed that the NSA had designed such an
encryption formula and made it available to the cybersecurity industry.
The Reuters article is the first account suggesting that RSA was paid
to be complicit in using the NSA algorithm. The story quoted some in
the industry who questioned whether RSA was duped into using the
encryption tool by the NSA.
This past weekend, RSA acknowledged it had worked with
the NSA on a computer code for its security products, as far back as
2004 — well before anyone had an inkling of the widespread snooping the
agency would conduct.
But RSA said, “We have never entered into any contract or engaged in
any project with the intention of weakening” its security products or
introduced vulnerabilities that others could exploit.
Earlier in 2013, RSA did acknowledge that the security formula in
Bsafe was flawed, and suggested clients stop using the default number
generator.
The company’s statement, however, has failed to mollify many critics,
who complained the company did not address some of the allegations in
the Reuters story.
Now, just eight weeks before the company hosts its annual conference,
one of the computer security industry’s most prestigious events, RSA is
facing a growing backlash, from cyber professionals and privacy
advocates alike.
Two prominent speakers have withdrawn from the conference, and talk
of a boycott of the RSA Conference is spreading on social media.
“There are going to be economic consequences, especially outside the
United States. The boycott of the RSA Conference is just the tip of the
iceberg,” said Nicco Mele, a technology and policy expert at the Harvard
Kennedy School.
Indeed, one of the first cybersecurity experts to withdraw from the
conference was Mikko Hypponen, a well-known privacy specialist and chief
research officer at the Finnish company F-Secure. Soon thereafter, Josh
Thomas, an executive with Atredis Partners in Houston, also canceled
his talk at the RSA Conference.
“I feel absolutely no need to go to that conference and speak, and by
my actions and my words to further the RSA brand,” said Thomas, who
worked for more than a decade developing artificial intelligence
software for the Army and cryptographic software for the Pentagon.
Previously RSA earned a reputation for fighting the government’s
efforts to weaken encryption tools. In the 1990s, under Jim Bidzos,
former chief executive, it helped quash an NSA program to get
telecommunications companies to adopt a chip that would make government
eavesdropping easier.
Now its credibility is being called into question.
“What can RSA say? You caught us here, but we haven’t done it
anywhere else? You can trust us?” said Bruce Schneier, author of
multiple books on data security and privacy.
More broadly, said Schneier, the NSA spying scandal is taking a toll on the American technology industry.
For instance, he said, Cisco Systems Inc. said last month that
customers in emerging markets are buying less of its equipment out of
concern about built-in back doors that could let US spies access their
data.
A bid by AT&T Inc. to buy the British cellphone company Vodafone
Group PLC has faced pushback from European regulators worried about NSA
infiltration of American telecommunications.
“This is the poison of what NSA has done,” said Schneier. “They’ve destroyed trust on the Internet.”
Meanwhile, some smaller security companies that offer similar
products to the RSA Bsafe tool kit may stand to benefit. One such firm
is Security Innovation Inc. of Wilmington, which offers its own security
algorithm to keep applications safe.
As a result of the Snowden leaks “you are seeing everyone rethinking
and reevaluating the relationships they have,” said Ed Adams, chief
executive of Security Innovation. “It’s an opportunity for smaller
security companies.”
Adams said that RSA has reached out to Security Innovation about
potentially working with his company. That could be a way for RSA to add
additional security formulas to its technology.
Adams did not provide details on what that partnership would involve.
While he would also like to see RSA respond to critics with more
information, Adams doesn’t fault RSA in this case. It is often
impossible, he said, to know the motivations and intentions of the NSA
when performing contract work for that and other government agencies.
“This is the yin and yang that you always have to manage when you are
trying to do business with the government,” said Adams, whose company
worked extensively with government spy agencies until it spun off that
business unit in 2005 and sold it to Raytheon Co. in 2008. “You are
always caught between two different missions.”