US government’s hacking tools may end up with criminals
Government's purchase of information about undisclosed flaws in software is troubling and brings 'collateral damage', experts say
Electronic spying tools used by the US government could end up in the hands of organised criminals and hackers, further eroding internet security, warned industry leaders who called for new restrictions and oversight of government activity.
"It is a big worry" that the methods will spread, said Andrew France, former deputy director of Britain's NSA equivalent, GCHQ, and now chief executive of security start-up Darktrace.
The government habit of purchasing information about undisclosed holes in software was also "really troublesome", said former White House cybersecurity adviser Howard Schmidt. "There's collateral damage."
Both France and Schmidt were speaking at the annual RSA Conference, the world's largest cybersecurity gathering, in San Francisco last week. RSA is the security division of electronic storage company EMC.
Security researchers say that secret state tools tend to fall into the hands of mobsters and eventually lone hackers. That trend could worsen after former NSA contractor Edward Snowden disclosed NSA capabilities for breaking into Cisco Systems routers, Dell computer servers and all kinds of personal computers and smartphones, industry leaders and experts warned at the RSA conference and two smaller gatherings in San Francisco convened partly to discuss RSA's government deals.
Both the US and the security industry itself came under fire at the various assemblies.
Previously faulted mainly for their inability to stem the tide of attacks, security providers such as RSA have become frontline victims themselves. Hackers tied to China breached RSA in 2011 in order to falsify credentials used by employees at US defence contractors.
"A lot of companies have been lax as to their own security," said RSA conference speaker David Cowan of Bessemer Venture Partners, who co-founded Verisign, an internet infrastructure and security company spun off by RSA in 1995.
Far worse was the revelation in December that RSA had accepted a US$10 million federal contract largely to promote the use of a flawed cryptographic formula developed by the NSA.
Though experts publicly called the system suspicious in 2007, it remained the default in RSA's widely distributed kit for securing software until documents leaked by Snowden last year suggested it had been planted by the NSA to provide the agency back-door access to a wide variety of computer programs.
Though sources said in the autumn that RSA had been duped instead of bribed, the resulting outrage led several speakers to withdraw from RSA and speak at a rival gathering.
Such revelations have further eroded trust between the industry and public agencies.
RSA executive chairman Art Coviello, who had been silent on the contract, devoted much of his conference opening speech to the controversy.
Without going into specifics, Coviello turned on his erstwhile partners at the intelligence agency, implying RSA had been misled. He endorsed a recommendation by a White House review panel that the NSA's defensive mission be separated from its much larger spying mandate.
"RSA, and indeed most if not all major security and technology companies, work primarily with this defensive division within NSA," Coviello said. "When or if the NSA blurs the line between its defensive and intelligence-gathering roles, and exploits its position of trust within the security community, then that's a problem."
Some attendees said they saw his comments as an attempt to deflect attention from his company's culpability for the contract after the outcry.