Does RSA understand what happened to them?
Blogmaster Note: This was originally posted on January 18, 2012 to ComputerWorld UK’s Security Spotlight Blog.
This was not just an attack on RSA, it was an attack on all of us. In Tim Greene’s article, “RSA security breach has silver lining, says CEO,” he quotes Art Coviello as saying “…we were able to minimise the damage…” and that “we’ve been engaged with customers at a strategic level as never before and they want to know in detail what happened to us, how we responded, what tools we used, what was effective and what was not.”
It’s hard to know what to say about this. The first thing that comes to mind is to paraphrase André the Giant’s retort to Wallace Shawn, “You keep using that word [minimise]. I do not think it means what you think it means.” For their engagement with customers, perhaps Dylan’s rebuke to Mr Jones, “something is happening here but you don’t know what it is.”
Let me be blunt on this. The hack on RSA stole the crown jewels for SecurID. It was a nation-state attack. RSA did warn its customers at the time that it could potentially “reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” but that was sugar-coating the magnitude of the loss. Indeed, the stolen secrets enabled attackers (presumably the same nation state) to hack into Lockheed Martin and steal trans-national secrets. Wikipedia documents it well. This is not minimal. This is about as bad as it gets. For all of us in the security business, we can certainly feel for the horribleness of being attacked like that, but it’s even worse for one’s customers to be breached because of their security products! For it to be worse, it would have to include direct loss of life, long-term environmental damage, or both.
The SecurID customers are not “engaging” with RSA because they want to. They want to know what happened, and if they are going to be next in an attack. RSA told them what happened only after they were sworn to secrecy about the attack. Since then, unconfirmed reports say that the vector was a Flash vulnerability in an Excel spreadsheet sent to recruitment consultants. The customers weren’t talking to RSA because they wanted to emulate their information security processes!
Does RSA get it? Do they understand the business they are in? All of us security experts are holders of the public trust. We design, build, and maintain public safety. The biggest failure we can make is that our products enable the bad guys to get to our clients. For nearly a year now, RSA has made light of the situation and brushed it aside. Nor have they come clean about what’s happened so that the rest of us can learn.
This was not just an attack on them, it was an attack on all of us in which they were the proximate victim; they were Patient Zero. They’re not alone in being attacked by nation states, either. Google, Symantec, Vasco, and others have suffered as well.
Bad things happen to good people. But good people have a responsibility to the rest of us. This is how society and technology improve. RSA needs to let its colleagues in the industry, all of its customers (not just the ones that signed an NDA), and the world at large know what happened.
In another month, RSA’s annual conference is occurring in San Francisco. This is the perfect opportunity to stop the whitewash, stop the joking happy talk, and treat this horrible event with the seriousness that it deserves. Stop the spin, come clean. Let’s all go forward better prepared to fight off these attacks. We all make mistakes and we learn to do better because we learn from each other. We need to know what happened and how to stop the next one. I call on Mr Coviello as a responsible leader in the security industry to lead a full accounting of what was done to him and his company for the betterment of us all.