RSA Executive Chairman Art Coviello defended his company's use of a flawed encryption algorithm with alleged links to the intelligence community, and later railed against the use of offensive cybertactics on a global scale, calling for a global dialogue to establish industry norms on the issue.
Speaking to thousands of conference attendees at the 2014 RSA Conference in San Francisco, Coviello did not deny that RSA had worked with NSA, nor did he repeat a previous denial that the company accepted $10 million to use a controversial encryption algorithm. He said the algorithm was set as a default in a software development toolkit to enable RSA to meet government certification requirements.
"Has RSA done work with NSA -- yes. But that fact has been part of public record for a decade," Coviello said. "We spoke to this issue, which is hard to do ... to provide any context for the state of the industry at the time, and the state of evolution of RSA's business."
Coviello's keynote comes as some eight speakers boycotted the conference over allegations, prompted by leaked National Security Agency documents, of a tie between NSA and the use of the algorithm. When Coviello took the stage, he was greeted with a chorus of boos mixed with polite applause and immediately sought to directly address why the company embraced the controversial DRBG encryption algorithm.
RSA's encryption tools had been under export controls until 1999, and most of the rest of the world had already implemented the RSA algorithm with open source toolkits, not RSA's technology, Coviello said. Under pressure to fuel business growth, the company expanded sales at the federal level and also put its weight behind standards bodies, Coviello said.
The encryption algorithm was adopted by the National Institute of Standards and Technology (NIST) in 2006 with little opposition, Coviello said. When NIST withdrew the controversial algorithm as an acceptable standard in September, RSA immediately acted upon that guidance and took steps to remove the algorithm from use, Coviello said.
Coviello said RSA works with NSA through its Information Assurance Directorate (IAD), an arm of the agency tasked with critical infrastructure protection, an area dominated by private-sector firms. "Most, if not all, security and technology companies work with this defensive unit within the NSA," Coviello said, calling on the presidential review panel's recommendation to separate IAD from the NSA.
"NSA blurs the line between defensive and intel-gathering roles and exploits a position of trust within the security community. That is a problem," Coviello said. "We can't be sure which part of NSA we are actually working with."
DRBG was recognized by NIST as a valid encryption algorithm at the time RSA adopted it, but experts in the cryptography community were widely critical of its use due to known weaknesses, said Paul Kocher, a noted encryption expert and president of Cryptography Research, a solution provider that is a division of Rambus.
NIST issued new guidance in September 2013, following leaked Edward Snowden NSA documents that alleged the intelligence agency used the weak algorithm as part of its surveillance activities. RSA issued an advisory telling developers not to use the weak algorithm and has since removed it from its toolkit.
"What needs to happen -- and is slowly happening -- is the discussion on a much clearer set of guidelines on what is and isn't appropriate for intelligence agencies and figuring out ways how the dark and dirty business of spying can coexist with ethics and adherence to law," Kocher told CRN.
Coviello also redirected attention to the use of offensive tactics. He embraced President Obama's review panel report on the extent of surveillance activity and called for an end of cybertactics that trample on the liberties of citizens around the world. He quoted presidents James Madison and John Kennedy on the importance of preserving civil liberties.
Coviello called on all nations to renounce the use of cyberweapons for waging war, cooperate internationally to investigate and prosecute cybercriminals, and to ensure economic activity and intellectual property rights are respected around the world, including the privacy of all individuals.
Conference attendees told CRN it was good that Coviello addressed the controversy swirling around the company head on, but said it will take time for trust to be re-established on a global scale. Solution providers said they have not experienced any pushback from existing RSA customers, but they say any fallout will have to be measured over time.
"It would have been better if he said all of this about a global dialogue last year," said Ling Lock, a Texas-based security consultant.
PUBLISHED FEB. 25, 2014