If you thought RSA Chairman Arthur Coviello's keynote at his company's RSA Security Conference would lay to rest the question of whether or not RSA Security was paid $10 million by the National Security Agency to use easily cracked encryption software, you would be wrong.
In what was the most highly anticipated keynote at a security event in years, Coviello took a long route around the $10 million question and instead worked hard to elevate the entire NSA controversy to a discussion about the role of government in protecting both digital secrets and citizen rights. He wound up his keynote with a four-point worldwide plan for digital protection. But as far as the answer to the $10 million question, none was forthcoming.
In many ways, no answer was expected. The entire dispute came to light after Reuters published an article last December that stated: "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA." RSA issued a denial that contended the company would not enter into a contract that would intentionally weaken its products, but stopped short of addressing the specific NSA contract or the $10 million figure.
That article, along with the ongoing revelations of NSA snooping provided by secret files taken by former government contractor Edward Snowden, has set the stage for an RSA Conference far different from past years. Whereas past conferences were largely concerned with advances in cryptography and the latest security products being introduced by the exhibiting vendors, this year's conference has veered into a range of digital policy issues, many of which concern a government's rights and responsibilities when addressing the conflicting roles of protecting its citizens while also protecting the privacy of those citizens.
During his keynote, Coviello said the RSA and NSA partnership has long been a matter of public record. "Has RSA done work with the NSA? Yes. But the fact has been a matter of public record for nearly a decade," he told the audience. He mentioned in particular the NSA's defense arm and the Information Assurance Directive (IAD) and suggested the IAD should be spun off from the NSA into a separate organization. The separation of offensive and defensive roles within governmental cyber-security organizations is a key to reducing the "blurring" of roles and policies, according to Coviello.
While there had been speculation that a protest would take place during the keynote, the audience was polite and applauded when Coviello completed his speech.
It was during his keynote that Coviello veered into policy waters and outlined a four-point plan to address cyber-security issues on a worldwide basis. That plan included proposals to renounce cyber-weapons, cooperate in the investigation and prosecution of cyber-criminals, assure economic activity and intellectual property rights, and ensure privacy.
The decision to take the high road and call for policy reform rather than come clean about its role in the reported NSA contract is unlikely to cool the controversy. An alternative conference, TrustyCon, is scheduled to take place near the Moscone Convention Center in San Francisco, where the RSA Conference is being held, and will feature speakers boycotting the RSA event.
Coviello called on a broad coalition of vendors, researchers and governments to address surveillance and privacy concerns in an increasingly digital-driven economy. "Intelligence agencies around the world need to adopt a governance model that enables them to do more to defend us, and less to offend us," he said.
Meanwhile, the final story behind the alleged $10 million contract remains untold and may not come out for years to come, if ever.
Eric Lundquist is a technology analyst at Ziff Brothers Investments, a private investment firm. Lundquist, who was editor-in-chief at eWEEK (previously PC WEEK) from 1996-2008, authored this article for eWEEK to share his thoughts on technology, products and services. No investment advice is offered in this article. All duties are disclaimed. Lundquist works separately for a private investment firm, which may at any time invest in companies whose products are discussed in this article and no disclosure of securities transactions will be made.