RSA 2014: RSA Chief Coviello Tries To Answer $10m Question Over NSA

Coviello kicks off the PR push after claims of NSA payoff, whilst anti-surveillance activist Bruce Schneier appears to be sympathising with the company

Art Coviello, chief of security company RSA, today attempted to answer questions surrounding an alleged $10 million payoff from the National Security Agency (NSA) to include a software vulnerability in one of its products.

RSA has denied any collusion, whilst even cryptography expert and anti-surveillance activist Bruce Schneier has expressed sympathy for RSA, telling TechWeekEurope the firm was not as culpable as had been suggested.

RSA explains its side of the story

Coviello did not talk specifically about the reported monetary deal with the NSA, but did urge governments across the world to respect and ensure the privacy of all individuals. He suggested RSA had included the flawed random-number algorithm in its kit only because it trusted the standards body that had given the code its stamp of approval, the National Institute of Standards and Technology (NIST).

When NIST warned of weaknesses in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual-EC-DRBG) algorithm in 2007, RSA duly informed customers, Coviello said. He noted that the use of the algorithm helped the company meet government security requirements, adding that it was no secret RSA had worked with the NSA in the past.

“Has RSA done work with NSA? Yes, but that fact has been a matter of public record for nearly a decade,” Coviello said, pointing out that many security vendors work with the defensive arm of the NSA, the Information Assurance Directorate (IAD).

The RSA chief said he supported moves to reform the NSA, whilst urging other global intelligence agencies to curb their offensive operations.

“If we can’t be sure which part of the NSA we’re actually working with, then we should not [work] with the NSA at all… the IAD should be spun out and managed by a different organisation,” he added.

“Sadly much of the great work of the IAD [has been forgotten] amidst the feeding frenzy around this… It is not only sad, it is dangerous for this country.

“I don’t want to limit this critique to the NSA, all nations spy on each other. I would repeat this to all governments and intelligence agencies.

“All intelligence agencies need to adopt [models] that enable them to defend us not offend us.”

Coviello urged all nations to renounce the use of cyber weapons and the use of the Internet for war. “The genie is out of the bottle on cyber weapons… unlike nuclear weapons [they] can propagate quickly and turn on the developer.”

Coviello was speaking at RSA Conference 2014, which a number of noted security professionals, such as F-Secure’s Mikko Hypponen, had chosen to boycott over the reports of the NSA payoff.

A separate event, TrustyCon, was set up in protest at the apparent collusion with the NSA. It will take place later this week, just down the road from the Moscone Center in San Francisco.

The whole RSA Conference will likely be overshadowed by the NSA revelations. Last year, in questions about the Snowden revelations, Coviello told TechWeekEurope the whole industry, from vendors to intelligence agencies, had to become more transparent, suggesting anonymity was the “enemy of privacy”.


Schneier speaks

Bruce Schneier, renowned cryptography expert and current CTO at Co3 Systems, told TechWeek today he thought the story was more complex than had been made out, and that RSA was “not as culpable” as had been suggested.

“I think the story of RSA and the random number generator was much more complicated than we made it out. Technical changes, like making something a default, are part of a lot of big contracts, you just do that,” he told TechWeek.

“The algorithm remained in the NIST standard even after 2007, when we first had suspicions there might be a backdoor. RSA had to keep it in to comply with the standard. I just don’t think they are as culpable.

“We don’t know what the $10 million was for… my guess is that it was for quite a lot of things, which included, among a number of technical changes, making this a default. When a big customer asks you to do that, you just do it. And that was well before 2007 when no one knew anything.”
