36 Crosby Drive
RSA Security, the most trusted name in e-security, helps organizations build secure, trusted foundations for e-business through its RSA SecurID two-factor authentication, RSA BSAFE encryption, and RSA Keon digital certificate management systems. With approximately one billion RSA BSAFE-enabled applications in use worldwide, more than eight million RSA SecurID users, and almost 20 years of industry experience, RSA Security has the proven leadership and innovative technology to address the changing security needs of e-business and bring trust to the new online economy.
RSA Security Inc. develops, manufactures, and distributes a wide range of security equipment and software. RSA's BSAFE public-key encryption software has been the de facto industry standard for data protection for over a decade. The firm's SecurID authentication systems use tokens and smart cards to guarantee that only authorized individuals can gain access to buildings and computer networks. Its Keon public key infrastructure software provides business with the means to produce private and legally binding electronic communications and transactions.
Technology Origins and Company Start-Up
The discoveries behind RSA's most important technological breakthroughs were made possible in the mid-1970s. Computer scientists were concerned then about finding a secure way to encrypt data, that is to reduce data to an unreadable code in order to prevent unauthorized persons from having access to it. At the time only one type of encryption had been developed, single-key encryption. In a single-key system, a single mathematical formula or key was used both to encode and decode. If an encrypted email were sent using a single-code technology, both the sender and the receiver would have to know the same mathematical key. If the sender wanted to send encrypted email to a number of recipients, all of them would have to know the key. The more widespread the key was, of course, the more likely it would fall into the hands of someone would who should not have it. Once it fell into the wrong hands, the key was all but useless.
Scientists at Stanford University proposed a solution to the problem in 1976. The theory, called public-key encryption, was perfected a year later by Ronald Rivest, Adi Shamir, and Leonard Adleman, three students at MIT. Their system used a mathematical formula to generate two related keys: the private-key was known only by a single individual, call him John Doe; the public-key was freely available to anyone who wanted it. Each key was a one-way key and was useless without the other. For example, the public key was used to encode data being sent to Doe, but only Doe's private key could be used to read the data. Since he was the only one who knew it, or had to know it, chances were much slimmer that it would become known to persons who should not have it. Doe could also use the private key to encode messages which could be opened using his public key. Because only Doe was in possession of the private key, such messages bore a kind of electronic signature, guaranteeing that it was Doe who sent them.
Rivest, Shamir, and Adleman obtained a patent through MIT for their development, and in 1982 they set up a company in Adleman's apartment. It was called RSA Data Security, the name an acronym formed by the partners' initials. Unfortunately, RSA encryption was performed using sophisticated and complex mathematics. Most computers in the 1980s were simply not powerful enough to perform the calculations quickly, and soon the company was facing bankruptcy. In 1986, Jim Bidzos, a Florida businessman, was hired to save the Silicon Valley business. Bidzos lived and breathed business, and it wasn't long before he started getting results. Lotus Development bought a license for its Lotus Notes in 1987. Motorola, Apple, and Novell would soon follow. By 1988 the turnaround was in full swing. That year Rupert Murdoch made a multi-million dollar offer to buy the company. Murdoch and Bidzos were unable to agree on a price and, in the end, the deal collapsed.
Attempts to Impose Government Control in the 1980s
As more and more of the economy began to depend on computers to conduct daily affairs, data security became an increasingly pertinent issue. Bidzos hoped to make RSA's software the standard for encryption in the Untied States and the rest of the world. It would prove to be an up and down game that lasted years, but it was a game Jim Bidzos was uniquely qualified to play. A major milestone was achieved in February 1989 when the technical committee at a large but obscure government/academic computer network called Internet designated RSA to certify encryption keys for its members. Two months later Digital Equipment Corp. and RSA forged a strategic alliance in which they agreed to share technology. Perhaps most significant was a Defense Department license of RSA encryption software taken out in February 1990. The contract was not merely an acknowledgment of the power of RSA's technology, it also seemed to open the door to acceptance of the RSA standard by the entire federal government and the 300,000 companies that did business with it.
Hopes that the rest of the government would follow the Defense Department's example were premature however. In 1990, the National Security Agency (NSA), one of the most powerful and secretive bodies in the U.S. government, started to flex its muscle against RSA. One of NSA's most important tasks is the interception and decoding of encoded transmissions sent by foreign governments and spies. NSA opposed the spread of RSA software on national security grounds. The software's level of sophistication was so high its codes were virtually unbreakable, even by the government's own codebreakers. The Federal Bureau of Investigation (FBI) joined its voice in opposition, maintaining that it would not be able to monitor the activity of terrorists and criminals in the United States who had access to RSA encryption. Under the influence of the NSA and the FBI, the government established as its position that any public-key encryption system should include a third key--one the government could use to gain access to encoded data and data transmissions. The NSA and FBI also urged the government to impose tight restrictions on the dissemination of the software at home and abroad.
RSA claimed that NSA interest in blocking the spread of its technology dated back to 1982, when the firm was first founded. The Commerce Department had expressed interest in adopting RSA encryption as the standard for public-key cryptography in the United States. At the request of Commerce, RSA submitted technical information but never heard back from the government. According to the Wall Street Journal, it was NSA that persuaded the Commerce Department to cut its ties with RSA.
NSA came out again against government acceptance of RSA software in the early 1990s. Jim Bidzos told Fortune about a deal he had with a major software manufacturer that NSA wanted to kill--until Bidzos threatened to go to the New York Times and his congressman with the full details. The agency backed down. A few months later, RSA announced a contract with Microsoft. Bidzos seemed to relish going head-to-head with the government. When the government was putting together its alternative to RSA, an encryption package called DSS, it hesitated to pay a $2 million licensing fee to the German holder of a key patent. Bidzos zoomed in. Within an afternoon's time, he persuaded the man to accept a royalty package from RSA. Bidzos killed two birds with that deal: RSA got a key technology, and he blocked the government's access to technology they needed for their alternate encryption package.
Bidzos was outspokenly opposed to any government attempt to control encryption technology. In 1993, when the government released the "Clipper Chip," its approved encryption scheme that would give government access to all coded voice and data transmissions, Bidzos mounted a campaign calling on business to reject any system with "Big Brother inside." Most in the computer industry believed that the government's efforts to block acceptance of RSA software were futile anyway. For one thing, because RSA's most important patent was not enforceable outside the United States, foreign companies could use it to develop their own public-key packages, which would provide encryption just as impermeable to NSA and other government snoops as RSA's. Rather than blocking the spread of effective encryption technology, the computer industry felt the government's actions would simply rob the initiative from U.S. firms and give it to foreign companies.
Early 1990s Acceptance by American Computer Industry
If it still wasn't the official standard, by 1993 RSA's technology was the de facto standard for the American computer industry. Every major computer manufacturer had licensed it. In January 1994, following a conference on data security organized by RSA, a group of leading firms that included Apple, Novell, Lotus, Microsoft, Sun Microsystems, Digital Equipment, Hewlett Packard, National Semiconductor, General Magic, the Bankers Trust Company, and a consortium of five cellular data companies, defied the government by rejecting the Clipper Chip outright and formally adopting RSA's software as their encryption package of choice. There was good reason the industry to embrace RSA. It's products were able to operate in many computer environments; the company's reputation was unassailable--no weak spots had been discovered in RSA's encryption; finally, RSA held all the important encryption patents.
RSA was the victim of an act of industrial espionage in 1994. An unidentified individual posted the code for firm's software on the Internet. The suspected culprits called themselves the Cypherpunks, an online group opposed to government control of encryption technology. The Cypherpunks had also been engaged in a running feud with RSA, whom they accused of monopolistic behavior that interfered with the dissemination of encryption software. RSA immediately announced that the disclosure did not in any way compromise the security of systems protected by RSA software. Bidzos portrayed it primarily as an infringement of the firm's intellectual property rights and promised to prosecute the offenders. Some analysts believed the affair could have a negative financial impact on RSA. Others, however, speculated the disclosure could have a positive effect. The publication of the code would prove once and for all that RSA systems included no so-called trapdoors that would allow the government to eavesdrop on private communications.
Export restrictions, instigated and enforced by the NSA, were relaxed in 1992 by the first Bush administration. RSA was not allowed to ship its most powerful software abroad, but its less powerful, 40-bit systems, specifically the RC2 and RC4, were exempted from controls. Three and a half years later, in February 1996, Jim Bidzos began testing government export regulations. He organized RSA subsidiaries in the People's Republic of China and in Japan to develop programs more powerful than those permitted under NSA restrictions. For example, the Chinese firm, organized in collaboration with the Chinese Ministry of Foreign Trade and Economic Cooperation and its Academy of Sciences, was given the NSA-approved 40-bit software, but was expected to develop new encryption software from it on their own. Bidzos said RSA in the United States would further develop any promising leads developed in China. The Japanese deal involved RSA cooperation with Nippon Telephone & Telegraph Corporation on the development of powerful new encryption chips, chips that RSA was not permitted to sell directly to a Japanese company.
In the mid-1990s, RSA was still a privately owned company. It had been an attractive takeover target ever since Rupert Murdoch tried to buy it in the 1980s--between 1992 and 1994, Bidzos had received no fewer than five written offers. In 1996, as the dot-com IPO frenzy was getting underway on Wall Street, investors felt that RSA with its widely accepted technology and a roster of high-powered clients was a natural for a public offering.
Mid-1990s Acquisition by Boston Firm
Hence, it came as a great surprise on Wall Street in April 1996 when RSA let itself be acquired by Security Dynamics Technologies, Inc., a small, relatively unknown computer security firm in the Boston, Massachusetts, area. Security Dynamics had earned $34 million in 1995 producing credit-card sized devices known as smart cards that controlled access to computers and computer networks, as well as to buildings. The firm was founded in 1984 and went public in 1994. Security Dynamics CEO Charles Stuckey first initiated talks with RSA in 1995 about the possibility of licensing its encryption technology. Stuckey eventually came to believe that Security Dynamics needed a line of encryption products of its own, and RSA fit the bill perfectly. The idea of an acquisition by the Boston firm was attractive to Bidzos because of the synergies their complementary product lines were likely to generate, as well as the fact that Security Dynamics would not be perceived as a rival to RSA'a other licensees.
Security Dynamics paid out four million shares of stock to RSA's three stockholders. Investors considered the deal a bargain for Security Dynamics, and they showed it with their pocketbooks, sending the firm's share value soaring over $13 to $49.62. Based on that price, the company had paid $251 million for RSA, more than 20 times its 1995 earnings. With e-commerce on the verge of exploding, the deal looked even better considering that RSA seemed to hold the key to secure transactions. Although Security Dynamics was headquartered in Massachusetts, RSA remained based in California.
RSA Data Security opened another foreign subsidiary in January 1999. RSA Data Security Australia was established in Brisbane to develop encryption software which the company planned to market internationally. It hired two Australian researchers to work on technology compatible with RSA's existing line. Critics postulated that the establishment of RSA Data Security Australia in Brisbane was another ploy to evade U.S. export regulations. However, the deal was concluded after only months of negotiations with the Commerce Department over its provisions. In the end, the government okayed RSA's activity in Australia, as long as no U.S. workers or U.S. technology were involved.
RSA Data Security's Jim Bidzos was a marketing genius who knew how to generate the maximum positive publicity for his company and his products. One example was the regular conferences on computer security of the sort that bred the computer industry's rejection of the Clipper Chip. Another was the RSA's DES Challenge, held regularly in the late 1990s, whose purpose was to show up the flaws in the DES encryption standard that the Clinton administration was promoting. In the form advocated by the government, DES utilized a 56-bit system which meant the numerical keys it generated were fifty digits in length. By contrast the keys used on RSA's most powerful systems used keys of 100 digits or more. The difference, according to Bidzos, was that every time another digit was added to a key, the code became twice as difficult to break. In the DES Challenge, cash awards were given to the contestant who was able to most quickly decode a bit of data coded in DES. In 1997, it took 96 days to crack the test message; in 1998, 41 days; finally, the time fell to just 56 hours. The competitions succeeded in demonstrating the ultimate weakness of the 56-bit standard and resulted in endorsements from computer trade associations in favor of standardizing more powerful systems like RSA's.
RSA and its nominal parent Security Dynamics offered their first joint line of products, the Keon product group, in June 1999. Keon included a Web-based certificate server. Just three months later, Security Dynamics took the name of its California subsidiary, becoming RSA Security Inc. The new name reflected a compete restructuring of the two companies' management that had taken place at the firm, essentially uniting RSA and Security Dynamics as a single company. That company had 800 workers spread through California, Massachusetts, and an office in Sweden. Its revenues in September 1999 were up 21 percent over the previous year.
A battle for patents that Security Dynamics had brought to RSA Security Inc. erupted in February 2000. Kenneth Weiss, who had founded Security Dynamics in 1984, left in 1996 after internal disagreements with other board members. He claimed that under the terms of his employment contract with Security Dynamics he was entitled to the return of patents that were not being commercially exploited by the company. He demanded the return of up to ten patents for security techniques for data compression, data encryption, and biometric identification. Weiss requested that the claim go to arbitration. As of fall 2001, the question had not been settled.
RSA released the code to its most important encryption patent two weeks before it was scheduled to pass into the public domain. The 1983 patent, held by the Massachusetts Institute of Technology and licensed to RSA, made RSA the unquestioned leader of the American encryption field for two decades. With the expiration of its patents, RSA's encryption software suddenly faced competition from domestic and foreign companies. The company believed that its strong customer base and new technology in development would enable it to maintain its position of leadership in the data security field. Lost licensing fees would not hurt the firm's bottom line greatly. Of $218 million in 1999 revenues, royalties made up only $550,000 or so.
RSA Security saw its business slow to a trickle in the wake of the September 11, 2001 attacks on the World Trade Center and Pentagon. Orders to the firm were cut back significantly, taking a bite of about $15 million from revenues. A stock buy-back plan backfired on the company around the same time when the slowing business caused its share price to plunge. They had fallen to $10.90 from the year's high of $44.33. RSA expected to have to pay out about $43 million in stock options it had sold as part of the buy-back scheme.
Principal Subsidiaries: RSA Australia; RSA Japan, Xcert International, Inc.
Principal Divisions: RSA Capital.
Principal Competitors: Check Point Software Technologies Ltd.; Network Associates, Inc.; Secure Computing Corporation.