Secrecy is not a poor security practice as much as a compromise of integrity.
EMC’s RSA Security division recently made headlines when its enterprise products were expertly hacked, undermining the security of thousands of organizations globally and embarrassing the industry pioneer. The company, whose illustrious founders – Ron Rivest, Adi Shamir and Leonard Adleman – are rock stars in the security industry, is now battling an even greater threat to its existence than a contingent of – allegedly Chinese – hackers.
That threat comes from within, but not from insider hacking. It comes from a comedy of errors in which RSA is only one of the actors, albeit one whose trust and influence have been built over a third of a century.
The decision to watch quietly as the NSA corrupted global security standards and subverted the process of getting them accepted through the National Institute of Standards and Technology (NIST). That process tarnished NIST’s reputation as the publisher of rigorous computing standards and undermined the good work of thousands of people. Despite the far reaching implications, NIST recently issued a statement indicating that they will continue to work with the NSA. Did they have a choice? Probably not. Should the NSA stop abusing its authority and damaging the economy? President Obama and his crew definitely think so.
But that ‘guidance’ may be too little, too late for RSA, whose decision to timidly release a recommendation to a limited number of its clients 3 months ago was intended to soften the impending blow to its reputation without saying too much.
Though it was far from precise, that lack of completeness did not result from a failure to explain that the software they had sold to a trusting public was artificially weakened to enable illegal spying. Its failure was in omitting to disclose that RSA Security took money in exchange for its complicity. And silence.
How much? If only they had made a good deal there, someone, somewhere might have been able to build a twisted case for acceptability of the dignity cost. Alas, for a $2 billion global security leader to take only – get this – $10M for its part in conspiring to deceive a global marketplace is indicative of some serious forces at play. And one of them is RSA’s accelerating battle against obsolescence.
As we try to find our footing through this new, post-Snowden world, we’re starting to see things with different eyes and we should expect no shortage of surprises. But aside from the breaches of trust, I for one lament the seismic damage to the institutions that real people have built with real sweat and real passion over the past century.
Security by obscurity doesn’t work, and one key reason is that dignity can be retroactively damaged. Immanuel Kant said it best when famously asserting that everything has either a price or dignity. In choosing to take money for its part in a massive deception, RSA early on gave up the right to chalk its actions up to altruism, national security and the global war on terror.
Image courtesy of Shutterstock