On Monday night, RSAExecutive Chairman Arthur W. Coviello, Jr. published an open letter to the company's customers (and press) in an effort trying to quell customer unease and anger that its two-factor token authentication security product SecurID apparently was shown to be more vulnerable than RSA implied prior to the cyber attack on defense contractor Lockheed Martin two weeks ago.

In the letter, Mr. Coviello tried to reassure RSA customers that the Lockheed attack didn't "... reflect a new threat or vulnerability in RSA SecurID technology." Translation: there is nothing to see here, so please just move along.

However, since the Lockheed Martin cyber attack may have lowered "some customers' overall risk tolerance" - translation: some RSA customers don't quite buy into RSA's rosy risk assessment of the situation - Mr.Coviello announced in his letter that for certain customers RSA would replace their security tokens. RSA is offering to:

"... replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks."

"... implement risk based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions."

For other customers, RSA is apparently still deciding whether or not it will replace their security tokens, but the company would at the very least enhance the monitoring of their use.

On Tuesday, a story in the Boston Globe reported that rival security companies have been moving since the SecurID breach in March to sow fear, uncertainty and doubt in RSA's customers in hopes to getting them to switch to their products. CA Technologies, for example, has launched a trade-in program for current SecurID customers in hopes of enticing them to switch. 

The Globe story also noted that the impact of the breach may be wider than first reported. RSA has been saying that some 30,000 companies and 40 million users use SecurID. What wasn't made clear is that this apparently is the number of people who use the physical SecurID security tokens. Another 250 million people use the software-only version of the product, the Globe said.

Articles today in both the Wall Street Journal and New York Times describe a SecurID user base that is very unhappy. The WSJ article said that Mr. Coviello didn't think that RSA would need to replace all 40 million tokens, once customers "realize there is no new risk to the SecurIDs." This is a bit wishful thinking, I believe.

According to RSA, even though the breach has reduced the effectiveness of SecurIDs, customers should consider themselves still as safe as before the breach once they follow the added security measures it outlined. Not surprisingly, some customers are not buying this logic, especially since RSA apparently has not disclosed what happened in any sort of detail to allow customers to perform independent security risk assessments.

"Trust us" is not going to fly very far with customers' IT security managers who are going to be on the short end of the stick if a security breach does occur. The first question a corporate CEO is going to ask that security manager in that situation is why didn't he or she demand new SecurID tokens? Therefore, I expect a large portion of RSA SecurID customers will be or already have demanded new security tokens.

In addition, the WSJ article reports, getting new tokens to all of RSA customers who want them may take awhile. It took Lockheed Martin two weeks to replace 45,000 tokens under emergency conditions. How long will it take to replace millions?

It will be interesting to see how customers react when they are told it may be the end of the summer or longer to get new tokens. How many customers will decide that they would rather switch to another security company rather than wait?

Additionally, customers who decide to stay will be watching RSA closely to see who gets the new tokens first. Defense contractors apparently have been the highest priority, with big banks also deemed to be a high priority for token replacement. After that, who knows. Some customers, no doubt, will be unhappy when they find out that they are lower on the priority list than a competitive rival.

The New York Times article stated that up until Monday, RSA was insisting that its security tokens did not have to be replaced. The sudden switch on Monday night undercut RSA's credibility terribly, and many of its customers seem to feel that they have been left more vulnerable than they thought they were - or should have been - since the March breach.

The only good news for RSA, the Times article says, is that moving from RSA to a new security vendor is an expensive proposition. So while many RSA customers may be unhappy, they will end up remaining as customers, nevertheless. It is generating future business that may be much harder for RSA, however, given their now damaged reputation. 

PHOTO: iStockphoto

The Conversation (0)

Metamaterials Could Solve One of 6G’s Big Problems

There’s plenty of bandwidth available if we use reconfigurable intelligent surfaces

12 min read
An illustration depicting cellphone users at street level in a city, with wireless signals reaching them via reflecting surfaces.

Ground level in a typical urban canyon, shielded by tall buildings, will be inaccessible to some 6G frequencies. Deft placement of reconfigurable intelligent surfaces [yellow] will enable the signals to pervade these areas.

Chris Philpot

For all the tumultuous revolution in wireless technology over the past several decades, there have been a couple of constants. One is the overcrowding of radio bands, and the other is the move to escape that congestion by exploiting higher and higher frequencies. And today, as engineers roll out 5G and plan for 6G wireless, they find themselves at a crossroads: After years of designing superefficient transmitters and receivers, and of compensating for the signal losses at the end points of a radio channel, they’re beginning to realize that they are approaching the practical limits of transmitter and receiver efficiency. From now on, to get high performance as we go to higher frequencies, we will need to engineer the wireless channel itself. But how can we possibly engineer and control a wireless environment, which is determined by a host of factors, many of them random and therefore unpredictable?

Perhaps the most promising solution, right now, is to use reconfigurable intelligent surfaces. These are planar structures typically ranging in size from about 100 square centimeters to about 5 square meters or more, depending on the frequency and other factors. These surfaces use advanced substances called metamaterials to reflect and refract electromagnetic waves. Thin two-dimensional metamaterials, known as metasurfaces, can be designed to sense the local electromagnetic environment and tune the wave’s key properties, such as its amplitude, phase, and polarization, as the wave is reflected or refracted by the surface. So as the waves fall on such a surface, it can alter the incident waves’ direction so as to strengthen the channel. In fact, these metasurfaces can be programmed to make these changes dynamically, reconfiguring the signal in real time in response to changes in the wireless channel. Think of reconfigurable intelligent surfaces as the next evolution of the repeater concept.

Keep Reading ↓Show less
{"imageShortcodeIds":[]}