RSA 2014: Art Coviello Addresses RSA/NSA Controversy in Keynote


“Twenty years ago, RSA was seen as leading the charge against government in matters of privacy and protecting infrastructure. Now, RSA is accused of being in cahoots with the government to serve on the other side of the battle.”

A Reuters report in December alleged that the NSA paid RSA Security $10 million to make a weak algorithm, one the spy agency could use as a backdoor as part of its surveillance programs, the default random number generator in one of its BSafe toolkits.

Coviello did not discuss the $10 million contract directly in his keynote, instead offering an explanation for why RSA chose the algorithm as its default: that it provided certain advantages over hash-based random number generators, including better security.

“Given that RSA’s market for encryption tools was increasingly limited to the U.S. Federal government and organizations selling applications to the federal government”, he explained, “use of this algorithm as a default in many of our toolkits allowed us to meet government certification requirements.” RSA, he declared, “put our weight and trust behind standards bodies, including NIST.”

Coviello declared support for the presidential review group’s recommendation to simplify the NSA’s role as solely a foreign intelligence gathering unit. He also supports the concept of splitting the NSA into two organizations – one for intelligence collection and one for developing defense mechanisms to secure data.

He suggested that the NSA’s dual activities – securing and breaking systems – have made it difficult for companies working with the agency to understand which agenda will take precedence.

“When or if the NSA blurs the line between its defensive and intelligence gathering roles, and exploits its position of trust within the security community, then that’s a problem”, Coviello said. “If we can’t be sure which part of the NSA we’re actually working with, and what their motivations are, then we should not work with the NSA at all.”

Much of the great work of the IAD, he said, “has been getting lost in the feeding frenzy of this controversy – which is both sad and dangerous for the country.”

Coviello also called for reform of surveillance and privacy protections, outlining four guiding principles to encourage action by all parties with a shared interest in ensuring a safer Internet:

  • Renounce the use of cyber weapons, and the use of the Internet for waging war
  • Cooperate in the investigation, apprehension and prosecution of cyber criminals
  • Ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected
  • Respect and ensure the privacy of all individuals

“All intelligence agencies around the world need to adopt a governance model that enables them to do more to defend us, and less to offend us”, concluded Coviello.

 
