[Full disclosure: As an industry analyst I conduct business with RSA, the security division of EMC, including white papers and recording videos of key executives and customers.]
Update Jan 12, 2014: The Guardian reports that privacy rights groups are petitioning Stephen Colbert to boycott the RSA Conference.
My reaction to the several calls that have been made by well-respected security researchers, most notably Mikko Hyppönen of F-Secure, to boycott the RSA Conference 2014 is that perhaps this is a case of misplaced anger.
Two thoughts. First, RSA Conference (RSAC) is not RSA, the security division of EMC. There is strict separation between the product company and RSAC, which is led by Alex Bender, its General Manager.
The actual operations of the conference are outsourced to nthdegree, a conference management company based in Georgia that, according to its website, handles events for 1,100 organizations and 44 of the Fortune 100 companies, including Cisco, Dell, HP, and Sprint as well as RSA/EMC.
Alex leads a small team that coordinates the call for papers, sales to sponsors (of which there appear to be 371 this year), press passes, and marketing, etc.
Jeanne Friedman, Senior Content Manager for RSAC, has been with the conference for years and told securitycurrent that she was not even familiar with RSA/EMC product offerings. She described the great pains RSAC takes to make sure the show’s content is not tainted by RSA/EMC.
There is an independent program committee of outside security industry representatives led this year by Hugh Thompson. Each track is assigned two people, typically one from the vendor community and one with a CSO role from industry, who winnow through the 1,500 submissions to make final presentation selections. (I think I received a record number of rejections this year, five, all of which were panel moderator slots submitted by PR people from various vendors.)
So directing your distaste or moral outrage over the reported decision of RSA executives to accept a $10 million payment from the NSA (to include the pseudo-random bit generator Dual_EC_DRBG as the default in BSafe, in 2004, when RSA was a stand-alone company) at a separate conference operation is perhaps misdirected.
Don’t get me wrong. I fully respect and appreciate the stand taken by Mikko, Robert Graham, Jeffrey Carr, Josh Thomas, and anyone else who feels as they do. I faced a similar decision when asked to keynote the Trusted Computing Conference this past October because of my strong concerns over the close ties between the Trusted Computing Group and the NSA. I reached out to three people whom I trust to give me good advice. They advised that the best course would be to attend and voice my concerns. I did. [Stiennon keynote at Trusted Computing Conference] And, after attending, securitycurrent published my call for the Trusted Computing Group to repudiate the NSA if it wants to survive the Snowden fallout.
My second point is that you should be enraged at the NSA’s actions: the compromise of the NIST standard, allegedly cutting secret deals with RSA to undermine its BSafe crypto libraries, working with foreign governments to spy on innocent US citizens, sharing data on US persons with foreign governments, creating a global differentiation between the privacy rights of US and non-US persons, researching and deploying backdoors in firewalls, telecom gear, and hard drives, researching and using zero-day exploits for iPhones, destroying trust in US technology vendors, persecuting privacy advocates, working with Congress and secret courts to bypass the letter and intent of the US Constitution, lying to Congressional oversight panels, and offending the leaders of just about every country outside the Five Eyes.
The IT security industry is going to counter surveillance with new products, new protocols, and new organizations dedicated to privacy and confidentiality of communications. Those of us in the United States can be vocal. We can make our voices heard. Customers of US tech companies must demand that they fully account for the security of their products. The vendors must invest in independent testing and validation of their products. They must attest to their opposition to government interference in their product designs. They must lobby Congress to curtail the surveillance state.
Presenters at RSAC 2014 should do whatever they can to educate their audiences on the implications of a surveillance state, the loss of trust, and the need for security regimes designed to keep out an adversary with 30,000 employees, a $10 billion budget, and a mission to collect everything by any means.
A final recommendation to RSAC: respectfully ask Mr. Colbert to forgo his Friday keynote and invite some of the most vocal critics of the NSA to present. Perhaps Mikko Hyppönen will relent if he is offered that opportunity.