It began with a Reuters story from Joe Menn, "Exclusive: Secret contract tied NSA and security industry pioneer," which disclosed that RSA, the crypto pioneer and security products vendor, had allegedly accepted a secret $10 million payment from the NSA to incorporate a backdoor into its BSafe crypto suite.
There is a rising tide of anger within the security community at the appalling depth and breadth of the NSA’s surveillance programs. Many technology vendors have been implicated recently, including RSA, Cisco, Juniper, Dell and hard drive manufacturers. Yet RSA is the first to be nailed with apparent direct complicity, and it is beginning to experience fallout.
Mikko Hyppönen, a security researcher highly respected worldwide and Chief Research Officer for Helsinki-based F-Secure, was the first to suggest that he would boycott the largest security industry event of the year, the RSA Conference in San Francisco in February. In an open letter to the leaders of RSA, now the security division of EMC, he stated:
“I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I’m not expecting other conference speakers to cancel. Most of your speakers are American anyway – why would they care about surveillance that’s not targeted at them but at non-Americans. Surveillance operations from the US intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event.”
Mikko’s talk was titled: “Governments as Malware Authors”
And then, on January 3rd, Jeffrey Carr, who is best known for his own event, Suits and Spooks, added his protest to Mikko’s and canceled his talk at the RSA Conference.
“Obviously, I hope that RSA and EMC’s leadership will eventually rise to the occasion and be fully transparent about what happened and why. However unless and until RSA fully addresses this apparent breach of trust, I won’t be speaking at any RSA events nor will I accept RSA as a sponsor at any future Suits and Spooks events.”
And on January 4th, Rob Graham, the outspoken founder of Errata Security, added his voice by calling for a boycott to punish security vendors for collusion with the NSA.
Although Graham did not have a speaking slot at the upcoming conference, he stated:
“I won’t be talking or attending any future conference labeled “RSA” ever.”
These three voices have certainly already affected the combined value of the upcoming RSA Conference, yet it is unlikely that the conference as a whole will suffer. Tens of thousands of security professionals will attend. Hundreds of vendors will exhibit. But the atmosphere will be tense as vendors are asked hard questions about their willingness to cooperate with the NSA, and EMC executives will be called to account.