BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
SAN FRANCISCO -- Much of the anticipation surrounding the 2014 RSA Conference hinged on one question: Would RSA executive chairman Art Coviello's opening keynote tackle the allegations that his firm inappropriately worked with the National Security Agency to weaken RSA's cryptography products?
When the NSA blurs the line between its defensive and offensive roles, that's a problem.
RSA executive chairman
In his speech Tuesday, Coviello did not ignore the elephant in the room, namely the December Reuters report that the security division of EMC Corp. accepted a $10 million payoff from the NSA to make a weak random-number-generation algorithm, known as elliptic curve cryptography (ECC), the default in its Bsafe line of crypto products.
Harkening back to the days when RSA was "leading the charge" against the U.S. government on such matters as the controversial Clipper chip, Coviello said the company and its flagship security conference was now sitting on the other side of the table, thanks to the NSA controversy. Much of the ensuing storm surrounding the ECC allegations, according to Coviello, has been based on false perceptions.
Coviello said that after the crypto export controls, which hamstrung RSA throughout the '90s, were lifted around the turn of the millennium, much of the world had already implemented the RSA algorithm through open source toolkits. RSA adapted to that reality by backing a number of encryption standards initiatives, including those governed by the National Institute of Standards and Technology (NIST).
In the case of RSA's support for ECC, Coviello claimed that the security industry was largely already supporting it and that NIST approval was seemingly inevitable when the company threw its support behind the fledgling algorithm. As for why ECC was made the default in a number of RSA's security products despite claims of a potential backdoor in the algorithm dating back to at least 2007, Coviello provided a very simple, financial-based reason.
"Use of this algorithm as the default in many of our toolkits allowed us to meet government requirements," Coviello said. "Last September, NIST issued new guidance to stop use of the algorithm [based on reports of a potential backdoor]. We immediately acted on that advice and took that out of our products."
Coviello also noted that the relationship between RSA and NSA has long been known because the company and many others involved in the security industry work directly with the Information Assurance Directorate (IAD), the defensive branch of the agency. IAD is responsible for, among other things, protecting critical digital infrastructure.
Coviello said many of the perception problems in recent months are the result of this confusing relationship between the defense-oriented IAD and tech companies, while other operations with the NSA are involved in offensive operations and widespread surveillance.
"Regardless of these facts, when the NSA blurs the line between its defensive and offensive roles, that's a problem," Coviello said. "If we can't be sure which part of the NSA we are actually working with and what their motivations are, perhaps we should not be working with the NSA at all."
Coviello threw his support behind the recommendation made by the presidential review group that detailed the activities and other government intelligence agencies, especially in regard to spinning out the IAD branch on its own. "Creating separation between the offensive and defensive capabilities of the NSA" would go a long way toward mending the trust between the security industry and the government, he said.
Denny Dean, an RSA attendee from a Massachusetts-based insurance firm, said he was happy to see that Coviello "took a swipe" at trying to address the NSA concerns, though he still isn't entirely sure what transpired between the company and the government agency after the keynote.
Dean said that RSA makes "good products and services," a fact that shouldn't be disregarded in the current debate among security industry professionals. "I don't think that there's a problem with doing business with RSA today," Dean said. "From a practical perspective, I'm probably not going to shun the company."
Microsoft's Charney addresses bulk data requests
Though RSA's Coviello danced delicately around the company's relationship with the NSA, Microsoft's Scott Charney instead decided to take the bull by the horns in his keynote at the RSA Conference.
According to the leaks from NSA contractor Edward Snowden, Microsoft was one of several tech giants, along with Google and Apple, that allowed the NSA essentially unfettered access to user data. Charney categorically denied any case of wrongdoing on the part of the Redmond, Wash.-based software giant.
"We only respond to court orders that specify particular accounts," Charney said. "We have never gotten any order for bulk data, and we would fight an order for bulk data.
"We don't put backdoors in our products and services," Charney continued, adding that it would be "market suicide" for Microsoft to do so.
Charney noted that he felt such statements clarifying NSA's request for Microsoft data were largely unneeded because the organization is driven by "transparency principles." Those principles, for example, mean that Microsoft makes the source code of its products available for review to foreign governments concerned about "American backdoors."
Attendee Kevin Hoffman, a monitoring engineer with wholesale retailer Costco, said he was unsurprised that the NSA allegations surfaced in the keynotes, though he was not expecting the discussion to dominate the talks. He said that the Snowden leaks were not particularly shocking, because he worked under the assumption that the government would perform such surveillance activities.
Hoffman said he had never heard of the principles Charney mentioned, but that he's "glad they exist."
"I hope Microsoft follows them as much as they say they do. You never know what they can and can't tell, because if they are working with the government, there are certain things they wouldn't be able to disclose," Hoffman said. "They could still fight it, but they wouldn't be able to fight it publically."
Microsoft, according to Charney, has shifted in one meaningful way due to the information stolen and leaked by former NSA contractor Edward Snowden. The company now often hears concerns from customers of its cloud services abroad about where their data is being stored, he said, and the company has responded by slowly making more data centers available in different locations around the globe.
"We're increasingly paying attention to the location of data," Charney said. "Data still lives in a place. You can split it up and move it around, but it still lands somewhere."
At the Cloud Security Alliance Summit keynote yesterday, former U.S. cybersecurity czar Richard Clarke said such calls for data localization were largely driven by economic concerns, namely, allowing cloud service providers abroad to be more competitive with American companies, but that the NSA and other government agencies can break into servers anywhere.
What's the remedy?
Both Coviello and Charney called for the establishment of digital "norms," namely for establishing the right to privacy for users of the Internet, and establishing some sort of governing framework among nations for the cyber activities of their respective intelligence agencies.
Coviello said he believes that governments, the industry and citizens must work together to solve these growing issues. In particular, he said that personal information has become the "true currency of the digital age," calling for measures to be put in place to protect the integrity and privacy of that info.
More RSA stories
View all of our RSA 2014 Conference coverage.
Coviello admitted that such broad measures are unlikely to be implemented in the near future, though. Instead of waiting for such actions, he said the security industry must take a more active role in solving these problems in the interim, with an eye placed on future ramifications.
"While we need to help governments develop digital norms, we also need to develop the capabilities to secure those norms in the future," Coviello said. "We must do what we do best: develop and implement the technologies that will protect us now and in the future."