The RSA Conference in San Francisco is underway this week, and this year promises to be one that is remembered for years to come. However, it is not the expected high number of visitors, the product announcements from vendors, nor likely any of the talks given this year that will make it memorable. Instead, it will be the row that has ripped apart the information security community since press revelations in December alleged that RSA Security took a payment of US$10 million from the NSA to weaken the security of one of its products.
According to unnamed sources in a December Reuters article, the NSA paid this money to RSA Security so that it would make a random number generator suspected of containing a backdoor (widely reported to be the Dual_EC_DRBG generator) the default in the cryptography library of its BSafe product. It is alleged that this backdoor could allow the NSA to predict the output of the default random number generator, and so recover the keys, break the encryption used by those customers, and eavesdrop on their communications.
These revelations caused outrage among the security community. Debate raged on social media and other online channels over whether the allegations were true, whether other companies may have accepted similar payments in return for allowing NSA backdoors into their products, and what should be done to express the community’s anger at these allegations. A number of people who had already agreed to speak at this week’s RSA Conference withdrew their talks in protest. They felt that this was one of the more effective ways to highlight to RSA Security that the alleged actions were unacceptable.
Other speakers decided to keep their commitments, believing the more effective way to address the issue is to use the conference as a platform to discuss the controversy, so that a broader audience is made aware of it.
OWASP, which for the past several years has partnered with the RSA Conference to provide free web application security training to attendees, withdrew the training from this year's event. Instead, OWASP will independently run its training session at a nearby location.
A new conference called TrustyCon has been set up to run on Thursday, in parallel with the RSA Conference. Many of the speakers who withdrew their talks from the RSA event will instead address this audience.
A restaurant near the Moscone Center, where the RSA Conference is held, that is quite popular with conference attendees has been block-booked by those protesting RSA Security's alleged collusion with the NSA. According to the organizers, the restaurant will only be available to "BSidesSF, TrustyCon and 'Expo Only' RSA" badge holders. Anyone wearing "Press, Delegate, Conference, Speaker, Vendor, Exhibitor and Employee Badges" will be denied entry. A team of volunteers will explain the protest to those who are turned away.
Nevertheless, my concerns over this controversy do not lie solely with the allegations laid against RSA Security. What concerns me most is the division within the information security community that this controversy is causing. Many people's anger now seems to be focused on those on the other side of the debate, rather than on examining the cause of that debate itself, namely the allegations that the US government is undermining the security protocols and tools that we use to protect ourselves, our families, our businesses, and our nations.
As a speaker at the conference, I have struggled to decide which is the better avenue to highlight my concerns. As a non-US citizen, I am deemed a foreigner under US law and therefore do not have the same protections as US citizens do from NSA mass surveillance. Having considered the pros and cons of each side of the debate, I have decided to remain as a speaker and see how best I can raise my concerns with those attending the conference.
Information security is a challenging career choice for many. Not only does it require good technical skills, it can also be a demanding and stressful role. We can be seen by those within our own organizations as a blocker to the business, because we insist on proper security controls being in place. We face the challenge of protecting our systems against various threats, be they external attackers, malicious insiders, or careless users. We also have to ensure compliance with various legal and regulatory requirements, audit requirements, and business demands. All of this has to be done while business and technological requirements constantly change.
Because so much is demanded of us in our roles, I believe we also place a high demand on ourselves, on each other, and on the vendors we work with. Should any one of us not meet those expectations, the industry can react in a very negative way. Should an organization suffer a security breach, the finger of blame is often pointed at that organization for some perceived failure that allowed the attackers to breach its systems. We often forget that the breached organization is the victim of the attack, and that perhaps the majority of the blame should lie with those who carry out such attacks.
History has shown that communities, or countries, that suffer internal conflict can lose focus on their common goal, resulting in individuals being hurt and grudges being harbored for years. Our focus should not be on who holds the moral high ground in this controversy, but on how we as a community can work together to make the internet a safe and secure environment for all.
Brian Honan is an independent security consultant (BH Consulting) based in Dublin, Ireland, and is recognized as an industry expert on information security. He is COO of the Common Assurance Maturity Model and founder and head of IRISSCERT, Ireland's first CERT. Honan also sits on the Technical Advisory Board of a number of innovative information security companies and is on the board of the UK and Irish Chapter of the Cloud Security Alliance (CSA). He is the author of the book ISO 27001 in a Windows Environment and is regularly published in a number of industry-recognized publications. Honan is also the European editor for SANS NewsBites, the SANS Institute's semi-weekly electronic newsletter.