Report: $10 million NSA contract tied influential security company RSA

A $10 million National Security Agency (NSA) contract was arranged with computer security giant RSA with the goal of creating a back door into widely used encryption products, according to an exclusive Reuters report.

This comes after the Obama administration’s advisory panel criticized the NSA’s practice of undermining encryption. Previously, it was reported that the NSA and British GCHQ crack encryption and “covertly influence” companies and that encryption standards were weakened under NSA influence.

It was already revealed that the NSA created and distributed a random number generation formula that was intentionally flawed in order to create a back door into common encryption products.

Reuters also previously reported that RSA was the key distributor of the formula by placing it in “Bsafe,” a tool used to enhance computer security.

Yet the latest Reuters report published Friday reveals that “RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.”

Even before it was reported that RSA received millions in exchange for rolling out the flawed NSA formula, Reuters notes that some security experts were shocked.

RSA “had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products,” Reuters reports.

This, however, didn’t stop them from accepting what made up over one third of the yearly revenue at the relevant division of RSA in exchange for helping the NSA.

Unsurprisingly, RSA and their parent company EMC Corp, did not answer questions for the story. When the earlier reports were published, both companies urged customers to stop using the NSA formulas.

However, RSA issued a statement, saying the company “always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.”

Most of the dozen current and former employees of RSA interviewed by Reuters said the company made a mistake in agreeing to the NSA contract.

Many reportedly cited RSA’s shift away from pure cryptography products as one of the reasons it happened, though several said the company was misled by government officials.

“They did not show their true hand,” one anonymous individual briefed on the NSA-RSA deal said, referring to the NSA. The individual said that NSA officials did not say they knew how to break the encryption.

Just how accurate that is remains unknown. The NSA declined to comment for the Reuters report.