Former UK spy exec warns NSA tools could fall into criminal hands

By on
Former UK spy exec warns NSA tools could fall into criminal hands

'It is a big worry'.

Electronic spying tools used by the US government could end up in the hands of organised criminals and hackers, a former executive of Britian's cyber intelligence agency has warmed.

"It is a big worry" that the methods will spread, said Andrew France, former deputy director of the UK's NSA equivalent, GCHQ, and now chief executive of security startup Darktrace.

The government habit of purchasing information about undisclosed holes in software is also "really troublesome," said former White House cyber security advisor Howard Schmidt.

"There's collateral damage."

Both France and Schmidt spoke to Reuters at the annual RSA Conference, the world's largest cyber security gathering, in San Francisco last week. 

Secret state tools tend to fall into the hands of mobsters and eventually lone hackers - a trend which could worsen after former spy contractor Edward Snowden disclosed NSA capabilities for breaking into all kinds of IT equipment, industry leaders and experts warned at the RSA conference and two smaller gatherings in San Francisco convened partly to discuss RSA's government deals.

Pointing fingers

Both the United States and the security industry itself came under fire at the various assemblies.

Previously faulted mainly for their inability to stem the tide of attacks, security providers such as RSA have become front-line victims themselves. Hackers tied to China breached RSA in 2011 in order to falsify credentials used by employees at US defence contractors.

"A lot of companies have been lax as to their own security," said RSA conference speaker David Cowan of Bessemer Venture Partners, who co-founded Verisign, an internet infrastrucure and security company spun off by RSA in 1995.

Far worse was the revelation RSA had accepted a US$10 million federal contract largely to promote the use of a flawed cryptographic formula developed by the NSA.

Though experts publicly called the system suspicious in 2007, it remained the default in RSA's widely distributed kit for securing software until documents leaked by Snowden last year suggested it had been planted by the NSA to provide the agency back-door access to a wide variety of computer programs. 

Though sources familiar with the deal said RSA had been duped instead of bribed, the resulting outrage led several speakers to withdraw from RSA and speak at a rival gathering.

Such revelations have further eroded trust between the industry and public agencies.

RSA executive chairman Art Coviello, who had been silent on the contract, devoted much of his conference opening speech to the controversy.

Without going into specifics, Coviello turned on his erstwhile partners at the intelligence agency, implying RSA had been misled. He endorsed a recommendation by a White House review panel that the NSA's defensive mission be formally separated from its much larger spying mandate.

"RSA, and indeed most if not all major security and technology companies, work primarily with this defensive division within NSA," Coviello said.

"When or if the NSA blurs the line between its defensive and intelligence-gathering roles, and exploits its position of trust within the security community, then that's a problem."

Some attendees said they found his demand, and an accompanying call for all countries to renounce cyber weapons, to be a convenient way to distract from his company's culpability for the contract after the outcry. But it allied RSA with protesters calling for restrictions on government spying efforts.

Microsoft vice president Scott Charney was among those using the RSA conference to press for international consensus on norms of online behavior.

Schmidt said that effort has been going on for six years, and attempts at even domestic legislation have failed.

"We're running out of options," Department of Homeland Security Advisor and DefCon hacking conference founder Jeff Moss told the upstart Trustworthy Technology Conference this week.

The crisis of confidence in the government calls into question one of the few things that those concerned with cyber security had agreed on for more than a decade: the urgent need for greater cooperation between the private sector and government.

If supposedly defense-oriented officials conned RSA, the thinking goes, then many technology companies could be unwitting conduits for US spies.

That might not prove crippling financially for the security industry, many said, because buyers still need protection from non-governmental hackers.

In an interview, Coviello said there had been "zero impact" on RSA's business.

Drops in overseas sales reported by Cisco, IBM and others might abate as companies prefer to risk having US government intrusion rather than be spied on by their own governments, said former White House cyber security advisor and recent review-panel member Richard Clarke.

"The alternative of buying Chinese or putting data in a European data farm is not great either," Clarke said. "The NSA can do anything overseas" without US court oversight.

Famed cryptographer Bruce Schneier, an outspoken opponent of mass surveillance, said Snowden had raised awareness on the extent of privacy invasions and showed that good encryption can force spy agencies to work harder and be more targeted in their investigations.

The chaos is also encouraging companies to move toward better encryption themselves and to offer encrypted services to customers.

But former US counterintelligence chief Joel Brenner said at a Thursday event away from the RSA conference that agencies would work through the legal system or use technology to circumvent any mass adoption of effective cryptography.

"That's la-la land to think that would happen," Brenner said at the "Suits and Spooks" event.

Got a news tip for our journalists? Share it with us anonymously here.
In Partnership With

Most Read Articles

Log In

Username / Email:
  |  Forgot your password?