RSA and the NSA: Who is telling the truth?
The National Security Agency (NSA) headquarters at Fort Meade, Maryland.
One of the most respected cybersecurity firms in the business, RSA, has reportedly accepted money from the NSA to push a flawed security product. This latest news comes from a report by Joseph Menn, an investigative reporter with Reuters. It's connected to earlier revelations about the National Security Agency building back doors into encryption to help its surveillance programs, which has had even the most capable cryptologists very worried.
The new report cites two unnamed sources that say the NSA gave $10 million to the cybersecruity firm in order to make a random number generator (often used in encryption) the default security setting in the product. Since RSA is a trusted security source, it was effectively an arrangement--paid for by the spy agency -- for the company to help establish the flawed encryption tool to be accepted by thousands of people who were building software. Some of the sources speaking to Menn said that RSA wasn't fully aware of what it was doing, but the suggestion is that the company should have known better, having a history of fighting things like the government's Clipper Chip.
RSA released a statement in response, which Ars Technica called a non-denying denial. It is interesting to read through it and try to parse the language; the part with the words "categorically deny" could refer to the suggestion that the contract with the NSA was "secret," or that there was a contract, or even that the flaw was known.
However you feel about the report or the response from the RSA (the NSA declined comment), the story brings an uncomfortable truth to light: for years, the NSA has worked in concert with cybersecurity experts. That's a good thing when it comes to national security--the U.S. government has expertise in the area of fighting a broad spectrum of cybercrime that has a very real impact on Americans. But as revelations about secret government surveillance continue, questions grow about whether online security is totally broken -- and who, exactly, can help fix it.