RSA Show Boycott Spreads in Wake of NSA Allegations
Hypponen was wrong on at least one count: Other speakers—including Americans—have pulled out of the event, something he noted as an update to his blog post. "While I am glad to see that many other speakers have decided to cancel their appearances at RSA 2014 in protest, I don't want to portray myself as a leader of a boycott," he wrote. "I did what I felt I had to do. Others are making their own decisions." In a column on the InformationWeek site, Dave Kearns, senior analyst for European security firm Kuppinger-Cole, said the allegations in the Reuters story, coupled with the reports in 2011 of a compromise of RSA's SecureID hardware token via a phishing attack that led to attacks on U.S. defense contractors—including Lockheed Martin and Northrop Grumman—led him to withdraw from the show. "That a security vendor could so easily have its security breached is, at best, unfortunate," Kearns wrote, adding that his confidence in RSA has fallen since EMC bought the company. "But taken alongside this latest set of allegations, it's too much to ask me to swallow.""It's not enough to just talk about how bad this is," Carr wrote. "RSA's parent EMC, like every other corporation, has a Board of Directors that is answerable to its shareholders for maximizing revenue. If RSA's customers begin canceling their contracts and/or refuse to buy RSA products, the company's earnings will drop, and that's the type of message that forces Boards to make changes." Other people pulling out of the show include Adam Langley, a software engineer with Google, and Alex Fowler, global chief of privacy for Mozilla. Not everyone agrees with the need to boycott the RSA event. In a post on his personal blog, The OCD Diaries, Bill Brenner, a writer with CSO, said that "boycotts can be powerful tools. But they can also lead to trolling or a loss of your own voice." Brenner said he understood the anger being directed at RSA in light of the allegations. "Based on all the information out there—and I've read quite a bit of it—I'm inclined to believe RSA took money from NSA to allow a flaw into its technology," he wrote. "I agree that this shouldn't come as a surprise because the NSA was, after all, created for those sorts of activities. That doesn't mean there's no cause for anger. RSA customers rely on the company's products to keep proprietary information safe from sinister hands. Taking money from a government agency to make spying easier is not OK."
Security analyst Jeffrey Carr also is boycotting the event, saying in his blog, Digital Dao, that RSA had violated its mission and tarnished its "illustrious history of defending the integrity of encryption against government attempts to weaken it."