Art Coviello, executive chairman of RSA, rejected rumours that RSA is snooping for the US National Security Agency (NSA), in the opening keynote of RSA Conference 2014 in San Francisco.
He immediately tackled accusations that the security division of EMC had done a secret deal with the US National Security Agency (NSA) to use a purported backdoor in a common encryption standard.
“When last September it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, the National Institute of Standards and Technology (Nist) – as the relevant standards body – issued new guidance to stop the use of the algorithm, and we immediately acted on that guidance, notified our customers and took steps to remove the algorithm from use,” he said.
Although several high-profile speakers pulled out of the conference over the allegations, there was no noticeable impact with a record 25,000 attendees and 400 sponsors and exhibitors.
Coviello said it was a matter of public record that RSA had done work with the NSA, but said the NSA was not a monolithic intelligence gathering organisation, pointing out that the agency has a defensive arm called the information assurance directorate (IAD) that defends information systems and US critical digital infrastructure.
In practice, he said Nist, RSA and most security and technology companies work primarily with this defensive unit within the NSA and receive valuable intelligence on threats and vulnerabilities.
“But regardless of these facts, when or if the NSA blurs the line between its defensive and intelligence gathering roles, and exploits a position of trust within the security community, then that is a problem because if in matters of standards, in reviews of technology or in areas where we all open ourselves up we cannot be sure which part of the NSA we are actually working with, and what their motivations might be, then we should not work with the NSA at all,” he said.
To eliminate that possibility, Coviello said RSA endorses Nist’s new proposal for the creation of cryptographic standards.
RSA also supports the recommendation of president Obama’s review group on intelligence and communication technologies to simplify the role of the NSA – that it should be solely a foreign intelligence organisation and that the IAD should be spun out and managed by a different organisation.
“However it is done, creating greater separation between the offensive and the defensive roles of the NSA would go far to repair relations and rebuild trust,” said Coviello.
Changing gear, he said this critique was not limited to NSA because all nations spy on one another. “All governments and their intelligence agencies need to adopt a governance model that enables them to do more to defend us than to offend us,” he said.
Coviello said that while technology could bring enormous benefit, the same digital capabilities are also becoming “a path to a destructive power that rivals anything since the coming of the digital age”.
He said the world needs to figure out norms for behaviour and engagement in the digital realm quickly or risk the extinction of the internet as a trusted environment to do business, to coordinate research and development, and to communicate with each other.
Coviello called upon all nations to adopt and implement four principles to:
- Renounce the use of cyber weapons and the use of the internet for waging war.
- Cooperate internationally in the investigation, apprehension and prosecution of cyber criminals.
- Ensure that economic activities on the internet can proceed unfettered and that intellectual property rights are respected around the world.
- Respect and ensure the privacy of all individuals.
Coviello said we all live in a world that has been made less dangerous by accords on nuclear non-proliferation, the outlawing of chemical weapons and the outlawing of war in space, so there is no reason why the same cannot be done for cyber space.
As in previous keynotes, he called on the security industry to contribute by taking a more active role than ever before and advocating for the four principles he laid out.
“We must in a thoughtful, factual and persistent way raise the level of understanding and the consequences of inaction,” said Coviello.
“Instead of headline grabbing hyperbole, we must lay out a series of coherent, compelling arguments for why inaction leads to a lesser and more dangerous world for generations to come. We must shine a light on these issues and inspire our political leaders as never before,” he said.
Switching to a more commercial theme, he said the security industry must continue to develop processes and technology frameworks to implement an intelligence-driven security model.
“In all of my years in security, I have never seen the scale of investment and innovation that we are seeing today – and this is all happening none too soon,” said Coviello.
He said the expansion of the attack surface and increasingly sophisticated methods of malware have outpaced conventional controls.
“Never before has the need for intelligence-driven security been greater. We urgently need anti-malware that is intelligent enough to spot zero-day threats and block them. We urgently need security systems that are intelligent enough to see patterns of attack and, by correlating and analysing data from numerous sources across an organisation, give us the actionable information we need to respond,” he said.
Coviello concluded by reiterating his call on governments to adopt the four principles he outlined and on the security industry to create the secure frameworks and technology to support them.