NSA Reports Sullying Vendors' Standings?

News of 'Secret Contract' Causes Damage


Whether reports that the National Security Agency entered into a secret contract with security provider RSA are true or not - and RSA says they're not - the reputations of all American security vendors have been damaged.

That's because the perception is that the NSA will do whatever it takes to identify those threatening national security, even if it means manipulating security products sold by American vendors. NSA declined to comment for this blog.


Indeed, some industry experts believe the NSA would do almost anything to achieve its goals. "The odds that this is the only one is close to zero," highly regarded cryptographer Bruce Schneier says. "That the NSA program to subvert cryptography standards had exactly one success just seems kind of implausible."

Schneier doesn't have proof of NSA subversion with other vendors, but that doesn't matter. When a noted cryptographer - especially the one who first raised in 2007 the possibility of the NSA tinkering with cryptography standards - questions how far the NSA would go to enlist vendors in bypassing encryption protections, the assumption that any product from any American vendor isn't safe from NSA meddling seems reasonable.

The news service Reuters late last week - citing two sources familiar with the supposed arrangement between the NSA and RSA - reported that RSA received $10 million to set the NSA formula as the default method for number generation in RSA's BSafe software.

No Intent to Weaken Security

RSA, in a blog posted Dec. 22, didn't address the $10 million payment, but said, "We categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."

That blog post is believable because of the perception that the NSA might have manipulated BSafe's default algorithm. The new reality facing security professionals charged with safeguarding their enterprises' digital assets is that they have no way of knowing if their vendors' products are pure because the vendors themselves may not know.

"The line of RSA being misled is the most plausible to me," says James Lewis, the cybersecurity expert at the Center for International and Strategic Studies, a Washington think tank. "Think of it as NSA shading the deal to gain an advantage in breaking the code."

There's economic fallout from these events, too. Imagine a trade war between the world's two greatest economic powers over communications and security wares.

Western leaders have encouraged their nations' governments and businesses to avoid acquiring products from Chinese communications equipment manufacturers, such as Huawei Technologies and ZTE, because of qualms that the Chinese government could manipulate them to pilfer government and trade secrets (see House Panel: 2 Chinese Firms Pose IT Security Risks). Is RSA (or perhaps other American technology and security manufacturers) any different from Huawei because of possible NSA manipulation?

Diminishing Trust

We, in the West, may see the motives of the governments differently (the Chinese seek to steal secrets; the U.S. strives to defend against terrorists and other evildoers). But that perception - there's that word again - isn't necessarily shared by others around the world. Trust in America's Internet offerings is fading fast. No wonder American tech companies want President Obama and Congress to reform government surveillance programs: NSA interference has shaken the trust of these companies' customers worldwide, which could cause many overseas to avoid buying their products and services (see Online Firms Blast NSA's Tactics).

"The U.S. government needs to recognize and account for the deep harm that it is likely inflicting on American businesses because of these surveillance efforts," says Jacob Olcott, cybersecurity principal at the security advisory firm Good Harbor Consulting.
