NSA Reports Sullying Vendors' Standings?News of 'Secret Contract' Causes Damage
Whether reports that the National Security Agency entered into a secret contract with security provider RSA are true or not - and RSA says they're not - the reputations of all American security vendors have been damaged.
That's because the perception is that the NSA will do whatever it takes to identify those threatening national security, even if it means manipulating security products sold by American vendors. NSA declined to comment for this blog.
The U.S. government needs to recognize and account for the deep harm that it is likely inflicting on American businesses because of these ... efforts.
Indeed, some industry experts believe the NSA would do almost anything to achieve its goals. "The odds that this is the only one is close to zero," highly regarded cryptographer Bruce Schneier says. "That the NSA program to subvert cryptography standards had exactly one success just seems kind of implausible."
Schneier doesn't have proof of NSA subversion with other vendors, but that doesn't matter. But when a noted cryptographer - especially the one who first raised in 2007 the possibility of the NSA tinkering with cryptography standards - questions the motives of the NSA to go to extreme lengths to enlist vendors to bypass encryption protections, the assumption that any product from any American vendor isn't safe from NSA meddling seems reasonable.
The news service Reuters late last week - citing two sources familiar with the supposed arrangement between the NSA and RSA - reported that RSA received $10 million to set the NSA formula as the default method for number generation in RSA's BSafe software.
No Intent to Weaken Security
RSA, in a blog posted Dec. 22, didn't address the $10 million payment, but said, "We categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
That blog post is believable because of the perception the NSA might have manipulated BSafe's default algorithm. The new reality facing security professionals charged with safeguarding their enterprises' digital assets is that they have no way of knowing if their vendors' products are pure because the vendors themselves may not know.
"The line of RSA being misled is the most plausible to me," says James Lewis, the cybersecurity expert at the Center for International and Strategic Studies, a Washington think tank. "Think of it as NSA shading the deal to gain an advantage in breaking the code."
There's an economic fallout from these events, too. Imagine a trade war among the world's two greatest economic powers over communications and security wares.
Western leaders have encouraged their nations' governments and businesses to avoid acquiring products from Chinese communications equipment manufacturers, such as Huawei Technologies and ZTE, because of qualms the Chinese government could manipulate them to pilfer government and trade secrets (see House Panel: 2 Chinese Firms Pose IT Security Risks). Is RSA (or perhaps other American technology and security manufacturers) any different from Huawei because of possible NSA manipulation?
We, in the West, may see the motives of the governments differently (the Chinese seek to steal secrets; the U.S. strives to defend against terrorists and other evil doers). But that perception - there's that word again - isn't necessarily shared by others around the world. Trust in America's Internet offerings is fading fast. No wonder American tech companies want President Obama and Congress to reform government surveillance programs: NSA interference has shaken the trust of these companies' customers worldwide, which could cause many overseas to avoid buying their products and services (see Online Firms Blast NSA's Tactics).
"The U.S. government needs to recognize and account for the deep harm that it is likely inflicting on American businesses because of these surveillance efforts," says Jacob Olcott, cybersecurity principal at the security advisory firm Good Harbor Consulting.
And a special panel reporting to Obama last week about possible reforms to the NSA understands the importance of keeping encryption free from government interference. The panel recommendations aims at preventing the NSA from subverting initiatives to create secure encryption to safeguard confidential communications and data (see Panel Recommends Limits on NSA Surveillance). The panel says it's aware of reports that the NSA had cracked much of the encryption that shields global commerce, but it says it could not find any evidence that the NSA circumvented encryption. Still, it suggests limits be placed on the NSA to encourage the proper use of encryption.
Between a Rock and ...
What should enterprise security officers do about this situation? Stop using BSafe and other security products? Even if they want to, what alternative would they have?
"It's a whole bunch of guess work because fundamentally, you don't know (what's secure); fundamentally you're screwed," Schneier says. Simply put, security officials must make do with what they have.
The NSA saga will continue to unfold and get more complicated. Meanwhile, we'd like to hear from you. Do you trust the security products you buy, and if so, why? And if you don't, what are you doing about it?