
TrustyCon: Hypponen warns of government malware, loss of vendor trust

At the inaugural TrustyCon event, F-Secure's Mikko Hypponen decried the lack of trust in security vendors like RSA and warned of government malware.

SAN FRANCISCO -- "We're slaving away, not seeing what is going on in the world, and what we should do is wake up."


That was the closing plea that Mikko Hypponen, chief research officer for Helsinki, Finland-based security vendor F-Secure, issued to the security community during his presentation at the inaugural TrustyCon event, billed as the trustworthy alternative to the 2014 RSA Conference.

Hypponen's appearance at the upstart conference came on the heels of his decision to drop out of RSA Conference, an event he has spoken at nine times previously. The Finnish security researcher chose to boycott RSA in response to a December Reuters report, which detailed an alleged $10 million payout RSA received from the National Security Agency (NSA) in order to use a weakened random-number-generation algorithm as the default in one of its primary encryption products.

"Today I'm happy not to have an RSA Conference badge on me," Hypponen said. "The [RSA-NSA] revelations regarding backdooring or weakening security is the declaration of losing trust."

Infosec industry depends on trust

Throughout his impassioned talk, Hypponen emphasized that trust is a principle that is essential to the success of the security industry. He opined that the customers and users of security vendors' products "blindly trust" companies such as RSA, F-Secure and others to mitigate threats that they would otherwise be incapable of defeating on their own.

In the case of RSA, the NSA allegations dated back much further than last year; Hypponen noted claims, made as far back as 2007 by cryptography experts such as Bruce Schneier, that the company was utilizing weakened encryption standards. The company also suffered a high-profile breach in 2010, when attackers targeted the company's SecurID authentication tokens as a route into the network of several high-profile targets, including defense contractor Lockheed Martin.

Mikko Hypponen speaks at TrustyCon 2014.

"When a security company can't be trusted, what do they have left?" Hypponen asked rhetorically. His answer? "Very little."

Hypponen indicated that RSA is hardly the only vendor facing scrutiny. He said that the trustworthiness of U.S.-based security and technology companies is quickly eroding, pointing to a letter recently sent to 20 of the world's largest antivirus companies by Bits of Freedom, a Netherlands-based organization focused on digital rights. In that letter, the group asked whether the vendors had whitelisted government-authored malware. Most of those companies gave a prompt response in the negative, but U.S.-based AV giants McAfee Inc. and Symantec Corp. never replied.

In contrast, Hypponen said F-Secure's president and CEO Christian Fredrikson indicated in no uncertain terms that the company was not involved in any government operations, either in Finland or elsewhere, that involved purposefully ignoring the security of its customers, a policy the company has maintained publicly since 2001.

"If it's malware, we will protect our customers from it [regardless of the source]," Hypponen said.

Malware sophistication is 'world-class'

Hypponen said the escalating sophistication and wide-ranging use of government-sponsored malware, the original topic of Hypponen's canceled RSA Conference talk, means that security customers now more than ever must be able to trust their vendors.

Hypponen highlighted a number of malware samples widely thought to have been produced by the U.S. government, namely Stuxnet and Flame, though he emphasized that government entities around the globe are currently deploying malware against other countries' politicians and even citizens.

During the talk, he described in detail Flame's capabilities, which included the ability to forge Microsoft certificates in order to compromise the Windows software update process. He added that this sort of malware could only be created by a team of world-class cryptographers using the processing power of a supercomputer, resources typically only nation-states have at their disposal.

Harkening back to his earliest days in the security industry, Hypponen lightheartedly commented that while viruses were once "written by 15-year-olds for fun," today's adversaries are professional attackers in every sense. Even security companies themselves are becoming targets, as in the RSA SecurID breach.

Hypponen said he receives many questions from customers regarding whether F-Secure's products can "really defend them" from the most dangerous threats. He said he answers such questions with an analogy: banking malware, ransomware and similar threats are the equivalent of an average criminal performing a street mugging, which modern security products are more than capable of mitigating.

On the other hand, Hypponen described nation-state-sponsored malware as a force so well-crafted that many security companies simply cannot handle it, akin to the unrelenting and highly skilled fictional British spy James Bond.

"If James Bond wants to kill you, he will kill you. It is very hard to defend against James Bond," Hypponen said. "That doesn't mean we are giving up, but I'm just telling you it is very hard."

Attendee Jeffrey Brock, senior operations manager for cloud security and compliance for San Rafael, Calif.-based software vendor Autodesk Inc., said that he was drawn to TrustyCon because his own company "needs to establish trust" with its customers, making the notion of trust in the security community a worthwhile topic to him.

While he admired the "frank" discussion offered by Hypponen, Brock seemed unconvinced that government-authored malware poses a particularly unique menace, noting that companies need to be "as diligent as possible of any and all threats."

Brock also said that the security community has been aware of allegations involving backdoors in RSA products for a long time and that the world shouldn't have needed Snowden to highlight either issue. Still, he believed the conversations taking place at TrustyCon are important both for the security industry and the public at large.

"I think this conference is really focused on opening the curtains and demanding transparency," Brock said, "which I think in the long run, I don't see how any legitimate government is not going to have that transparency."


In the wake of the RSA/NSA controversy, are you losing trust in your security vendors?


In general, yes, trust in our security vendors and governmental entities has diminished. We have made recent security vendor changes as a result.

Mobility Software Products, Inc., a builder and supplier of InfoSec software products, is committed to establishing and protecting our Customer's Trust.

Stephen Datzman
CEO, Mobility Software Products, Inc.