Art Coviello is a salesman who headed the company that bought RSA and took the name. It would be a little weird to expect him to meaningfully know what a cryptographer even is. The idea that Coviello would himself be weighing NIST against crypto eprints is pretty silly.
And, more importantly, the only important cite here is Shumow and Ferguson. Schneier didn't analyze Dual EC (he never did work in elliptic curves at all, and claimed not to trust their math); here, he's simply reporting on Shumow and Ferguson's paper, and he doesn't even say Dual EC was backdoored. Nor, for that matter, do the cites before Shumow and Ferguson.
(Before anyone jumps on my back about this: I basically shared Schneier's take on this, that Dual EC was too conspicuous to really be a backdoor, and that the right response was to ignore and never use it. I was wildly wrong about how prevalent Dual EC was --- I couldn't imagine any sane engineer adopting it, because it's slow and gross. If I'd known before the BULLRUN revelations that, for instance, every Juniper VPN box was using Dual EC, I'd have been a lot more alarmed and a lot less charitable about it. Oh well, live and learn.)
Also: I'm naturally going to sound like I'm defending RSA here, and I am not. I feel like --- I'll probably be proven wrong by this in time because we live in a fallen world --- no major company in the world would in 2021 swap out a crucial cryptographic component for one DOD was demanding while cryptographers were making noise about how janky it is. That should have been the standard in 2007 or whatever, too.
RNGs were understood to be the lynchpin of secure systems for decades, including long before 2007; and it was also widely assumed both now and then that they were one of the most common vectors for attack by the NSA.
Why RSA added Dual_EC_DRBG is easy to explain in dollars & cents: 1) RSA was literally paid to add it, and 2) most of RSA's revenue comes, directly or indirectly, through government contracts (e.g. FIPS compliance, etc).
As for why RSA insiders didn't speak up: there are mountains of scholarship explaining why people just keep their heads down. Even if you were absolutely convinced beyond a shadow of a doubt that Dual_EC_DRBG was a backdoor, intelligent people are very good at rationalizing things. Anybody who has worked at a large company, including RSA, understands that your day-to-day work and the company's business is as a practical matter <10% technical and >90% everything else (sales, profit seeking, integration, etc, etc). More importantly, if you're a company doing business in a space dominated by U.S. government requirements and processes, or even just patriotic, the NSA having a backdoor is hardly the worst thing in the world. There are amazing cryptographers in China. Even the ones who fancy themselves world citizens and above the fray of nationalism, how many do you think would stick their head out were they in a position to identify possible formal government attempts to manipulate technology?
Moreover, a backdoor doesn't necessarily mean insecure; it's not a categorical truth that any backdoor means broken security, that's just a rule of engineering thumb built on the experience that securely maintaining the keys to backdoors is supremely difficult, often more difficult than any other aspect. Nobody has yet come close to breaking Dual_EC_DRBG, AFAIU. From a purely technical perspective, Dual_EC_DRBG is still secure. The keys haven't leaked, and the algorithm remains as impenetrable as ever. At the end of the day, that's all the rationalization most people would ever need to keep their head down. The "security" of Dual_EC_DRBG is a socio-political debate, not a technical one.
I think it wasn't that long before that NSA had warned against some other crypto that was widely thought to be safe and everyone later realized that it had been a good thing.
Can it be that some people thought NSA were doing them a favour again?
I don't expect any random person to know, but why would anyone spend that much money to buy that company without doing enough due diligence to know what a cryptographer does? I don't imagine they'd be any expert in cryptanalysis, but you'd likely listen to your own cryptographers on RSA staff, right?
The Juniper backdoor was another confirmation of that IMO.
The key is selling to American government, and any entity related to it. But no, they can't mandate RSA build anything. Of course, if they refuse, they'll find another company which would, pay them lots of money, and then issue a certification requirement that only this particular backdoor algorithm is "approved" and then wait for RSA to go out of business.
NIST was evaluating dual_ec_drbg for certification for government usage, with people from NSA heavily pushing it. NIST was actively contracting out to RSA to evaluate it for weaknesses. The kicker is here: NSA then secretly paid RSA something like $10M to advocate strongly for dual_ec_drbg, behind the back of NIST. So you have one government agency spending money on a contractor, hoping for an honest expert opinion, then another government agency spending money on a contractor secretly so that the second government agency can sneak something behind the first government agency. It's insanity.
Sure, RSA should not have taken the money from NSA, but given that NIST crypto certification mostly matters to government implementations (and not to the private sector), isn't the bigger problem that NSA is happy to introduce backdoors into crypto exclusively used by other government agencies? It's traitorous.
Thomas Massie offered an amendment in the house to try to stop this. He gave a pretty good overview of the situation (he is an electrical and mechanical engineer from MIT) to the house when the amendment was brought to the floor.
https://www.govtrack.us/congress/votes/114-2015/h290
(strangely, the video has been sort of cut on cspan. It's supposed to be at 3:17:11 https://www.c-span.org/video/?326244-2/us-house-debate-fy-20... )
Maybe not within a US context, for arguably the US government gave them a mandate for this deception. But within an international context they should probably be held accountable and barred from doing business abroad (as they are essentially an agent/extension of a US intel agency).
Never going to happen, of course. Not with how that whole industry operates. But that only shows how little the whole lot of them and their industry should be trusted in the first place.
Supporting those who make us less safe is a clear signal about where your priorities lie.
So then for each standard you end up with the government equivalent of an open process where there are requests for comments, maybe a meeting or two to discuss, and trusted folks end up defining the bulk of the document with oversight from editors.
Where this breaks down is when you have the subject matter expert on crypto in government, the NSA, be interested in undermining the standards for their own specialty to serve their internal agenda.
https://spectrum.ieee.org/the-scandalous-history-of-the-last...
... In 1966, the relationship among CAG, the NSA, and the CIA went to the next level. That year, the NSA delivered to its Swiss partner an electronic enciphering system that became the basis of a CAG machine called the H-460. Introduced in 1970, the machine was a failure. However, there were bigger changes afoot at CAG: That same year, the CIA and the German Federal Intelligence Service secretly acquired CAG for US $5.75 million.
I'm surprised no one has submitted this one, actually.
— Upton Sinclair
Anyone who is capable of getting themselves made President
should on no account be allowed to do the job.
-- Douglas Adams, "The Hitchhiker's Guide to the Galaxy"
I think the RSA chief can be trusted to do what's in the best financial interest of the RSA, even when that is in contradiction of the correct thing, so long as there's plausible deniability.
I'm glad this is being brought up and not forgotten.
What do we do with it? Not many in a product development team that is interacting with other companies or organizations can meaningfully defend not using a NIST curve because it looks suspicious.