NIST Paid $16,500 for Space at Now-Boycotted RSA Conference

RSA 2013 featured hundreds of exhbitors.

RSA 2013 featured hundreds of exhbitors. Flickr user e_kaspersky

Speakers are backing out in protest of the encryption company’s alleged deal with NSA to weaken its security products.

The National Institute of Standards and Technology purchased a $16,500 booth at an RSA event that technologists are pulling out of in protest of the encryption company’s alleged deal with the National Security Agency to weaken products using a NIST-approved trapdoor.   

NIST’s entire leadership and management team attended last year's conference, according to 2013 contracting documents. They "cultivated key relationships with peer-to-peer executives at companies and government agencies," the documents state.  "Our attendance at RSA offered our leadership team to speak on panels that reinforced NIST's position as a technical thought leader and policy advisor."

As of Tuesday night, at least eight speakers and attendees had cancelled appearances at next month’s event after Reuters first reported that RSA accepted $10 million to make the "Dual Elliptic Curve" the default setting for generating random numbers in a popular encryption product. The report, based on documents leaked by former NSA contractor Edward Snowden, said NSA promoted and promulgated a flawed formula for creating the numbers, giving the agency a back door to spy on users. RSA denied designing or enabling back doors into any of its products. 

NIST bought the exhibitor space last spring from event planning company Nth Degree to use for four days at the annual conference in San Francisco, the documents state.

The agency has been a regular RSA Conference attendee since 1995. This year, officials said NIST will promote a new lab in Maryland, called the National Cybersecurity Center of Excellence, where government, nonprofit and industry developers test tools for business and personal computers. 

Some experts are boycotting the RSA event to raise awareness about company’s alleged complicity with NSA.

Eight-time speaker Mikko Hypponen, chief research officer for security firm F-Secure, publicly cancelled his presentation within days of Reuters breaking the backdoor story on Dec. 20, 2013.

"Aptly enough, the talk I won’t be delivering at RSA 2014 was titled ‘Governments as Malware Authors,’” he wrote in a blog post. At the time, Hypponen, based in Finland, said he did not expect American security professionals to follow suit.  

But participants from some U.S. companies are boycotting the conference as well, including Google and Mozilla officials and a researcher who is keeping a running tally of protestors. Robert David Graham, chief executive officer of Errata Security, said he wants to warn other companies that might be in cahoots with NSA, or thinking about it. 

"The only thing stopping corporations from putting NSA back doors into their products is the risk of getting caught," he wrote in a blog post.

Graham, who would have attended as an audience member, said he does not think RSA knowingly aided NSA. "I think RSA was mostly tricked by the NSA instead of consciously making the choice to backdoor their products," he said. "What I care about is sending the message to other corporations that they should fear this sort of thing happening to them. If you are a security company, and you get caught backdooring your security for the NSA, you should go out of business."

According to Reuters, NSA paid RSA to use an NSA-developed, NIST-approved standard as the preferred formula for RSA’s BSafe technology, which is used to secure PCs and many other devices.

“NIST's blessing is required for many products sold to the government and often sets a broader de facto standard,” Reuters noted. “RSA's contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.”

After leaks by Snowden suggested NSA manipulated the formula, NIST cautioned that the encryption standard might be flawed.  

RSA denies the company allowed NSA to contaminate its product but would not divulge details of customer engagements. 

Company officials "categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use," they said in a Dec. 22 statement

RSA officials acknowledged working with NSA, both as a vendor and an active member of the security community. "Our explicit goal has always been to strengthen commercial and government security," the statement said. "When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.”

NSA was not listed as an exhibitor on the RSA Conference website as of Tuesday night. Agency officials, however, are scheduled to speak at the event, including NSA Information Assurance Director Debora Plunkett. 

Get the Nextgov iPhone app to keep up with government technology news.

(Image via Flickr user e_kaspersky)