[Infowarrior] - Cybersecurity Firm Advises Caution in Dealing With NSA

Richard Forno rforno at infowarrior.org
Tue Feb 25 19:54:32 CST 2014


Cybersecurity Firm Advises Caution in Dealing With NSA
RSA's Art Coviello Suggests Agency Wasn't Upfront About Intentions

By Danny Yadron
Updated Feb. 25, 2014 8:36 p.m. ET

http://online.wsj.com/news/articles/SB10001424052702304834704579405180837393664?

SAN FRANCISCO—For two months, RSA Executive Chairman Art Coviello has faced criticism that his company helped the National Security Agency spy on customers of the computer-security firm.

On Tuesday, he suggested that the government wasn't upfront about what it would do with his products and said other companies should be wary of working with U.S. intelligence.

If the NSA "exploits a tradition of trust within the security community, that's a problem," Mr. Coviello said at a conference sponsored by his company. "If that is an issue, we can't work with the NSA," he said in a subsequent interview.

The remarks were his first public comments since his company, a unit of EMC Corp., was accused last year of selling weakened encryption products that could help the agency spy on RSA customers.

His comments were notable for an executive whose company has significant government ties and point to a broader question for U.S. tech companies in the Edward Snowden era: Is the revenue from classified contracts worth the reputational risk?

Mr. Coviello said his company has had classified contracts with the NSA but suggested that the firm didn't know that it may have aided government surveillance efforts. The current contracts aren't encryption-related and whether the company enters into any in the future "will be dependent on assurances" from the government, he said.

The NSA declined to comment.

Documents leaked by Mr. Snowden, a former NSA contractor, last year showed that the agency helped popularize a weak encryption formula, hoping that it would help the agency spy on terrorists.

Reuters in December reported that RSA accepted $10 million to make the setting a default in one of its products, Bsafe. The Wall Street Journal recently confirmed with people briefed on the matter that such a contract existed. There is no evidence RSA knew the encryption formula was weak, the people said. Mr. Coviello declined to comment on specific contracts.

A surveillance-review panel commissioned by President Barack Obama said last year that the government shouldn't weaken encryption standards.

Mr. Coviello said he agreed with that recommendation but that he wasn't optimistic it would be adopted.

Mr. Coviello did a "pretty good" job of addressing trust issues, said Wendy Nather, a research director at information-technology consulting firm 451 Research LLC.

RSA told customers last fall to stop using the default Bsafe encryption formula, called dual elliptic curve, as soon as documents from Mr. Snowden suggested NSA held a secret key to solve it.

Encryption accounts for a small portion of RSA's business. Most encryption used on computers is based on a series of publicly available formulas—not algorithms owned by security companies.

Mr. Coviello said the problematic formula was used mainly for clients with government ties and that the Reuters article had no effect on the company's business. Customers have been "maybe curious" about the matter, he said.

Nevertheless, the issue has roiled this year's RSA Conference.

Security researchers have questioned why RSA continued to use the Bsafe formula even after mathematicians discovered holes more than seven years ago.

"There is maybe a little 20/20 hindsight here," Mr. Coviello said Tuesday. Relatively few researchers found problems with the formula before the Snowden leaks, he said.

Mr. Coviello also sought to broaden the debate about Internet security, proposing that governments stop using cyberweapons, cooperate with other countries on cybercrime and protect online privacy.

"If the NSA had been more transparent maybe they wouldn't have the PR difficulty that they're having now," Mr. Coviello said. "That's really what I'm calling for: more of that transparency."

Write to Danny Yadron at danny.yadron at wsj.com


---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.