Updated on Feb. 26, 2014 at 7:45am ET with analyst comments from Anton Chuvakin of Gartner Inc.
There’s been a lot of talk about RSA Security Inc.’s involvement with the U.S. National Security Agency (NSA) hanging over this year’s RSA conference in San Francisco. And with that in mind, the opening keynote speakers came out swinging today, losing no time in talking about the need for better security for a better world.
In December 2013, Reuters published a story saying the RSA had accepted $10 million from the NSA to put a backdoor in its encryption products, leading some conference speakers and attendees to boycott the conference. Some even organized their own anti-RSA conference, branding it as “TrustyCon” and holding it at the same time as the RSA event.
So with that cloud of controversy looming overhead, the first keynote speaker, RSA executive chairman Art Coviello, lost no time in plunging in and addressing the RSA-NSA allegations.
“Has the RSA done work with the NSA? Yes. But that fact has been a matter of the public record for years,” he said, mentioning the two decades of history the two organizations have shared in setting up cryptographic standards.
During his address, Coviello also called for a separation between the NSA and its defensive arm, the Information Assurance Directorate (IAD). That way, the NSA could go on to gather intelligence, while the IAD could focus on uncovering threats and vulnerabilities. He added that the RSA supports the National Institute of Standards and Technology’s proposal for a new cybersecurity standard.
“This feeding frenzy of controversy has been sad and dangerous for the country,” Coviello said, adding he was calling on security professionals around the world to take a leadership stance in promoting cybersecurity.
“We need to repair relations and rebuild trust … We’ve only had a scant decade or two to set rules for the digital world. The resulting chaos reflects the lack of digital norms,” he said.
Coviello went on to propose four principles for cybersecurity, going forward: 1) to renounce cyber weapons; 2) to agree to cooperate with investigating, apprehending, and prosecuting cyber criminals; 3) to allow economic activity to go unfettered and to respect intellectual property rights; and 4) to respect individuals’ rights to privacy.
However, his call for action failed to impress Anton Chuvakin, research director at Gartner Inc.
“It sounds naïve. We never renounced the use of water (many countries have navies) or air for war (air forces), and sort of renounced – but not really – the use of space for war,” he said in an email.
“No country leader would be insane enough to say ‘I won’t ever use cyber-methods in war.’ Comparing cyber to nuclear is at best naïve and at worst misinformed and inflammatory … Other points he made sound painfully obvious, but it is not obvious why stating them for the umpteenth time helps the community.”
Scott Charney, corporate vice-president for Microsoft Corp.’s Trustworthy Computing Group, also gave his thoughts on cybersecurity and privacy in his keynote address.
While people have been talking about surveillance for a couple of years now, the reason everyone is so excited about it now is that they’ve seen “a theory become reality,” he said.
“People internalize [their fears], and the fear becomes much more real,” Charney said, adding governments need to balance their need for collective security with the rights to individual privacy.
“[The industry] has a choice – you can choose to encrypt things, and make governments’ lives harder and criminals’ lives easier. Or you don’t encrypt, and the government’s life is easier, but it’s dangerous for privacy.”
Microsoft would never put in a backdoor, even if the NSA asked, as that would be “economic suicide,” Charney added. The company would only comply with individual court orders requesting specific data, he said.
After Charney, keynote speaker Nawaf Bitar, senior vice-president and general manager of the security business unit at Juniper Networks Inc., called for less “first world outrage” and apathy towards security. Instead, security professionals should be galvanized to action and work harder to protect data, he said.
For Gartner research director Jay Heiser, the common thread between all of the keynote speakers was their desire for norms and standards in cybersecurity.
“The Internet does not have boundaries, and thought leaders are saying, how do you deal with the domain?” he said. “Seeing it repeated [among the keynote speakers] was kind of disingenuous … but addressing the NSA allegations, they had to address them. It was expected, even if it was self-serving.”
This year’s RSA conference features over 45,000 attendees, 400 sponsors, and 550 speakers, with the conference running until the end of the week.