Coviello RSA Keynote Avoids $10 Million NSA Contract Question
NEWS ANALYSIS: RSA Chairman Arthur Coviello's keynote carefully avoided any discussion of whether or not RSA accepted government money to weaken its encryption software.
If you thought RSA Chairman Arthur Coviello's keynote at his company's RSA Security Conference would lay to rest the question of whether or not RSA Security was paid $10 million by the National Security Agency to use easily cracked encryption software, you would be wrong.
In what was the most highly anticipated keynote at a security event in years, Coviello took a long route around the $10 million question and instead worked hard to elevate the entire NSA controversy to a discussion about the role of government in protecting both digital secrets and citizen rights. He wound up his keynote with a four-point worldwide plan for digital protection. But as far as the answer to the $10 million question, none was forthcoming.
In many ways, no answer was expected. The entire dispute came to light after Reuters published an article last December that stated: "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA." RSA issued a denial that contended the company would not enter into a contract that would intentionally weaken its products, but stopped short of addressing the specific NSA contract or the $10 million figure.
That article, along with the ongoing revelations of NSA snooping provided by secret files taken by former government contractor Edward Snowden, has set the stage for an RSA Conference far different from past years.
Whereas past conferences were largely concerned with advances in cryptography and the latest security products being introduced by the exhibiting vendors, this year's conference has veered into a range of digital policy issues, many of which concern governmental rights and responsibilities when addressing the conflicting roles of protecting citizens while also protecting the privacy of those citizens.
During his keynote, Coviello said the RSA and NSA partnership has long been a matter of public record. "Has RSA done work with the NSA? Yes. But the fact has been a matter of public record for nearly a decade," he told the audience. He mentioned in particular the NSA's defense arm and the Information Assurance Directive (IAD) and suggested the IAD should be spun off from the NSA into a separate organization. The separation of offensive and defensive roles within governmental cyber-security organizations is a key to reducing the "blurring" of roles and policies, according to Coviello.