RSA may well have earned much of the criticism being heaped upon it for allegedly enabling a backdoor in one of its encryption technologies under a contract with the National Security Agency. But singling out the company for reproach deflects attention from the role that other technology vendors may have had in enabling the NSA's data collection activities.
Over the last few days, at least eight well-known speakers have canceled talks or panel presentations at next month's RSA Security Conference to protest the company's relationship with the NSA.
Those who have withdrawn from the event include Mozilla's privacy chief Alex Fowler, Google security researchers Adam Langely and Chris Palmer; special counsel at the Electronic Frontier Foundation, Marcia Hofmann; chief research officer at Finnish security firm F-Secure Mikko Hypponen; and Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union. More may join them in the coming days.
The protests stem from a Dec. 20 Reuters article, which alleged that RSA had embedded a flawed random number generator, developed by the NSA, into its BSafe encryption software. The article, based on documents leaked by former NSA contractor Edward Snowden, appeared to confirm earlier suspicions about the security of the technology.
According to Reuters, RSA received $10 million in exchange for making the NSA's Dual Elliptic Curve algorithm the default option for random number generation in the company's encryption toolkit. The report noted the possibility that the government may have misled RSA officials about the true nature of the software.
In the days since the report was published, many within the security industry have slammed RSA, a subsidiary of EMC Corp., for selling out to the spy agency. RSA is a pioneer in encryption and its products are used by millions of companies and consumers to protect sensitive documents. That the company may have weakened its own encryption products to enable NSA snooping has shocked many.
The boycott by the eight speakers is the latest manifestation of that outrage.
Hypponen, one of the first to pull out from the conference, accused RSA of continuing to use the flawed random number generator despite knowing for years that it had a built-in backdoor.
In an open letter to the chief executives of RSA and EMC, Hyponnen said he was canceling his talk because of RSA's tacit admission that it had accepted $10 million from the NSA to embed the flawed random number generator.
"Your company has issued a statement on the topic, but you have not denied this particular claim," he wrote.
Several others who have canceled their appearances at RSA expressed similar sentiments in blog posts and Twitter messages. Jeffrey Carr, founder and CEO of security consultancy Taia Global, called for more transparency from RSA and EMC leadership.
"It is vitally important that those of us who profoundly object to RSA's $10 million secret contract with the NSA do more than just tweet our outrage," Carr blogged. "We need to take action."
Hugh Thompson, chairman of the RSA Conference program committee, on Wednesday expressed his dismay at the developments and noted that the conference itself is vendor neutral and separate from RSA, the company. He also noted that the number of people who have said they would boycott the event represents a small portion of the 570 confirmed speakers. The conference provides a great venue for the security industry to discuss the issues raised by revelations of the NSA's surveillance activities, he said.
The criticism directed at RSA is understandable if the claims in the Reuters story are accurate. But RSA may not be the only company that has either accidentally or deliberately helped the NSA.
Recent reports by German magazine Der Spiegel revealed how the NSA developed exploits and hacked backdoors into networking equipment, PCs and servers from some of the world's biggest technology vendors, including Cisco, Juniper Networks, Dell, Huawei and Hewlett-Packard.
The tools, developed by a specialized group of hackers from within the NSA's Tailored Access Operations (IAO) unit, are listed in a 50-page product catalog and are used by the NSA for tasks like penetrating network routers and firewalls and monitoring mobile phone calls, according to Der Spiegel. So far, there is no evidence that any of the vendors whose products the NSA has gained access to, worked with the agency to enable that access.
But it is likely that at least a few of them were approached by the spy agency in the same way it approached RSA. Given the extensive arsenal of tools the NSA has at its disposal, it is nearly inconceivable that none of the vendors had an inkling that their products had been compromised.
The Reuters report suggests that RSA was the biggest distributor of the flawed random number generator but not the only one. NSA documents leaked by Snowden have clearly referred to the agency's seeking and building commercial relationships to help with its data collection efforts.
Companies including Google, Microsoft, Yahoo and others have claimed they had no idea the NSA was siphoning data from their networks by tapping into the fiber cables connecting their data centers. But they should have, said John Pescatore, director of emerging security trends at the SANS Institute.
"A lot of the reaction from the large tech companies, like Microsoft, Google, Yahoo and others ...is disingenuous," Pescatore said. "The fact that NSA, the UK, China, and probably France and Germany, could eavesdrop on fiber optics has been long known and even publicized. Companies that chose not to encrypt made a risk-based decision to save money by saying the consequences of government interception are not enough of an impact for us to spend the money," he said.
For RSA and other U.S. technology vendors, the Snowden leaks mean that they will need to do what Huawei did in the U.K. back in 2010, when the Chinese company had to convince the UK government that the telecom equipment BT wanted to buy did not have backdoors installed by the Chinese government, he noted.
Huawei had to invest in a testing center in the UK to support the GCHQ, NSA's counterpart in the UK, in inspecting its source code. U.S. companies may have to do the same to show their products have not similarly been backdoored by the NSA, he said.
"I think the public as well as security practitioners are rightfully looking for answers to whether any organizations have colluded or been complicit with the internal top secret goals of the NSA," said Lawrence Pingree, an analyst with Gartner.
But for the moment, not enough information is publicly available to determine whether what RSA did is unique.
"To bring some sanity back into this discussion, we must remind ourselves that the information disclosed from the Snowden breach was in fact top secret," Pingree said. So even if a company had cooperated with the NSA at some level, only a few would have known about it.
Rich Mogull, an analyst with security consulting firm Securosis said the criticism directed against RSA is based on incomplete information. "I think they are being hit far harder than the facts warrant," he said. "All we have is one article, and the underlying evidence has not been made public.
"Now if it comes out that RSA deliberately weakened BSAFE to assist the NSA in eavesdropping, they deserve a flailing. But we don't have even close to enough information to make that decision yet. When we learn more, perhaps the time will come to take action against RSA, but not the conference."
This article, The NSA blame game: Singling out RSA diverts attention from others, was originally published at Computerworld.com.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is [email protected].
Read more about security in Computerworld's Security Topic Center.