How the NSA has destroyed trust

Because we know that the NSA has attempted, and in some cases succeeded, in making vendors and other third parties complicit in their data collection, it's hard to completely believe vendor denials anymore. It's the vendors who are the biggest victims here.
Written by Larry Seltzer, Contributor

RSA Security has denied that they took money from the NSA to use a backdoored random number generation algorithm in their products. Do you believe them?

As security guru Bruce Schneier shows, you just can't trust anyone anymore about these things. This is perhaps the most poisonous and damaging outcome of the NSA's activities in recent years (or at least of the disclosure of those activities).


As a general rule, I look on tech companies as victims in this scandal. In fact, they're far bigger victims than nearly any individual civilian for exactly this reason. A large part of what tech companies sell, particularly in the security business, is trust. As Schneier shows, trust is essential in any functioning society, but computer security is so complicated that you simply have to trust the vendors you deal with.

This is why many of these companies have been suing the government in the FISA court for permission to disclose more about their level of cooperation with government data collection. They need for their customers to be able to trust them, and as things stand, the companies are not allowed to refute many of the most extreme allegations.

As for the RSA allegation, I think it may be logically impossible for them to refute the charge, even if it's false. They would have to prove a negative, i.e. that they didn't have this secret contract. Even if the NSA officially denied it, and even if an audit of RSA's contracts didn't find it, would you say that proves it didn't happen? If they had intentionally backdoored their products, it would be ruinous to RSA's reputation; the only reasonable thing to do might be to lie about it and place their fate in the ambiguity of it all.

There's a lot of argument about whether the NSA's tactics have actually prevented much terrorism or otherwise aided the security of the United States. We're not allowed to know the details of that. What we do know is that the NSA has weakened the security of the tech industry, that of many tech companies in particular, subverted the security of an industry standard, and given the whole world reason to mistrust US authorities and companies. Something needs to be done, although it won't work quickly. Trust can be destroyed in short order; it takes a long time to establish, perhaps even longer to re-establish.
