The news that RSA, the security division of EMC, has acknowledged that information stolen from its network was used to carry out a cyber attack against Lockheed Martin and is to replace all of the 40 million SecurID hardware tokens in existence is a big setback for the IT security industry.
This incident shows that there is a very strong business case for sustained and planned investment in security. By my estimates this breach is going to cost RSA a minimum of $400M to replace 40 million tokens. This is not just bad news for RSA Security – it paints the rest of the IT security industry in a bad light.
I put the fault squarely on the senior management of EMC for treating the SecurID division as a cash cow that received little to no investment after RSA was acquired by EMC. A quick review of the SecurID products show that the SecurID product line has languished in innovation and development investment since the takeover.
EMC is guilty of milking the RSA cow dry, neglecting it, getting it sick, and then selling the tainted beef. The tragedy is that had they provided just a little bit of food and care to the cow, they could still be receiving milk and have a healthy cow today.
The RSA SecurID scenario is a testament to the consequences of greed and outsourcing exhibited by EMC senior management, who, in their single minded wish to maximize profitability, neglected to provide sufficient resources and domestic talent to keep their company healthy and competitive. The management of RSA and EMC did exactly what they were incentivized for: maximize shareholder equity with minimal concerns for the wellbeing of their customers, partners or society at large.
I have a hint for Art Coviello – maybe he should now consider spending some money on Research & Development (R&D) and product management in Bedford, MA instead of moving everything off-shore and outsourcing the rest. RSA actually has some amazing talent in the Boston area, they just don’t work cheaply and now we can see what “cheap” has produced.
Some of us have been arguing against this short-term approach and for investment in both R&D and people and against management fads like outsourcing for its own sake for years. I take no pleasure in these disasters but we can prevent them with care and foresight.
In March this year RSA announced that attackers managed to penetrate its network and accessed information related to SecurID, its two-factor authentication solution. At the time the company provided very little information about the incident and the size of the breach – this silence attracted strong criticism from the information security community.