
RSA Breach Fallout?

Back in March 2011, it was widely reported that RSA had suffered a serious security breach that (to some extent) weakened the security of its SecurID token. However, the NY Times reported then that the chairman said that the penetration wasn’t absolute but “it could potentially reduce the effectiveness of the system in the face of a ‘broader attack.’”

That broader attack may now have happened. Press reports say that Lockheed Martin was attacked, possibly by someone exploiting the RSA penetration.

This incident reveals the dangers of companies like RSA not being open about security incidents. Many companies (and many government agencies) have long relied on SecurID tokens. Without details about the problem, though, it is unclear how they should protect themselves. Get new tokens? Change employee PINs? Firewall off the administrative servers? We don’t know—and that’s the real problem.

(I confess that it isn’t clear to me just what RSA is protecting by not revealing details of the danger. Its own reputation? That suffered a big hit in March. Its product sales? They might drop very sharply now, since it seems that even a sophisticated customer couldn’t protect itself following the breach. What attack was enabled by the stolen data? If the RSA penetration really was an “advanced persistent threat”, as they claimed at the time, the attackers certainly had the skills to discover that on their own even if they hadn’t known it already.)

The really interesting question is what the proper response is. Should companies be required to disclose problems that could adversely affect their customers? Are companies that do not make such disclosures civilly liable if harm could have been prevented by timely disclosure? If they aren’t liable, should they be? It is past time, I think, for such a discussion to take place.

By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.
