IN THE NEWS ~ Commons asked to review encryption following report NSA has back-door access

 

Published: December 23, 2013, 4:08 pm

OTTAWA — House of Commons security is being asked to review its continued use of a private encryption device amid media reports that the company that makes it took money from the National Security Agency to build in a back-door access point.

The request from the NDP caucus comes on the heels of a Reuters report that IT security company RSA made a secret deal with the NSA to weaken code in its encryption software that would grant the embattled spy agency the ability to access what users believed were secure files.

RSA received $10 million from the NSA to put the loophole in its product, Reuters reported Friday, citing two unnamed sources familiar with the deal. The report followed earlier stories from Reuters and The New York Times that the NSA created a flawed formula to generate random numbers that was then allegedly inserted into an RSA security product and gave the NSA access to multitudes of computers.

“As you are no doubt aware RSA provides encryption for the House of Commons, including RSA SecurID electronic keys,� NDP caucus chair Peter Julian wrote Monday in an official letter to Speaker of the House of Commons Andrew Scheer.

In the letter, a copy of which was obtained by Postmedia News, Julian asks Scheer to look into how much MPs and their staff rely on RSA to secure their devices, and “what steps have been taken to ensure that communication remains secure in light of this report.�

“Such a break in security has implications for the security and confidentiality of members and their staff to conduct business without being monitored by foreign governments or those who could exploit such a loophole,� Julian writes.

In a news release issued Sunday, RSA denied the Reuters report that it entered into a “secret contract� with the NSA “to incorporate a known flawed random number generator� into its devices.

“We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security,� the statement read.

“RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.�

Full text of NDP caucus chair Peter Julian’s letter to Speaker of the House of Commons Andrew Scheer:

Dear Mr. Speaker,

On Friday night, media reported that RSA, the computer security firm, had integrated a broken random number generator from the United States National Security Agency into some of its products. Reuters alleges that this was part of a $10 million payment from the NSA to the company. The NSA shares information amongst the Five Eyes signals intelligence agencies of the UK, the United States, Canada, Australia and New Zealand.

As you are no doubt aware RSA provides encryption for the House of Commons, including RSA SecureID electronic keys.

I would like to know to what extent the communications made by Members and staff of the House of Commons rely on security provided by RSA. In addition, I would like to know what steps have been taken to ensure that communication remains secure in light of this report.

Such a break in security has implications for the security and confidentiality of members and their staff to conduct business without being monitored by foreign governments or those who could exploit such a loophole.

Yours sincerely,

Peter Julian, MP

Burnaby-New Westminster

NDP Caucus Chair

 

Share this page

Constituent Resources
Attend an Event

Sign up for updates

Connect with Peter