
NIST Paid $16,500 for Space at Now-Boycotted RSA Conference

RSA 2013 featured hundreds of exhibitors.

The National Institute of Standards and Technology purchased a $16,500 booth at an RSA event that technologists are pulling out of in protest of the encryption company’s alleged deal with the National Security Agency to weaken products using a NIST-approved trapdoor.   

NIST’s entire leadership and management team attended last year's conference, according to 2013 contracting documents. They "cultivated key relationships with peer-to-peer executives at companies and government agencies," the documents state.  "Our attendance at RSA offered our leadership team to speak on panels that reinforced NIST's position as a technical thought leader and policy advisor."

As of Tuesday night, at least eight speakers and attendees had cancelled appearances at next month’s event after Reuters first reported that RSA accepted $10 million to make the "Dual Elliptic Curve" the default setting for generating random numbers in a popular encryption product. The report, based on documents leaked by former NSA contractor Edward Snowden, said NSA promoted and promulgated a flawed formula for creating the numbers, giving the agency a back door to spy on users. RSA denied designing or enabling back doors into any of its products. 

NIST bought the exhibitor space last spring from event planning company Nth Degree to use for four days at the annual conference in San Francisco, the documents state.

The agency has been a regular RSA Conference attendee since 1995. This year, officials said NIST will promote a new lab in Maryland, called the National Cybersecurity Center of Excellence, where government, nonprofit and industry developers test tools for business and personal computers. 

Some experts are boycotting the RSA event to raise awareness about the company’s alleged complicity with NSA.

Eight-time speaker Mikko Hypponen, chief research officer for security firm F-Secure, publicly cancelled his presentation within days of Reuters breaking the backdoor story on Dec. 20, 2013.

"Aptly enough, the talk I won’t be delivering at RSA 2014 was titled ‘Governments as Malware Authors,’" he wrote in a blog post. At the time, Hypponen, based in Finland, said he did not expect American security professionals to follow suit.

But participants from some U.S. companies are boycotting the conference as well, including Google and Mozilla officials and a researcher who is keeping a running tally of protestors. Robert David Graham, chief executive officer of Errata Security, said he wants to warn other companies that might be in cahoots with NSA, or thinking about it. 

"The only thing stopping corporations from putting NSA back doors into their products is the risk of getting caught," he wrote in a blog post.

Graham, who would have attended as an audience member, said he does not think RSA knowingly aided NSA. "I think RSA was mostly tricked by the NSA instead of consciously making the choice to backdoor their products," he said. "What I care about is sending the message to other corporations that they should fear this sort of thing happening to them. If you are a security company, and you get caught backdooring your security for the NSA, you should go out of business."

According to Reuters, NSA paid RSA to use an NSA-developed, NIST-approved standard as the preferred formula for RSA’s BSafe technology, which is used to secure PCs and many other devices.

“NIST's blessing is required for many products sold to the government and often sets a broader de facto standard,” Reuters noted. “RSA's contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.”

After leaks by Snowden suggested NSA manipulated the formula, NIST cautioned that the encryption standard might be flawed.  

RSA denies the company allowed NSA to contaminate its product but would not divulge details of customer engagements. 

Company officials "categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use," they said in a Dec. 22 statement.

RSA officials acknowledged working with NSA, both as a vendor and an active member of the security community. "Our explicit goal has always been to strengthen commercial and government security," the statement said. "When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media."

NSA was not listed as an exhibitor on the RSA Conference website as of Tuesday night. Agency officials, however, are scheduled to speak at the event, including NSA Information Assurance Director Debora Plunkett. 


(Image via Flickr user e_kaspersky)
