Information technology security firm RSA has been under scrutiny recently after Reuters reported the firm was allegedly awarded a $10 million dollar secret contract from the National Security Agency (NSA). The
revelation caused at least nine security experts to withdraw as speakers from the 2014 RSA Conference in San Francisco, including a senior software security engineer from Google. The RSA conference, which centers around cybersecurity, attracts more than 20,000 attendees annually.
On Tuesday morning, keynote speaker Arthur Coviello, executive chairman of RSA, addressed the NSA controversy, insisting the recent media storm has lacked crucial details that exonerate the security company from blame.
“Many people forget the NSA is not a monolithic intelligence-gathering entity,” Coviello said, explaining that RSA was working with the defensive branch of the NSA, the Information Assurance Directorate (IAD). The IAD provides products and services that secure national security information systems. The Department of Defense is the IAD’s largest customer. “Has RSA done work with the NSA? Yes–but that fact has been a matter of public record for nearly a decade.”
The anonymous sources alleged to Reuters that the NSA asked RSA to incorporate an intentionally flawed algorithm in one of its security products, creating a backdoor for the encryption process to be exploited. In December 2013, RSA
released a statement denying the allegations. “We have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use,” the statement read.
In the keynote, Coviello called for the NSA to create a governance model that would more clearly separate its defensive and offensive operations. “Creating distance between the offensive and defensive roles of the NSA would go far in repairing relationships and building trust,” he noted. “Sadly much of the great work of the IAD and all those people is getting lost in the feeding frenzy around this controversy.”
Coviello did not address the $10 million dollar contract with the NSA.
He went on to tie the discussion about the NSA into a larger message about governments protecting the individual freedoms of its citizens, noting that our personal information has become the real treasure that cybercriminals are after in the digital age. He said that the rapid modernization of technology has created a collision of interests among governments, businesses, and industry, leaving the world with a lack of societal norms to guide us in the digital age.
“Governments have a duty to create and enforce a balance that embraces individual rights and collective security,” he noted. “We as an industry need to do our part by developing and implementing the capabilities that secure those norms in the future.”