On Monday night, RSA Executive Chairman Arthur W. Coviello, Jr. published an open letter to the company's customers (and press) in an effort trying to quell customer unease and anger that its two-factor token authentication security product SecurID apparently was shown to be more vulnerable than RSA implied prior to the cyber attack on defense contractor Lockheed Martin two weeks ago.
In the letter, Mr. Coviello tried to reassure RSA customers that the Lockheed attack didn't "... reflect a new threat or vulnerability in RSA SecurID technology." Translation: there is nothing to see here, so please just move along.
However, since the Lockheed Martin cyber attack may have lowered "some customers' overall risk tolerance" - translation: some RSA customers don't quite buy into RSA's rosy risk assessment of the situation - Mr.Coviello announced in his letter that for certain customers RSA would replace their security tokens. RSA is offering to:
"... replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks."
"... implement risk based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions."
For other customers, RSA is apparently still deciding whether or not it will replace their security tokens, but the company would at the very least enhance the monitoring of their use.
On Tuesday, a story in the Boston Globe reported that rival security companies have been moving since the SecurID breach in March to sow fear, uncertainty and doubt in RSA's customers in hopes to getting them to switch to their products. CA Technologies, for example, has launched a trade-in program for current SecurID customers in hopes of enticing them to switch.
The Globe story also noted that the impact of the breach may be wider than first reported. RSA has been saying that some 30,000 companies and 40 million users use SecurID. What wasn't made clear is that this apparently is the number of people who use the physical SecurID security tokens. Another 250 million people use the software-only version of the product, the Globe said.
Articles today in both the Wall Street Journal and New York Times describe a SecurID user base that is very unhappy. The WSJ article said that Mr. Coviello didn't think that RSA would need to replace all 40 million tokens, once customers "realize there is no new risk to the SecurIDs." This is a bit wishful thinking, I believe.
According to RSA, even though the breach has reduced the effectiveness of SecurIDs, customers should consider themselves still as safe as before the breach once they follow the added security measures it outlined. Not surprisingly, some customers are not buying this logic, especially since RSA apparently has not disclosed what happened in any sort of detail to allow customers to perform independent security risk assessments.
"Trust us" is not going to fly very far with customers' IT security managers who are going to be on the short end of the stick if a security breach does occur. The first question a corporate CEO is going to ask that security manager in that situation is why didn't he or she demand new SecurID tokens? Therefore, I expect a large portion of RSA SecurID customers will be or already have demanded new security tokens.
In addition, the WSJ article reports, getting new tokens to all of RSA customers who want them may take awhile. It took Lockheed Martin two weeks to replace 45,000 tokens under emergency conditions. How long will it take to replace millions?
It will be interesting to see how customers react when they are told it may be the end of the summer or longer to get new tokens. How many customers will decide that they would rather switch to another security company rather than wait?
Additionally, customers who decide to stay will be watching RSA closely to see who gets the new tokens first. Defense contractors apparently have been the highest priority, with big banks also deemed to be a high priority for token replacement. After that, who knows. Some customers, no doubt, will be unhappy when they find out that they are lower on the priority list than a competitive rival.
The New York Times article stated that up until Monday, RSA was insisting that its security tokens did not have to be replaced. The sudden switch on Monday night undercut RSA's credibility terribly, and many of its customers seem to feel that they have been left more vulnerable than they thought they were - or should have been - since the March breach.
The only good news for RSA, the Times article says, is that moving from RSA to a new security vendor is an expensive proposition. So while many RSA customers may be unhappy, they will end up remaining as customers, nevertheless. It is generating future business that may be much harder for RSA, however, given their now damaged reputation.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.