Analysis: What is RSA’s relationship with the NSA?

After RSA 2014, are we any closer to understanding RSA's relationship with the NSA?

The opening keynote of RSA Conference 2014 has raised questions around what exactly RSA executive chairman Art Coviello was saying about RSA’s relationship with the US National Security Agency (NSA).

He wasted no time in tackling accusations that RSA colluded with the NSA to sabotage a common encryption algorithm, but are we any closer to knowing the true nature of RSA’s relationship to the NSA?

Coviello said it was a matter of public record that RSA had done work with the NSA, but said the NSA was not a monolithic intelligence-gathering organisation.

He said the agency has a defensive arm called the information assurance directorate (IAD) that defends information systems and US critical digital infrastructure.

In practice, Coviello said RSA and most security and technology companies work primarily with this defensive unit within the NSA, which provides valuable intelligence on cyber threats.

More on the RSA Conference 2014

However, he also said that when or if the NSA blurs the line between its defensive and intelligence gathering roles, and exploits a position of trust within the security community, that is a problem.

“Because, if in matters of standards, in reviews of technology or in areas where we all open ourselves up we cannot be sure which part of the NSA we are actually working with, and what their motivations might be, then we should not work with the NSA at all.”

Rather than laying matters to rest, some conference attendees said it was not clear what Coviello meant. Did the NSA blur the lines? Was RSA misled? What was he actually saying?

Computer Weekly put the question to Coviello, who said: “What it means is: we don’t know. And it is a hypothetical. ‘When or if’ – when they do something like that, it is a problem. If they have done something like that, it is a problem. But it is a hypothetical. So the answer is: we don’t know.

But, he said, RSA had acted immediately on the guidance from the National Institute of Standards and Technology (Nist) to stop using a particular algorithm because of concerns over a theoretical attack.

“As I said in the keynote, you have to bear in mind the perspective that in 2000, RSA’s crypto business started to go away," he said.

The only thing the Snowden document says is that the NSA wanted to compromise commercial crypto

“Recognising the inevitability of shrinking cryptography business, we participated less in being the driver of the standards and became more of a contributor."

For what remained of RSA’s crypto business, it relied on standards bodies to develop those standards with some RSA participation, and then it implemented those standards.

Because its footprint in crypto had shrunk and it was selling mainly into the US federal government, Coviello said RSA had no way of understanding much beyond what everybody else knew.

“I am not in the speculation business, but I can give you a hypothetical based on the fact that Nist advised not to use the algorithm.

“Now one of the issues is that people in the media have made conjectures on top of conjectures. The only thing the Snowden document says is that the NSA wanted to compromise commercial crypto.

“But it has been reported as fact that the Dual Elliptic Curve Deterministic Random Bit Generation (Dual EC DRBG) algorithm was the mechanism for doing that.

“That is just not true. So again, nobody knows because no one has actually broken it. Nist had a review, and they have not seen any way to break it,” he said.

So why did Nist issue guidance to discontinue using the algorithm?

Norms of behaviour have to be established

Coviello believes that Nist chose to take the algorithm out purely because of the theoretical attacks against it. “But, other than that, nobody seems to know,” he said.

Despite the media hype around the Snowden document and “unsubstantiated claims” about secret deals with the NSA, Coviello said RSA has had very few inquiries on the issue from customers.

“There has been no impact on our business. We are just not seeing customer concern because we do not have a big footprint in crypto, and so it is difficult to understand why this issue is getting so much media coverage,” he said.

Instead, Coviello said the discussion should be around the urgent need for digital norms around things like behaviour on social media, tracking of browsing habits, protecting personal information, cyber espionage, theft of intellectual property and cyber war.

“Norms of behaviour have to be established, and my point is that if we do not start having a dialogue about what those norms of behaviour are, then we are going to run into trouble.

“Instead of having digital technology, big data and the internet of things to help solve problems, we could be sowing the seeds of our own destruction,” he said.

For this reason, Coviello said he is asking nation states to start talking before some misguided individual is able to take advantage of billions of devices connected to the internet for destructive purposes.

In light of the fact that some countries have developed cyber weapons, he said a real concern is that these weapons could be used against those who developed them in the first place.

Information security professionals need to speak up to C-level executives and to the board of directors

“The only way to win this game, is for everybody to not play it,” he said.

It is also important to protect people’s privacy and personal freedom, but with personal freedom comes responsibility," said Coviello.

“But it is possible to have personal privacy and collective security at the same time. These things do not have to be mutually exclusive.

“And in the few places where privacy and collective privacy do not align perfectly, we need to recognise those, and figure out a transparent model to deal with it,” he said.

In his keynote, Coviello called on nations to renounce the use of cyber weapons, co-operate on tackling cyber crime, ensure economic activity is unfettered online and intellectual property rights are respected, and ensure privacy of all individuals.

“Consequently, I have been accused of being idealistic and naïve. Now I am not naïve, but if you don’t start, you are never going to make any progress,” he said.

Do information security professionals working in UK companies have a role to play in terms of these four principles?

“I do not think they need to become political activists, but I think voices need to be heard from people who have the knowledge.

“Information security professionals need to speak up to C-level executives and to the board of directors. Not with hyperbole but in a factual way so people understand the consequences of inaction.

It is possible to have personal privacy and collective security at the same time

“You need to give business leaders perspective because they will say ‘I am running a business, not a security business,' and that is fair. So give them risk context.

“Do not oversell the magnitude of the problem. Just help them understand the risk, and guide them to a decision.

“If they disagree, at least a disagreement will be with enough knowledge that they can make an informed decision.”

Coviello believes that the same needs to be done with political leaders to give them the information they need in a clear and concise way.

Read more on Privacy and data protection