How the NSA has destroyed trust

Summary: Because we know that the NSA has attempted, and in some cases succeeded, in making vendors and other third parties complicit in their data collection, it's hard to completely believe vendor denials anymore. It's the vendors who are the biggest victims here.

RSA Security has denied that they took money from the NSA to use a backdoored random number generation algorithm in their products. Do you believe them?

As security guru Bruce Schneier shows, you just can't trust anyone anymore about these things. This is perhaps the most poisonous and damaging outcome of the NSA's activities in recent years (or at least of the disclosure of those activities).

As a general rule, I look on tech companies as victims in this scandal. In fact, they're far bigger victims than nearly any individual civilian for exactly this reason. A large part of what tech companies sell, particularly in the security business, is trust. As Schneier shows, trust is essential in any functioning society, but computer security is so complicated that you simply have to trust the vendors you deal with.

This is why many of these companies have been suing the government in the FISA court for permission to disclose more about their level of cooperation with government data collection. They need their customers to be able to trust them, and as things stand, the companies are not allowed to refute many of the most extreme allegations.

As for the RSA allegation, I think it may be logically impossible for them to refute the charge, even if it's false. They would have to prove a negative, i.e. that they didn't have this secret contract. Even if the NSA officially denied it, and even if an audit of RSA's contracts didn't find it, would you say that proves it didn't happen? If they had intentionally backdoored their products, it would be ruinous to RSA's reputation; the only reasonable thing to do might be to lie about it and place their fate in the ambiguity of it all.

There's a lot of argument about whether the NSA's tactics have actually prevented much terrorism or otherwise aided the security of the United States. We're not allowed to know the details of that. What we do know is that the NSA has weakened the security of the tech industry, that of many tech companies in particular, subverted the security of an industry standard, and given the whole world reason to mistrust US authorities and companies. Something needs to be done, although it won't work quickly. Trust can be destroyed in short order; it takes a long time to establish, perhaps even longer to re-establish.

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...