Cybersecurity experts and privacy advocates are continuing to press Bedford cybersecurity company RSA to reveal more details about its relationship with the National Security Agency’s spying program, with some critics calling for a boycott of the company’s upcoming annual convention.
A Dec. 20 Reuters article suggested that RSA, a division of the data storage giant EMC Corp. of Hopkinton, received $10 million from the NSA to modify one of its cybersecurity products, Bsafe, in a way that would allow the spy agency to get around computer safeguards and access sensitive data. Critics contend RSA has failed to clarify what its specific business dealings were with the NSA.
“I would want to see a clear statement from EMC about what software they’re using, and what algorithms they’re using,” said Matthew Green, assistant research professor of computer science at Johns Hopkins University, referring to the compromised computer formula and other security products.
RSA and EMC each declined to comment Friday.
The product in question, Bsafe, is a widely used software tool designed to prevent hackers from breaking into software applications and stealing data. It gives users a choice of several formulas that generate random numbers needed to encrypt data. Moreover, the RSA encryption software is used throughout EMC’s products, raising the possibility that data stored on EMC systems might be vulnerable.
The Reuters story said RSA installed a computer algorithm selected by the NSA into Bsafe, and made it the default number generator, so that it would more likely be used by customers. That could give the NSA the means to break into applications protected by the RSA product.
Earlier this year, leaks by former government contractor Edward Snowden revealed that the NSA had designed such an encryption formula and made it available to the cybersecurity industry.
The Reuters article is the first account suggesting that RSA was paid to be complicit in using the NSA algorithm. The story quoted some in the industry who questioned whether RSA was duped into using the encryption tool by the NSA.
This past weekend, RSA acknowledged it had worked with the NSA on a computer code for its security products, as far back as 2004 — well before anyone had an inkling of the widespread snooping the agency would conduct.
But RSA said, “We have never entered into any contract or engaged in any project with the intention of weakening” its security products or introduced vulnerabilities that others could exploit.
Earlier in 2013, RSA did acknowledge that the security formula in Bsafe was flawed, and suggested clients stop using the default number generator.
The company’s statement, however, has failed to mollify many critics, who complained the company did not address some of the allegations in the Reuters story.
Now, just eight weeks before the company hosts its annual conference, one of the computer security industry’s most prestigious events, RSA is facing a growing backlash, from cyber professionals and privacy advocates alike.
Two prominent speakers have withdrawn from the conference, and talk of a boycott of the RSA Conference is spreading on social media.
“There are going to be economic consequences, especially outside the United States. The boycott of the RSA Conference is just the tip of the iceberg,” said Nicco Mele, a technology and policy expert at the Harvard Kennedy School.
Indeed, one of the first cybersecurity experts to withdraw from the conference was Mikko Hypponen, a well-known privacy specialist and chief research officer at the Finnish company F-Secure. Soon thereafter, Josh Thomas, an executive with Atredis Partners in Houston, also canceled his talk at the RSA Conference.
“I feel absolutely no need to go to that conference and speak, and by my actions and my words to further the RSA brand,” said Thomas, who worked for more than a decade developing artificial intelligence software for the Army and cryptographic software for the Pentagon.
Previously RSA earned a reputation for fighting the government’s efforts to weaken encryption tools. In the 1990s, under Jim Bidzos, former chief executive, it helped quash an NSA program to get telecommunications companies to adopt a chip that would make government eavesdropping easier.
Now its credibility is being called into question.
“What can RSA say? You caught us here, but we haven’t done it anywhere else? You can trust us?” said Bruce Schneier, author of multiple books on data security and privacy.
More broadly, said Schneier, the NSA spying scandal is taking a toll on the American technology industry.
For instance, he said, Cisco Systems Inc. said last month that customers in emerging markets are buying less of its equipment out of concern about built-in back doors that could let US spies access their data.
A bid by AT&T Inc. to buy the British cellphone company Vodafone Group PLC has faced pushback from European regulators worried about NSA infiltration of American telecommunications.
“This is the poison of what NSA has done,” said Schneier. “They’ve destroyed trust on the Internet.”
Meanwhile, some smaller security companies that offer similar products to the RSA Bsafe tool kit may stand to benefit. One such firm is Security Innovation Inc. of Wilmington, which offers its own security algorithm to keep applications safe.
As a result of the Snowden leaks “you are seeing everyone rethinking and reevaluating the relationships they have,” said Ed Adams, chief executive of Security Innovation. “It’s an opportunity for smaller security companies.”
Adams said that RSA has reached out to Security Innovation about potentially working with his company. That could be a way for RSA to add additional security formulas to its technology.
Adams did not provide details on what that partnership would involve.
While he would also like to see RSA respond to critics with more information, Adams doesn’t fault RSA in this case. It’s often impossible to know the motivations and intentions of the NSA when performing contract work for that and other government agencies.
“This is the yin and yang that you always have to manage when you are trying to do business with the government,” said Adams, whose company worked extensively with government spy agencies until it spun off that business unit in 2005 and sold it to Raytheon Co. in 2008. “You are always caught between two different missions.”