By Joseph Menn
SAN FRANCISCO, March 3 (Reuters) - Electronic spying tools used by the U.S. government could end up in the hands of organized criminals and hackers, further eroding Internet security, warned industry leaders who called for new restrictions and oversight of government activity.
"It is a big worry" that the methods will spread, said Andrew France, former deputy director of the UK's NSA equivalent, GCHQ, and now chief executive of security startup Darktrace.
The government habit of purchasing information about undisclosed holes in software is also "really troublesome," said former White House cyber security advisor Howard Schmidt. "There's collateral damage."
Both France and Schmidt spoke to Reuters at the annual RSA Conference, the world's largest cyber security gathering, in San Francisco last week. RSA is the security division of electronic storage maker of EMC Corp.
Security researchers say that secret state tools tend to fall into the hands of mobsters and eventually lone hackers. That trend could worsen after former spy contractor Edward Snowden disclosed U.S. National Security Agency capabilities for breaking into Cisco Systems Inc routers, Dell Inc computer servers and all kinds of personal computers and smartphones, industry leaders and experts warned at the RSA conference and two smaller gatherings in San Francisco convened partly to discuss RSA's government deals.
POINTING FINGERS
Both the United States and the security industry itself came under fire at the various assemblies.
Previously faulted mainly for their inability to stem the tide of attacks, security providers such as RSA have become front-line victims themselves. Hackers tied to China breached RSA in 2011 in order to falsify credentials used by employees at U.S. defense contractors.
"A lot of companies have been lax as to their own security," said RSA conference speaker David Cowan of Bessemer Venture Partners, who co-founded Verisign Inc, an Internet infrastrucure and security company spun off by RSA in 1995.
Far worse was the revelation, by Reuters in December, that RSA had accepted a $10 million federal contract largely to promote the use of a flawed cryptographic formula developed by the National Security Agency.
Though experts publicly called the system suspicious in 2007, it remained the default in RSA's widely distributed kit for securing software until documents leaked by Snowden last year suggested it had been planted by the NSA to provide the agency back-door access to a wide variety of computer programs. The Wall Street Journal confirmed the Reuters report a week ago.
Though sources familiar with the deal said in the fall that RSA had been duped instead of bribed, the resulting outrage led several speakers to withdraw from RSA and speak at a rival gathering.
Such revelations have further eroded trust between the industry and public agencies.
RSA Executive Chairman Art Coviello, who had been silent on the contract, devoted much of his conference opening speech to the controversy.
Without going into specifics, Coviello turned on his erstwhile partners at the intelligence agency, implying RSA had been misled. He endorsed a recommendation by a White House review panel that the NSA's defensive mission be formally separated from its much larger spying mandate.
"RSA, and indeed most if not all major security and technology companies, work primarily with this defensive division within NSA," Coviello said. "When or if the NSA blurs the line between its defensive and intelligence-gathering roles, and exploits its position of trust within the security community, then that's a problem."
Some attendees said they found his demand, and an accompanying call for all countries to renounce cyber weapons, to be a convenient way to distract from his company's culpability for the contract after the outcry. But it allied RSA with protesters calling for restrictions on government spying efforts.
Microsoft Corp Vice President Scott Charney was among those using the RSA conference to press for international consensus on norms of online behavior.
Schmidt said that effort has been going on for six years, and attempts at even domestic legislation have failed.
"We're running out of options," Department of Homeland Security Advisor and DefCon hacking conference founder Jeff Moss told the upstart Trustworthy Technology Conference, held at a theater a block away from RSA's event.
The crisis of confidence in the government calls into question one of the few things that those concerned with cyber security had agreed on for more than a decade: the urgent need for greater cooperation between the private sector and government.
If supposedly defense-oriented officials conned RSA, the thinking goes, then many technology companies could be unwitting conduits for U.S. spies.
That might not prove crippling financially for the security industry, many said, because buyers still need protection from non-governmental hackers.
In an interview, Coviello said there had been "zero impact" on RSA's business.
Drops in overseas sales reported by Cisco, International Business Machines Corp and others might abate as companies prefer to risk having U.S. government intrusion rather than be spied on by their own governments, said former White House cyber security advisor and recent review-panel member Richard Clarke.
"The alternative of buying Chinese or putting data in a European data farm is not great either," Clarke said. "The NSA can do anything overseas" without U.S. court oversight.
Famed cryptographer Bruce Schneier, an outspoken opponent of mass surveillance, said Snowden had raised awareness on the extent of privacy invasions and showed that good encryption can force spy agencies to work harder and be more targeted in their investigations.
The chaos is also encouraging companies to move toward better encryption themselves and to offer encrypted services to customers.
But former U.S. counterintelligence chief Joel Brenner said at a Thursday event away from the RSA conference that agencies would work through the legal system or use technology to circumvent any mass adoption of effective cryptography.
"That's La-La land to think that would happen," Brenner said at the "Suits and Spooks" event, which was structured as a debate, organized by consultancy Taia Global Inc.
Our Standards: The Thomson Reuters Trust Principles.
