The US National Security Agency's blurring of its spying and cybersecurity missions led to a broad collapse in trust between the private security industry, its customers and the government, the head of security pioneer RSA said today.
RSA came under criticism after it was revealed the company had secretly accepted a US$10 million contract from the NSA to make a now-discredited cryptography system the default in software used by all manner of internet and computer security programs.
The system was based on a formula for generating random numbers that was created by the NSA to embed "back doors" in encryption products the spy agency could then crack, according to documents leaked by former NSA contractor Edward Snowden.
RSA executive chairman Art Coviello today said his company, a unit of EMC, had adopted the formula because it thought it was dealing with NSA officials trying to improve protection for the government and critical security industry.
"When or if the NSA blurs the line between its defensive and intelligence-gathering roles and exploits a position of trust, that's a problem," Coviello said in the opening speech of the RSA Conference, the world's largest gathering of cyber security professionals, in San Francisco.
Coviello said the spy agency should spin off its cyber defensive work to another body to avoid pollution of the mission and distrust. A White House advisory panel had recently made a similar recommendation, though it was not endorsed by US President Barack Obama or NSA leaders.
A senior White House official said the administration opposed a spinoff, in part because cyber defensive efforts are strengthened by threat information gleaned through the NSA's vast signals intelligence operation.
Two other recommendations by the advisory panel are still under consideration, the official said. One would sharply reduce the US use of unreported software flaws (so-called zero-days) to break into networks. The other would bar the NSA from deliberately weakening encryption standards.
Both of those proposals came up in a debate later at the RSA conference between former NSA Director Michael Hayden and former White House counterterrorism and cybersecurity advisor Richard Clarke, who was one of the authors of the recommendations to President Barack Obama.
Hayden said the White House advisory panel's report had maintained that the government did not subvert cryptography. Clarke retorted: "The report did not say that, because that would not be true."
The speech by Coviello was by far RSA's most expansive remarks on the subject since the December report on the US$10 million NSA deal prompted more than 10 speakers to withdraw from the conference. The event still drew a record 25,000 attendees.
Coviello said RSA's core cryptographic patents had expired by the time of the NSA deal and that it had turned to standards put forward by industry and government groups, including the National Institute of Standards and Technology.
NIST supported the NSA formula for generating random numbers, the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) in its SP 800-90A standard, until the Snowden documents suggested it allowed the agency a back door.
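The mechanism behind the "back door" is worth seeing concretely. Dual EC walks a state through two fixed elliptic-curve points P and Q: the next state is the x-coordinate of s*P and the output is the x-coordinate of s*Q with a few top bits dropped. If whoever chose the constants picked Q = d*P for a secret d, then from a single output they can lift the point R = s*Q and compute e*R = s*P (with e = d^-1), which is exactly the next state, and from there every future output. The following is an added toy illustration, not RSA's, NIST's or the NSA's code: the curve (the 19-point textbook curve over GF(17)), the seed, the trapdoor value d and the one-bit truncation are all constructed so the run can be checked by hand, and the `next_state` guard against a zero state exists only because the toy curve is tiny.

```python
# Toy Dual EC DRBG with the P/Q trapdoor (added illustration, not code from
# the page, RSA, NIST or the NSA). All constants below are constructed.

# Curve y^2 = x^3 + 2x + 2 over GF(17); P = (5, 1) has prime order 19
# (the small textbook example from Paar & Pelzl, "Understanding Cryptography").
PRIME = 17
A, B = 2, 2
ORDER = 19
P = (5, 1)

FIELD_BITS = PRIME.bit_length()           # 5 bits of x-coordinate
TRUNC_BITS = 1                            # real Dual EC drops 16 of 256 bits; toy drops 1 of 5
MASK = (1 << (FIELD_BITS - TRUNC_BITS)) - 1


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None                       # p1 == -p2 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME)
    lam %= PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    y3 = (lam * (x1 - x3) - y1) % PRIME
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def points_with_x(x):
    """All curve points with this x-coordinate (brute-force square root; the field is tiny)."""
    rhs = (x ** 3 + A * x + B) % PRIME
    return [(x, y) for y in range(PRIME) if (y * y) % PRIME == rhs]


def next_state(x):
    # Spec: s_{i+1} = x(s_i * P) taken as an integer. Toy-only guard: on a
    # 19-point curve the state can land on 0 mod 19, which has no point;
    # on the real 256-bit curve this never happens in practice.
    return x % ORDER or 1


def dual_ec_generate(seed, Q, count):
    """Dual EC DRBG: output x(s_i*Q) with top bits dropped, then s_{i+1} = x(s_i*P)."""
    s = next_state(seed)
    outputs = []
    for _ in range(count):
        outputs.append(ec_mul(s, Q)[0] & MASK)
        s = next_state(ec_mul(s, P)[0])
    return outputs


def make_trapdoor(d):
    """The back door: Q is chosen as d*P, so the holder of d knows e with e*Q = P."""
    return ec_mul(d, P), pow(d, -1, ORDER)


def recover_state(e, Q, first_out, later_outs):
    """Recover s_{i+1} from one truncated output plus a few following outputs.

    Each way of restoring the dropped bits gives a candidate x; lift it to a
    point R = s_i*Q, then e*R = s_i*(e*Q) = s_i*P, whose x-coordinate is the
    next state. Candidates survive only if they reproduce the later outputs.
    """
    survivors = []
    for hi in range(1 << TRUNC_BITS):
        x = first_out | (hi << (FIELD_BITS - TRUNC_BITS))
        if x >= PRIME:
            continue
        for R in points_with_x(x)[:1]:    # R and -R give the same x(e*R)
            s_next = next_state(ec_mul(e, R)[0])
            if dual_ec_generate(s_next, Q, len(later_outs)) == later_outs:
                survivors.append(s_next)
    return survivors


def demo():
    """Constructed run: trapdoor d = 3, seed 2; returns (outputs, recovered state(s), predicted stream)."""
    Q, e = make_trapdoor(3)
    outputs = dual_ec_generate(2, Q, 8)
    recovered = recover_state(e, Q, outputs[0], outputs[1:3])
    predicted = dual_ec_generate(recovered[0], Q, len(outputs) - 1) if recovered else None
    return outputs, recovered, predicted


if __name__ == "__main__":
    outputs, recovered, predicted = demo()
    print("generator outputs:", outputs)
    print("state recovered from outputs[0] and two checks:", recovered)
    print("attacker's prediction of outputs[1:]:", predicted)
```

In the constructed run the attacker recovers the one internal state that reproduces the next two outputs and then predicts the rest of the stream exactly. The real generator differs only in scale: x-coordinates are 256 bits, 16 of them are dropped, so the holder of d checks about 2^16 candidate points against 30 or so further output bytes. Nobody outside the NSA has claimed to know d for the standardized Q; the point of the 2007 Shumow and Ferguson observation, and of the Snowden reporting, is that the standard gave no way to rule out that Q was generated this way.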