Make cyberwar a no-no equal to nukes, bio, and chemical attacks, says RSA headman

RSA's chairman Art Coviello has come out fighting over claims that his firm is colluding with the NSA to weaken standards, calling for the breakup of the intelligence agency and a new global set of standards to make online warfare as unacceptable as the use of nuclear or chemical weapons. Coviello said that RSA, along with …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters

    A mixed blessing

    You know that the first thing that will happen is that someone will heed the cry "cyberwar" and ram his thing into the breach to bring "FREEHDUMS" to other people by basically blowing large swathes of a foreign country to smithereens from on high.

    Then the guy will go home and collect the votes.

    Meanwhile, the croaking begins.

    1. Anonymous Coward

      I call BS

      This is a "please keep buying from us because I'm saying the right thing" speech. Just to pick on a few things:

      - "Stop government hacking". Puhleez. It's your country, go fix them first because from where I'm standing, it's you "freedom fighter" lot who are in the spotlight in the worst possible way (I agree with the OP). There is no other nation that on the one hand alleges to fight the bad guys and on the other hand acts like one.

      - "make cyberwar as bad as nukes". Hopefully, we'll be a while yet that a cyber attack can hit infrastructure as bad as one device. Or is RSA software now really that bad? Oh, and as far as I know, there is as yet only one nation that used a nuke for real. Again, clean up at home first.

      - "collaborate to catch hackers". Already in place, for many years, but you have to play by the rules. What you really are saying is "let's please ALL ignore probable cause and due process like we do it in the good old USA so we can run roughshod over the rights of people on a global scale, well, even more than when we started the spectacularly successful anti-terror lark"

      - "protect people's privacy". Again, sort out your own house. The rest of the world was doing reasonably well until US companies like Google discovered there was a lot of money to be made (and intelligence to be gathered, let's not forget that) by ignoring people's rights and collecting data on them. Sometimes done by deception, sometimes simply by ignoring local laws, the rights of non-US people were eroded to a level already established in the US, and any protestation was either met with bribes, lobbying or plain hard ignoring of the law (Google's "we're not beholden to UK law" springs to mind).

      Let me summarise my reply in one sentence: once you have cleaned up the mess you have locally, come back. Until then, shut up, and don't expect me to trust your software because you talk so nice. You're still subject to all the mechanisms you decry - which means we cannot trust your software.

      And I suspect you're starting to feel the pain of that already.

  2. Tikimon

    Nukes are hard, Cyberwar is easy - no comparison!

    Leaving aside the fact that governments are going to run roughshod over their citizens' rights for power no matter what we want...

    It's still quite difficult to make nukes or bioweapons. One needs serious specialty equipment and a nice lab somewhere. Any a-hole can knock together cyberweapons on a decent-spec home computer. Anti-nuke-proliferation tactics simply won't apply to cyber attacks. Totally different class of threat and availability.

    Back to governments giving us some privacy and freedom... what the hell would they do THAT for? They want total access and control, they don't care about you or me. Yes, I'm calling him naive...

    1. solo

      Re: Nukes are hard, Cyberwar is easy - no comparison!

      ".. I'm calling him naive .."

      I'm calling him an ostrich.

      1. Anonymous Coward

        Re: Nukes are hard, Cyberwar is easy - no comparison!

        I'm calling him an ostrich.

        Well, that gets at least the bending over out of the way :)

        /me tiptoes away ...

  3. Steve Knox

    ...a new global set of standards to make online warfare as unacceptable as the use of nuclear or chemical weapons.

    So all the major players will be doing it, and everyone will know they're doing it, but they'll continue to try to deny it and hide to what extent they're doing it?

    This is different from the current state of affairs how, exactly?

  4. Mark 85

    Fantasy Land?

    I'm thinking that this is wishful thinking on his part. Until the world fundamentally changes, this has about as much chance as a snowball in hell. There's still chemical, nuclear, and biological weapons in abundance. There's still those who seek to destroy others and make them follow their beliefs. There's still power-hungry and greedy folks looking to conquer. His naivete reminds me of the yogi types who think that if they hug and say nice things then war, starvation, crime and all the ills of the world will go away.

    And there are those who will always try to break into computer systems for fun and profit just like there are those who will create mayhem with explosives over religion, politics, and personal grudges...

    Meh...

    1. amanfromMars 1

      Re: Fantasy Land?

      Quite so, Mark 85, I agree with the view and would wonder at the fitness of the state of mind of the RSA headman and would ask who on Earth he would be thinking would be listening and taking heed of his utterings. Certainly any and all concerned and working with intelligence will realise they be high fantasy and simply unlikely.

      I would just single out this one point for alternative viewing in this new age of zerodays ....

      First, he said, governments around the world need to renounce the use of offensive cyberweapons, and through treaties and mutual agreements make them as forbidden as nuclear, chemical, or biological weapons.
      ..... Governments around the world purchase from and outsource everything they need to special private and/or pirate sector operatives/smarter individuals who are very effectively hidden in the shell fronts of such intelligently designed entities as are mega corporations/specialising ventures/sensitive companies etc. Government itself is clueless and impotent. It merely picks up the tab and pays the piper for the tunes they and IT play.

      And ask yourself these two telling polar opposite questions ....... Whenever one has an offensive cyberweapon and remote invisible space command and control capability and utility and facilities which render to one whatever one would need and/or desire, why would one renounce it rather than use it to its fullest creative mutually beneficial advantage for maximum personal gain? And why would one not think of using them and IT to do massive catastrophic destruction to selected targets for maximum personal gain, for either and all possible variations in between such two extreme courses are equally easily available for delivery?

      One cannot defend a system unless one knows its systemic weaknesses and how they are to be attacked to create a flow of irreversible devastation that will destroy systems administration/its guiding heads, and if the system be deemed to be perverse and corrupt and inequitable and not worthy of future consideration, intelligence would surely require it not be saved in anything like its present forms with current executive administrators/head honchos.

      And that last sentence is akin to providing defensive advice from an offensive perspective which has GCHQ UK Top Secret Strap 1 markings as shown in the last slide of twelve here ...... http://cryptome.org/2014/02/gchq-cyber-effects.pdf

      Those boys and girls need to get out more and realise who the real enemy is, for they are easily quickly destroyed in a flash series of crashes which puts intelligent communities in command and control of everything and anything, anywhere and everywhere ...... and that be an Ab Fab Fabless Domain and no Fantasy Land.

      1. Anonymous Coward

        Re: Fantasy Land?

        @amanfromMars 1, I broadly agree with you, but I think we need to step back a bit and ask a couple of important questions, such as "why".

        Governments have law enforcement capabilities, because they can otherwise not do their job. Intercept is part of that toolset, collaboration across borders is another, and we would all be fairly OK with their use for fighting crime. But that's where the problem lies: those powers are used for other things than originally intended.

        What is needed is not some global avoidance of people's rights - what is needed is that every country involved starts providing proof it can be trusted with those powers through (controlled) transparency. Otherwise their politicians should be made to wash out their mouths with double strength creosote every time one of them dares to utter phrases like "for the people" and "our democracy".

  5. Anonymous Coward

    "Sticks and Stones"

    I find it strange how "saying the wrong thing" or more specifically the right wrong thing, can be elevated to "warfare" status. Let alone flipping nuclear war!

    Imagine if in real-life warfare, you could have a perfect, impenetrable defence by simply not participating in the war. World peace would ensue! There would certainly be no such thing as a superweapon.

    Surely the real crime should be writing insecure software, not testing it (and/or not fixing the bugs you found) and then selling or deploying it as if you had.

    Inflating the hysteria about "cyberwarfare" (to the levels of chemical and nuclear war, no less!) sounds to me like yet another attempt to control "problem" citizens. I.e. individuals who present a threat to those in power. They'll be calling it "cyberterrorism" next..

  6. Piro

    Slipping standards at The Register?

    "And while your at it,"

    you are at it, surely, or "you're".

  7. Primus Secundus Tertius

    Beware homophones

    The sub-heading should read "...while you're at it...".

    Looks like the report was dictated into a computer. But these things do need to be checked, even if it costs time and money.

    Sorry to put this in the comment area, but there did not seem to be a 'report errors' button.

    Sorry again. Just seen a 'report errors' button, but it was on the comment page, not the main article page.

  8. Oninoshiko

    What a buffoon

    Real people are killed by nuclear, chemical, and biological weapons. Barring major advances in the transhumanism movement, no one is going to die from a cyber-attack.

    Hell, outlaw CONVENTIONAL wars, and permit cyberwars!

    1. Anonymous Coward

      Re: What a buffoon

      You have got to be kidding... With all of the dumb smart infrastructure, you could easily kill people. Just trash their electricity and water facilities, blow up their power plants, let them crash cars from lack of traffic signals, destroy a country's economy leading to starvation, looting and murder... You absolutely could kill with a cyber attack.

      1. Tomato42

        Re: What a buffoon

        @AC: maybe, the first or the second year after that happened

        then the people that run them would get a clue and do what they should have done since the start: put them on ISP-level VPNs completely separate from the Internet

        we already have the technology to be nearly 100% safe, they are just not using it

        also, it seems that the idea of "fail safe" has escaped you

        1. tom dial

          Re: What a buffoon

          Better yet, disconnect them from the public internet and either control them manually on site or run an additional, purpose-built network, with no interconnection (not even the same PC/terminal) for remote maintenance. That will increase costs (but also employment) and take time to deploy, but eliminate a lot of opportunities for mischief. We really ought to be doing that even now. We have gotten a bit lazy and may have to pay the price.

          1. solo

            Re: What a buffoon

            "... That will increase ... time to deploy ..."

            And that will increase job opportunities.

      2. Oninoshiko

        Re: What a buffoon

        So if the right sequence of events maybe just so happened you might be able to kill someone. Maybe. Assuming there are no physical safeties, something we've known how to do since the Therac-25 problems.

        Know what happened the last time my electricity was out? I sat in the dark (actually, I was at work, the non-networked generator turned on like nothing happened. Just like it does at every hospital)

        Know what happened the last time I didn't have running water? we got bottled water.

        Know what happened the last time the traffic lights were out? Everyone treated them as stop signs.

        All of these things have happened where I live in recent memory. Keep calm and carry on.

        Now compare that with shoving a 7.62×39mm round through someone's chest at 640m/s.

  9. Chris Miller

    As Bruce Schneier put it

    (at The Register - Live 2011 event at Millbank) I paraphrase:

    Cyberwar is like an invading army landing on your shores; fighting their way up the beaches; and then pushing in front of the queue at the Post Office.

    1. Lars

      Re: As Bruce Schneier put it

      Did Bruce Schneier not say anything about playing with nuclear plants, the grid, traffic systems and such?

      And to Oninoshiko, cyberwar fought in cyberspace is called playing war games on computers, no great need to ban that although it would be nice if there was no need for it.

  10. Tomato42

    Someones pockets...

    It looks like someone's pockets have just been hit, and it hurt, it hurt a lot.

    If I was a little bit less cynical about it I might have said that this will make them learn, but I've seen it too many times.

  11. Mephistro

    Pure BS of the finest quality

    "...saying that RSA worked with standards bodies and had changed its software once the flaw had been found in the encryption technique."

    That's technically true. He forgets to mention that they fixed the flaw SEVEN YEARS after it was found.

    But he defended the company's support for the pre-weakened Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) standard endorsed by the National Institute of Standards and Technology

    That's also technically true. But they were paid 10 million by the RSA to include the bug in their software THREE YEARS BEFORE the NIST endorsed the standard.

    Either this motherf gentleman is a true PRO bullshitter or he is employing the best spin doctors available.

    Blame the limitations of human language... :-(

    1. tom dial

      Re: Pure BS of the finest quality

      An upvote for the reminder that Dual_EC_DRBG was known for years to be a bit funny.

      A few points, however:

      - It's a fine point, to be sure, but there is not, as far as I have seen, proof that NSA knows the particular values that would make the generator an open book. It was known early on that the generator was biased, and that should have been enough to make anyone knowledgeable (like RSA, perhaps, or NIST) wary of using it. The Shumow and Ferguson paper showed that numbers exist that would make the DRBG predictable to one who knew them. They did not demonstrate a way to obtain them. I have seen no reports of evidence that NSA knows them, and don't know that the values are an automatic byproduct of, or even obtainable from, the construction method specified in Appendix A of the NIST recommendation, which might actually have been used to produce the publicly revealed constants.

      - I was unwilling to cough up $100 to see the specified X9.62 standard, but anyone who was, or had access to an X9.62 validated generator could generate their own initial points and be free of the suspicion that NSA had the secret points that would break their generator.

      I may be wrong in this. I am not an expert in the field, nor widely familiar with the published (or unpublished) literature; but then neither are the vast majority of those who have written or commented about this issue. That said, I would judge the claim that Dual_EC_DRBG was backdoored to be "not proved", along with the claim that RSA is guilty of accepting a bribe to include it.

      Dual_EC_DRBG in its standard implementation is questionable for both bias and the possibility that NSA (or someone else) might have a back door, but an independently produced implementation using different constants might be free of those concerns. It does occur to me, however, that it may be difficult to pick initialization points for the algorithm to produce unbiased output: if it were easy, NSA surely would have done so, whether or not they were simultaneously creating a back door.
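      The Shumow and Ferguson observation that tom dial refers to above is concrete enough to run. The following is an added worked example, not code from the article or from any commenter: it builds the Dual EC DRBG state machine (s_i = x(s_{i-1} P), r_i = x(s_i Q)) on a 28-point toy curve, y^2 = x^3 + x + 1 over GF(23), instead of P-256, and plants the relation P = d*Q for a d chosen here (d = 5). The trapdoor scalar, the seed, and the function names are assumptions of this example. The real standard drops the top 16 bits of each x-coordinate before output; this toy emits the whole x-coordinate, so the recovery is exact instead of a 2^16 candidate search. Everything else is the same mechanism: one output block lets whoever knows d compute the generator's next state and therefore every later output, while an implementer who only sees P and Q cannot tell whether such a d exists.

```python
"""Toy Dual_EC_DRBG with a planted P = d*Q relation (example code, not from the article).

Curve: y^2 = x^3 + x + 1 over GF(23), 28 points, cyclic.  Small enough to
check by hand, large enough to show why knowing d turns one output into the
next internal state.  The secret d, the seed and all names are this example's.
"""
from math import gcd

FIELD_P, CURVE_A, CURVE_B = 23, 1, 1   # toy curve; FIELD_P == 3 (mod 4) makes square roots cheap
INF = None                              # point at infinity


def _inv(v):
    return pow(v % FIELD_P, FIELD_P - 2, FIELD_P)   # Fermat inverse, FIELD_P is prime


def ec_add(p1, p2):
    """Affine short-Weierstrass addition; handles doubling and p1 == -p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return INF                                   # p1 + (-p1)
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * _inv(2 * y1) % FIELD_P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    y3 = (lam * (x1 - x3) - y1) % FIELD_P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ec_order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur = ec_add(cur, pt)
        n += 1
    return n


def lift_x(x):
    """Recover some point with this x-coordinate; the sign of y does not matter
    because d*R and d*(-R) share an x-coordinate."""
    rhs = (x ** 3 + CURVE_A * x + CURVE_B) % FIELD_P
    y = pow(rhs, (FIELD_P + 1) // 4, FIELD_P)        # sqrt for FIELD_P == 3 (mod 4)
    if (y * y) % FIELD_P != rhs:
        return None                                  # no point has this x
    return (x, y)


# Public points.  P generates the group; Q is derived from P with the secret d
# so that P = d*Q.  Anyone handed only P and Q cannot detect this relation.
P = (0, 1)
N = ec_order(P)                          # 28 on this curve
SECRET_D = 5                             # trapdoor scalar chosen for this example
assert gcd(SECRET_D, N) == 1
Q = ec_mul(pow(SECRET_D, -1, N), P)      # Q = d^-1 * P, hence d*Q = P
assert ec_mul(SECRET_D, Q) == P


def dual_ec_generate(seed, rounds):
    """Dual EC core: s_i = x(s_{i-1} P), r_i = x(s_i Q).  Returns (outputs, final state)."""
    s, outputs = seed, []
    for _ in range(rounds):
        s = ec_mul(s, P)[0]
        outputs.append(ec_mul(s, Q)[0])
    return outputs, s


def recover_next_state(r_i, d):
    """From one output r_i = x(s_i Q) compute s_{i+1} = x(s_i P), using P = d*Q."""
    R = lift_x(r_i)                      # s_i*Q up to sign
    return ec_mul(d, R)[0]               # d*(s_i Q) = s_i*(d Q) = s_i*P  ->  next state


def predict_from_first_output(first_output, d, count):
    """Attacker's view: given only r_1 and d, reproduce r_2 .. r_{count+1}."""
    s = recover_next_state(first_output, d)
    predicted = []
    for _ in range(count):
        predicted.append(ec_mul(s, Q)[0])
        s = ec_mul(s, P)[0]
    return predicted


if __name__ == "__main__":
    outs, _ = dual_ec_generate(14, 5)
    print("generator outputs :", outs)
    print("attacker predicts :", predict_from_first_output(outs[0], SECRET_D, 4))
```

      The point of the second assertion near the top (ec_mul(SECRET_D, Q) == P) is that the relation is verifiable only by someone who already holds d; the tom dial comment's suggestion, generating your own Q with a fresh random scalar rather than accepting the published constant, is exactly what removes the attacker's knowledge of d. On this toy curve the state space is so small that orbits collapse to a fixed point after a few rounds, which is why the sample run repeats; on P-256 the same one-output recovery works with an extra 2^16 factor for the truncated bits.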

  12. Paul Hovnanian

    Control

    Keeping the materials needed to build nuclear, chemical, or biological weapons out of the hands of terrorists, bad guys or rogue states isn't very difficult. At least not compared to the controls needed to keep cyber weapon precursors* out of their hands.

    That level of control would make a totalitarian police state green with envy. It would also make the likes of the MPAA, RIAA and the major software houses, who would undoubtedly retain the rights to own/operate such tools, giddy with the thought of no more garage start-ups taking their markets or sharing their intellectual property.

    A background check and permit to own a compiler? I don't think so.

    *A PC with a decent tool suite.

  13. amanfromMars 1

    Cold War Warrior Tactics in Hot Space Ware Zones

    Methinks this is appropriate spooky information to exchange on this thread, El Reg ...... http://pastebin.com/irj4Fyd5

  14. Anonymous Coward

    Or else let's throw more chemical, cyber, nuclear attacks?

    And a laser cannon

  15. DocJames
    Mushroom

    Bizarre. All the others are predicated on the fact that they were (and some still are) difficult to manage in a low key way - they started as mass weapons and couldn't be directed. "Cyberwarfare" could end up including 419 scammers: not people I hold any great love for, but not in the same league as those using biological weapons.

    It'll end up having the opposite effect to that claimed. It'll be a restriction on what most people can do, whilst allowing those with power to continue to do whatever they want. Much like non-proliferation treaties...

    I can't believe nobody else has used the icon yet

  16. genghis_uk
    Coat

    Give PCs a chance man!

    Ok, sorry, I'm going...
