When RSA chief Art Coviello opened RSA’s information security conference earlier this week, there was an elephant room.
The elephant? Allegation(s) that his company had provided an NSA designed “back door” in its BSafe software which made it easy for the agency to decrypt information that RSA’s encryption software was supposed to keep private.
RSA’s encryption software, by the way, is one of the most widely used and respected products of its kind.
And while Apple, Facebook, Google, Yahoo and other tech firms have also faced allegations of cooperating with the government in granting access to data, RSA, a division of EMC, was accused of something much bigger -- accepting $10 million for its cooperation.
RSA has categorically denied that this is the case.
The Industry Reacts
The RSA Conference, which is vendor agnostic, has traditionally attracted some of the cybersecurity industry’s leading thought leaders and practitioners -- so many, in fact, that over 2000 - 3000 typically make proposals to speak and only 300 - 400 can be accepted.
This year at least eight of those who were scheduled to speak dropped out citing moral reasons.
I've given up waiting for RSA to fess up to the truth re: the NSA and Dual_EC. I've just withdrawn from my panel at the RSA conference.— Christopher Soghoian (@csoghoian) January 7, 2014
Coviello Takes the Elephant by its Tusks
Coviello was scheduled to give the conference’s opening keynote. The program lists its title as “Redefining Identity in the Age of Intelligence-Driven Security.”
But that’s not what he talked about.
Instead he took the elephant by its tusks saying:
Unlike nearly 20 years ago when we (RSA) were seen as leading the charge against the government to secure the privacy of digital infrastructure, we've been accused of being on the other side of that battle.”
He claimed that context was missing in the accusations, then went on.
"Has RSA done work with the NSA? Yes. But the fact has been a matter of public record for nearly a decade," he said.
He then explained that RSA and most security companies work with the NSA's defensive arm, the Information Assurance Directorate (IAD), to ward off attacks. It seems that BSafe was intended to help governments track terrorists and other bad guys. (And, according to some accounts, a full third of BSafes purchases were made by governments.)
Coviello went on, “When or if the NSA blurs the lines between its defensive and intelligence gathering roles, and exploits its position of trust within the security community, then that's a problem," he said.
In an interview with the Wall Street Journal, he finished the thought, "If that is an issue, we can't work with the NSA."
Working Together, We Can Solve the Problem
Coviello had opened his keynote with an analogy President Kennedy had used during the Cold War, "Our problems are man-made. Therefore, they can be solved by man."
During his presentation he proposed a solution, namely that the computer security industry worldwide adopts four guiding principles:
1. Renounce the use of cyber weapons and the use of the Internet for waging war.
"We must have the same abhorrence to cyber war as we do nuclear and chemical war."
2. Cooperate in the investigation, apprehension and prosecution of cyber criminals.
"The only ones deriving advantage from governments trying to gain advantage over one another on the Internet are the criminals. Our lack of immediate, consistent and sustained cooperation, globally, gives them the equivalent of safe havens."
3. Ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected.
"The benefits to all of us from the improvements of productivity in commerce, research and communication are too valuable to not achieve agreement."
4. Respect and ensure the privacy of all individuals.
“Our personal information has become the true currency of the digital age. While it is important that we are not exploited, it is even more important that our fundamental freedoms are protected. Governments have a duty to create and enforce a balance, a balance based on a fair governance model and transparency.”
While there were, no doubt, some cynics in the audience listening to Coviello’s speech, it seems that those who were inspired outnumbered them. We found some thoughtful reactions on video