It has long been suspected that the N.I.S.T‘s recommended Random Number Generator Algorithm which utilized a Dual EC DRBG (Deterministic Random Bit Generators) was fundamentally flawed due to the role that the NSA had played in the algorithms creation. This was originally brought up as a concern by the NIST themselves back in September when it was outed by Edward Snowden via the New York Times that the NSA was involved in creating this algorithm.
Now, it appears that the NSA had a secret $10 million contract with RSA (a division of EMC Corporation). Reuters explains that this contract was made completely in secret and covered the fact that RSA agreed to employ this fundamentally flawed algorithm into their security products in order to provide a backdoor for the NSA. This contract covered the use of the Dual EC BRBG algorithm and as a result, the RSA rolled out this algorithm broadly across their products. That is, until the revelations of September which ultimately caused RSA to recommend that their customers not use the very algorithm that they themselves employed. This theoretically resulted in many companies to have to completely re-evaluate their security infrastructure and possibly move away.
The more concerning part of this entire situation is the fact that RSA, a division of a publicly traded company was allowed to keep such a contract with the NSA secret from EMC Corporation investors. Details of such a deal existing would mean that RSA (and by extension EMC) executives put the company’s bottom line and possibly entire business at risk in order to get a $10 million government contract. Sure, being between the NSA and investors is a hard place, but it is clear to almost anyone that employing such a knowingly flawed algorithm is a risk to the company and their investors. I would not be surprised if investors sue EMC Corp. executives and the RSA executives involved with the deal for not disclosing such dangerous deals to their investors.
Sure, such a deal is ‘secret’ but at the same time, these are companies and not divisions of the government. They exist to serve their customers and shareholders not the federal government. I think that companies like IBM, who are currently being sued by their investors for not disclosing their NSA involvement will likely take a second look at how they expose their businesses to government involvement in the future.
The Reuters article about the $10 million contract was posted shortly after the market’s close, but I suspect that EMC Corporation’s liability could be significant considering the fact that RSA is so broadly used across so many large enterprises. EMC’s stock was up 2% on Friday, but I suspect that they could trade all of that back today when the markets open in New York in a few hours. Such revelations also could potentially spur more investors to question if EMC has had any other secret deals with the government with any of their other products.