23 February 2014

What will be hot at RSA? NSA/tech industry battle; cyberwarfare issues dominate

Ellen Messmer
20.02.2014
It's almost a shame that former National Security Agency contractor Edward Snowden won't be at the upcoming RSA Conference since the disclosures he's leaked about the NSA's mass surveillance practices involving the U.S. high-tech industry are directly influencing a preponderance of conference agenda this year.

But Snowden, considered a whistleblower by some and a traitor by others, still seems to be holed up in snowy Russia, having fled there and been given refuge by President Vladimir Putin. Meanwhile, the effect of the NSA documents Snowden leaked over the past eight months -- that the NSA works with Google, Microsoft, Apple, Yahoo, Facebook and others to collect information about non-U.S. citizens in particular, or otherwise vacuums up all data possible -- has emerged as a top privacy and security concern. In his keynote at the RSA Conference this year, Scott Charney, Microsoft's corporate vice president, trustworthy computing, is expected to take up the topic of government surveillance, because, according to the description of the Microsoft talk, "trust in technology has been badly undermined by public disclosures of widespread government surveillance programs."


"I think it's safe to say that the 95% of the world's population subject to espionage by the NSA is not happy about it," says Tatu Ylonen, CEO at SSH Communications, based in Helsinki, Finland, who will be at RSA. RSA Conference is global in scope and will be attended by many international visitors and companies, including Chinese networking giant Huawei, which will have a pavilion there with other Chinese companies, and the exhibit floor will also have a section carved out for German IT security providers. Huawei has essentially been shut out of the U.S. federal market, primarily due to allegations from the NSA that Huawei products represent a threat to the security of the U.S. and its allies because Huawei has close ties to the Chinese government and facilitates cyber-spying.

Ylonen points out there's a backlash in Europe because of the NSA cyber-spying that's extending not just to U.S.-based IT service providers but security providers as well. It's leading to an erosion of U.S. competitiveness, Ylonen observes.

While this might be seen as an advantage to non-U.S. companies, the simple fact is that mass surveillance by other governments for cyber-espionage purposes also appears to be occurring in China, Russia, Great Britain and probably France and Israel, if not other places, Ylonen points out. He says the effect of the Snowden document leaks to the media about the NSA is resulting in a "call to action" to the high-tech industry to come up with new technologies to thwart mass surveillance, lest the world end up like the infamous surveillance state of East Germany in the Cold War era.

The RSA Conference is organized by RSA, the security division of EMC. There's a lot of anticipation about whether RSA's executive chairman Art Coviello, who kicks off the conference with his annual keynote, will take up the topic of the NSA since a Reuters investigative report last December asserted that RSA accepted a $10 million contract from the NSA in the past to include a crypto algorithm pushed by the NSA as the default algorithm in the BSAFE toolkit that RSA offers for building crypto capabilities into products.

That crypto algorithm, called Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), which is also a NIST standard, was long suspected by crypto experts of possibly being an NSA backdoor. Documents leaked by Snowden assert it is. Most of the high-tech industry now believes that, and documents found on the NIST website suggest NIST may reach the same conclusion. NIST is not publicly discussing its conclusions about Dual EC DRBG yet.

RSA has offered only a single, non-committal blog response to the Reuters investigative story about the alleged $10 million NSA contract related to BSAFE. Though the official description of Coviello's keynote talk says he is expected to discuss cloud, mobile and Big Data for security, there's an expectation that he has to take up the prickly issue of Dual EC DRBG, which has had a huge impact on RSA's reputation.

"I would certainly like to hear him say something about it," says John Dickson, CEO at Denim Group, who will be at the conference, adding, "But if I were his attorney, I wouldn't necessarily want him saying anything about it." Coviello has been in a tough spot before, as when three years ago he had to discuss how a suspected nation-state broke into the RSA network to steal information related to the RSA product SecurID. But this is different. "He will play defensive for the first time, not the gracious host," Dickson noted.

There has been so much anger in the security community over the BSAFE issue that several experts who were once slotted to speak at RSA have bolted from the RSA Conference, and it's led to an alternative security conference springing up next door, TrustyCon. TrustyCon, taking place on Thursday, is dedicated to the "trust" theme, one aspect being that products don't have government cyber-espionage backdoors in them.

And controversy just keeps flying. Microsoft, which has a large pavilion in the exhibit hall at the RSA Conference, initially sponsored TrustyCon but then suddenly dropped sponsorship.

When asked about this, a TrustyCon spokesperson said Microsoft had to pull out of sponsoring TrustyCon "due to contractual issues" associated with the RSA Conference, but wouldn't say more. Microsoft simply issued a statement saying, "Sponsoring TrustyCon, which is currently perceived as an 'anti-RSA conference,' is not consistent with our plan to engage at the RSA Conference."

Dickson from Denim Group says there's some suspicion that RSA put pressure on Microsoft to drop TrustyCon.

The NSA and government cyber-espionage theme -- and even "cyberwar" -- will be apparent in many sessions and panel events this week at the conference. Here's a sampling:

- "Understanding NSA Surveillance: The Washington View," with James Lewis, program director, Center for Strategic and International Studies, Michael Hayden, principal, the Chertoff Group and Richard Clarke, CEO, Good Harbor Security Risk Management.

- "The Next World War Will Be Fought in Silicon Valley" is the provocative title of the keynote expected from Nawaf Bitar, senior vice president and general manager, security business unit, Juniper Networks.

- Bruce Schneier, CTO at Co3 Systems, speaking on "NSA Surveillance: What We Know, and What to Do About It."

- Richard George, senior adviser for cyber security, Johns Hopkins University Applied Physics Lab, will speak on "What is Going on at NSA These Days." This is a topic many might well be curious about after the Snowden leaks, but it should be noted that George, a former NSA employee who was given permission by the NSA to make public appearances in the past, has proven adept at not revealing anything.

For all that, RSA Conference won't be all about government cyber-espionage by any means. There will be plenty of sessions devoted to other topics, such as cyber-crime and how to fight the international scourge of criminal hacker gangs running botnet operations. Dan Hubbard, CTO at OpenDNS, for example, will be speaking about how in some cases, it is possible to predict what cyber-criminals will do in advance through predictive algorithms and stop them.

"We've been stopping CryptoLocker this way," he says, referring to the notorious encryption-based malware that can lock up the victim's data files and then demand payment to unlock them with the decryption key.

While the OpenDNS approach can't stop an initial CryptoLocker infection, it can block the key download the cyber-criminals attempt, he points out. Hubbard says he hopes the security community takes a closer look at what algorithms for predictive reasoning can do, and that security people around the world collaborate closely to stop the botnet scourge.
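The resolver-side blocking Hubbard describes, where an infected host's lookup for the key-retrieval domain is refused even though the infection itself was not prevented, can be illustrated with a small policy filter. The following is an added example, not OpenDNS's code or the article's own; the blocklist, the entropy-based heuristic for algorithmically generated names, the `.invalid` placeholder domains and the resolver log lines are all constructed for the illustration.

```python
"""Constructed illustration of DNS-layer blocking of a malware key/C2 lookup.
Not OpenDNS's code: the blocklist, heuristic, thresholds and log lines are made up."""
import math
import re
from collections import Counter

# Domains a hypothetical predictive system has already flagged. Placeholder
# names in the reserved .invalid TLD, not real indicators.
PREDICTED_C2 = {"example-c2-one.invalid", "example-c2-two.invalid"}

# Constructed log format: "<timestamp> <client-ip> query <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def vowel_ratio(label: str) -> float:
    """Fraction of characters in `label` that are vowels."""
    if not label:
        return 0.0
    return sum(label.count(v) for v in "aeiou") / len(label)


def registered_domain(qname: str) -> str:
    """Last two labels of the queried name. Assumes single-label TLDs; a real
    resolver would consult the Public Suffix List for names like example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_generated(label: str) -> bool:
    """Crude heuristic for domain-generation-algorithm output: long, high-entropy,
    nearly vowel-free labels. Thresholds are illustrative, chosen so ordinary
    words such as 'networkworld' pass while random consonant strings are caught."""
    return (len(label) >= 10
            and shannon_entropy(label) >= 3.3
            and vowel_ratio(label) <= 0.2)


def resolve_policy(qname: str):
    """Return ('block', reason) or ('allow', None) for one queried name.
    A blocked answer means the host cannot reach the key server it asked for."""
    domain = registered_domain(qname)
    if domain in PREDICTED_C2:
        return ("block", "predicted-c2")
    if looks_generated(domain.split(".")[0]):
        return ("block", "dga-heuristic")
    return ("allow", None)


def filter_log(lines):
    """Apply the policy to resolver log lines; one (client, qname, action, reason)
    tuple per parseable line."""
    decisions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        action, reason = resolve_policy(m["qname"])
        decisions.append((m["client"], m["qname"], action, reason))
    return decisions


def blocked_clients(decisions):
    """Hosts whose lookups were blocked: the machines to triage for infection,
    since blocking the lookup does not remove the malware that issued it."""
    return sorted({client for client, _, action, _ in decisions if action == "block"})


# Constructed resolver log: two clean lookups, one hit on the flagged list and
# one random-looking label of the kind a domain-generation algorithm produces.
SAMPLE_LOG = [
    "2014-02-20T10:01:02Z 10.0.0.5 query www.example.com A",
    "2014-02-20T10:01:03Z 10.0.0.7 query example-c2-one.invalid A",
    "2014-02-20T10:01:04Z 10.0.0.5 query networkworld.com A",
    "2014-02-20T10:01:05Z 10.0.0.9 query qwxkzpvjtrlmnbd.invalid A",
]

if __name__ == "__main__":
    for client, qname, action, reason in filter_log(SAMPLE_LOG):
        print(f"{client:10} {qname:28} {action} {reason or ''}")
    print("hosts to triage:", blocked_clients(filter_log(SAMPLE_LOG)))
```

The two-stage policy mirrors the distinction in the article: the blocklist stands in for names a predictive system has already flagged, and the heuristic catches lookalike names the list has not seen yet. The list of blocked clients is the useful by-product for responders, because a refused lookup tells you which host is already infected and still needs cleaning.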

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com

http://news.idg.no/cw/art.cfm?id=2D477F09-9B80-F194-3A817E77415CB45F