SAN FRANCISCO – Normally, the buzz around a RSA Conference is confined to talk of products and services and the challenge of improving enterprise security. This year however, it was different.
Controversy about the U.S. government’s electronic surveillance programs led several speakers to drop out ahead of the conference and sparked discussions about privacy and civil liberties. In his keynote, Art Coviello, executive chairman of EMC’s RSA security division, spoke about the balance between national security and individual liberty and called for the U.S. and governments around the globe to denounce the use of cyber-weapons and to cooperate in the fight against cybercrime and in the protection of economic and privacy rights in the digital world.
RSA found itself in the middle of this debate late last year, when it was reported that it had accepted $10 million from the NSA to use the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) as the default in its BSafe products. It continued to do so until last September, despite the fact that concerns about the algorithm’s security had been raised several years earlier.
According to Coviello, using the algorithm as the default allowed the company to meet government requirements, and the practice stopped in September after the National Institute of Standards and Technology (NIST) issued guidance discouraging it. But he also spoke of the dangers of spy agencies blurring the lines between offensive and defensive work.
“If we can’t be sure which part of the NSA we are actually working with and what their motivations are, perhaps we should not be working with the NSA at all,” he told the crowd, adding that the agency’s defensive-minded Information Assurance Directorate (IAD) does valuable work and should be spun out of the agency and run on its own.
In a separate talk, Richard Clarke, who served as special advisor to former President George W. Bush on cybersecurity and worked on the committee that recently recommended changes to the NSA’s surveillance program, said that it would be foolish for the American government to purposefully weaken an encryption standard in order to exploit it.
“We argued in the review report that if the United States government becomes aware of a vulnerability that can be turned into a zero-day exploit, its first obligation is to tell the American people about that so we can patch it,” Clarke said. “Not to run off and try to break into the Beijing telephone system. We are so dependent in this country on cyber systems that when one of them is vulnerable we put ourselves at risk.”
Former NSA Director Michael Hayden, who sat on the panel with Clarke, argued that public opinion on national security practices ebbs and flows as fear of attacks waxes and wanes. In the aftermath of an attack, agencies get criticized for not being aggressive enough; but in the absence of an attack, critics say the intelligence community goes too far, he said.
According to Clarke, transparency is key. The country will accept many things, as long as there is a general understanding of what is going on, he said. Ultimately, intelligence activities should pass what he called the “front page test,” meaning they can be explained in a way the country will accept if they become public. While he stated that America is far from a police state, he said it is important to have checks and balances in place to prevent one from coming into being, given how far technology has advanced.
“The technology is there, not just at NSA, your local police department with its surveillance cameras, the technology is there writ large for a police surveillance state; and not just in the United States, but in most of the modern world,” Clarke said. “That means we need now more roadblocks to the police surveillance state being turned on than we did in the past.”
*This story was updated.