RSA 2012: Art Coviello – There’s Proof Governments And Cyber Crooks Are Collaborating

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Art Coviello talks to us about government and cyber criminal cooperation, icy relations with China and the exploit seller market

Art Coviello didn’t make many outrageous statements at RSA 2012 in London today, but he did make one rather big claim to TechWeekEurope: there is proof that nation states and cyber criminals are selling gear to each other and working together to breach organisations with super sophisticated techniques.

“We’ve seen evidence from our anti-fraud command centre. We hang out in the chat rooms, we see what’s for sale,” he told TechWeekEurope. “That is primarily circumstantial, but we had an advanced threat seminar in Washington a few weeks ago where a recently-retired member of our intelligence community was talking about the latest threats and he specifically called it out.

“It was something we suspected based on the circumstantial evidence and he in essence confirmed it.” He wouldn’t name any names, of course: “You won’t get me to say.”

Last year, RSA blamed a nation state for a hack of its own infrastructure, so should we assume that cyber crooks could have been involved too? “No criminal could have done this at the scale that they did it,” Coviello says.

He also admits he has no proof of what nation state was behind the hit, however. “If I had evidence, I would point the finger. Both law enforcement and the intel community told us that this type of attack was so sophisticated it could only be a nation state.”

The China question

That hack has spawned other pertinent questions. When RSA claimed a government was responsible for the 2011 hit, some fingers pointed to China, just as they did in the Aurora attacks of 2009, when Google and numerous other US firms were hit. In the tech industry, and elsewhere, relations between the US and China are somewhat fraught right now.

Huawei and ZTE are both getting the cold shoulder in the US, where the intelligence division of the House of Representatives suggested products of those companies should be banned. At question is whether they can be trusted, given their ties to the Chinese government. Cisco has also ended a reseller agreement with ZTE, claiming there was a chance that its equipment was ending up in Iran.

How does RSA get on in China? It doesn’t, not in the development space anyway. And it certainly doesn’t get any business from the Chinese Politburo. “We at RSA don’t do anything in China,” said Coviello, who noted it is “a little bit more difficult” to sell security kit that is made in China. “If you’re a security vendor, they [potential customers] are wondering why you’re developing security products in China.

“China acts the same way the US does – they don’t trust us any more than we trust them. The Chinese government doesn’t buy any of our products, but a lot of Chinese companies buy our products.”

‘Horrible’ exploit sellers?

Then there’s the question of zero-day exploit sellers, who can make up to $500,000 for selling information and tools relating to just one threat. It’s hard to gather what Coviello makes of outfits such as Netragard, Errata Security and Vupen.

If RSA wants a world where data sharing is ubiquitous, between partners and other players to boost general security, then surely it should have qualms about what such exploit sellers are doing. Coviello said he doesn’t know too much about it and isn’t willing to lay down his own personal judgment.

What if a company found an exploit in RSA’s software,didn’t inform the security firm and sold the code for hundreds of thousands of dollars? Wouldn’t Coviello be a little peeved then? “Yeah, I’d be pretty upset. I think it’s horrible.”

As for its partnership with defence companies who are thought to research exploits as part of offensive work, such as Lockheed Martin, Coviello said he “simply doesn’t know of that”. RSA is about providing defence, nothing more.

trust security - Shutterstock: © LightspringNevertheless, the RSA chief would be “shocked and disappointed” if the US government didn’t have offensive capability. “All countries spy and they spy with technology.”

Reaching for Bigger Data

As for the future, Coviello believes Big Data is the future for security, drawing together all the relevant pieces of information from within a company’s network and from external sources, such as partners or customers.

This future is one where perimeter defences become all but redundant, according to Coviello. As more and more data is thrown around, through various ports and end points, anti-virus and firewalls become increasingly hard to scale and manage. That might be why companies like McAfee are shedding workers. What companies need is insight into that data, said Coviello, and that is what RSA is going to give to its customers.

“People don’t think about what has happened in ten years since the dot-com bust,” he said. “What do you suppose happened to the perimeter where you open stuff up and move data around so fast?

“People are getting by that stupid perimeter, how can we detect them? You need some form of continuous monitoring to be able to do that.

“We need to take the log data, the packets and gather up data from all of these controls and this becomes the Big Data application. But this system needs information sharing at scale. You’re going to bring in external sources and internal sources to feed this beast.”

That data sharing won’t happen with any rival SIEM (security information and event management) providers though, as that intelligence is their IP. “We gather this information and we want to sell it.” So much for a collaborative security industry, in the SIEM space at least.

He promised some major updates to its SIEM pieces later this year. “We have something called NetWitness for Logs, which is the first instantiation of this… but we will be making announcements into the latter part of the fourth quarter, and into Q1 2013, on this.”

RSA will have to hope companies are interested in its Big Data sell, as its SecurID two-factor authentication products have taken a hit, since the 2011 attackers stole data relating to them, before using it to go after Lockheed Martin.

Coviello happily admits that he doesn’t expect to see growth in that segment for some time, not because of trust issues, but because of price pressures and the free token renewals it offered customers following the hack. “That will put pressure on that business,” Coviello added, noting that it could take 18 months before any uptick is seen in the SecurID business.

It’s a case of the bigger Big Data gets, the bigger RSA’s revenues get.

Are you a security expert? Find out with our quiz!