Hugh Thompson, chairman of the RSA Conference program committee, on Wednesday expressed his dismay at the developments and noted that the conference itself is vendor neutral and separate from RSA, the company. He also noted that the number of people who have said they would boycott the event represents a small portion of the 570 confirmed speakers. The conference provides a great venue for the security industry to discuss the issues raised by revelations of the NSA's surveillance activities, he said.
The criticism directed at RSA is understandable if the claims in the Reuters story are accurate. But RSA may not be the only company that has either accidentally or deliberately helped the NSA.
Recent reports by German magazine Der Spiegel revealed how the NSA developed exploits and planted backdoors in networking equipment, PCs and servers from some of the world's biggest technology vendors, including Cisco, Juniper Networks, Dell, Huawei and Hewlett-Packard.
The tools, developed by a specialized group of hackers within the NSA's Tailored Access Operations (TAO) unit, are listed in a 50-page product catalog and are used by the NSA for tasks such as penetrating network routers and firewalls and monitoring mobile phone calls, according to Der Spiegel. So far, there is no evidence that any of the vendors whose products the NSA gained access to worked with the agency to enable that access.
But it is likely that at least a few of them were approached by the spy agency in the same way it approached RSA. Given the extensive arsenal of tools the NSA has at its disposal, it is nearly inconceivable that none of the vendors had an inkling that their products had been compromised.
The Reuters report suggests that RSA was the biggest distributor of the flawed random number generator, but not the only one. NSA documents leaked by Snowden refer explicitly to the agency seeking and building commercial relationships to help with its data collection efforts.
Companies including Google, Microsoft, Yahoo and others have claimed they had no idea the NSA was siphoning data from their networks by tapping into the fiber cables connecting their data centers. But they should have, said John Pescatore, director of emerging security trends at the SANS Institute.
"A lot of the reaction from the large tech companies, like Microsoft, Google, Yahoo and others ... is disingenuous," Pescatore said. "The fact that NSA, the UK, China, and probably France and Germany, could eavesdrop on fiber optics has been long known and even publicized. Companies that chose not to encrypt made a risk-based decision to save money by saying the consequences of government interception are not enough of an impact for us to spend the money," he said.
For RSA and other U.S. technology vendors, the Snowden leaks mean that they will need to do what Huawei did in the U.K. back in 2010, when the Chinese company had to convince the U.K. government that the telecom equipment BT wanted to buy did not have backdoors installed by the Chinese government, he noted.
Huawei had to invest in a testing center in the U.K. to support GCHQ, the NSA's counterpart in the U.K., in inspecting its source code. U.S. companies may have to do the same to show their products have not similarly been backdoored by the NSA, he said.