The decision by several high-profile speakers to pull out of the upcoming RSA security conference in light of allegations that the information security technology company abetted the NSA in its spying efforts is fueling debate in the industry over whether the boycott is warranted or effective.
As many as eight security experts who had been scheduled to speak have said they will not attend the RSA Conference 2014, a major annual security show set this year for Feb. 24-28 in San Francisco. Their decisions stem from a report last month by Reuters that the National Security Agency paid RSA $10 million to put a weak pseudo-random-number generator (PRNG) in its BSafe encryption solution, enabling the spy agency to gain access to protected data.
That Reuters story came after The Guardian reported that the NSA was getting access to private data of users of a range of technology products. The reports were the result of documents and information from former NSA contractor Edward Snowden.
In a statement in December, officials with RSA—a division of storage giant EMC—said the company had worked with the NSA as both a vendor and within the security community with the “explicit goal … [to] strengthen commercial and government security.” However, they denied doing anything to weaken the algorithms in their products to give the NSA easy entrance into systems.
“RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use,” the statement read.
However, that wasn’t enough for some security experts, several of whom said that in light of the allegations and the lingering questions surrounding RSA’s role, they could not in good conscience speak at the conference.
In an open letter to EMC CEO Joe Tucci and Art Coviello, executive chairman of RSA, on the F-Secure blog the day after RSA’s statement came out, Mikko Hypponen, chief research officer for F-Secure, said he was pulling out of the conference. Hypponen, who had spoken at the RSA event eight other times, noted that RSA’s statement never denied the allegation that the company used a PRNG from the NSA as the default in its products in exchange for $10 million.
“I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA,” he wrote. “In fact, I’m not expecting other conference speakers to cancel. Most of your speakers are American anyway—why would they care about surveillance that’s not targeted at them but at non-Americans? Surveillance operations from the U.S. intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event.”
RSA Show Boycott Spreads in Wake of NSA Allegations
Hypponen was wrong on at least one count: Other speakers—including Americans—have pulled out of the event, something he noted as an update to his blog post.
“While I am glad to see that many other speakers have decided to cancel their appearances at RSA 2014 in protest, I don’t want to portray myself as a leader of a boycott,” he wrote. “I did what I felt I had to do. Others are making their own decisions.”
In a column on the InformationWeek site, Dave Kearns, senior analyst for European security firm Kuppinger-Cole, said the allegations in the Reuters story, coupled with the reports in 2011 of a compromise of RSA’s SecurID hardware token via a phishing attack that led to attacks on U.S. defense contractors—including Lockheed Martin and Northrop Grumman—led him to withdraw from the show.
“That a security vendor could so easily have its security breached is, at best, unfortunate,” Kearns wrote, adding that his confidence in RSA has fallen since EMC bought the company. “But taken alongside this latest set of allegations, it’s too much to ask me to swallow.”
Security analyst Jeffrey Carr also is boycotting the event, saying in his blog, Digital Dao, that RSA had violated its mission and tarnished its “illustrious history of defending the integrity of encryption against government attempts to weaken it.”
“It’s not enough to just talk about how bad this is,” Carr wrote. “RSA’s parent EMC, like every other corporation, has a Board of Directors that is answerable to its shareholders for maximizing revenue. If RSA’s customers begin canceling their contracts and/or refuse to buy RSA products, the company’s earnings will drop, and that’s the type of message that forces Boards to make changes.”
Other people pulling out of the show include Adam Langley, a software engineer with Google, and Alex Fowler, global chief of privacy for Mozilla.
Not everyone agrees with the need to boycott the RSA event. In a post on his personal blog, The OCD Diaries, Bill Brenner, a writer with CSO, said that “boycotts can be powerful tools. But they can also lead to trolling or a loss of your own voice.” Brenner said he understood the anger being directed at RSA in light of the allegations.
“Based on all the information out there—and I’ve read quite a bit of it—I’m inclined to believe RSA took money from NSA to allow a flaw into its technology,” he wrote. “I agree that this shouldn’t come as a surprise because the NSA was, after all, created for those sorts of activities. That doesn’t mean there’s no cause for anger. RSA customers rely on the company’s products to keep proprietary information safe from sinister hands. Taking money from a government agency to make spying easier is not OK.”
However, Brenner said he is going to the show, even though he, too, is angry and respects the decision of those dropping out. He argued that he goes to the conference to network with others in the security community, and that he can’t do his job without going. Besides, he wrote, “If you’re angry with RSA, isn’t it better to attend the conference and speak your mind? It’s a more powerful approach than staying home.”
The protest against RSA is not limited to speakers. The Open Web Application Security Project (OWASP) reportedly is canceling its co-marketing agreement with the show, and a board member, Eoin Keary, will not lead a scheduled discussion about secure coding, in protest. In a statement on Twitter, Keary said he may want to do the training at another security event, possibly at a BSides conference.
“Must live by my ideals as an @owasp board member,” he said in his tweet.
Fight For The Future, a digital rights group, also is hoping to convince comedian Stephen Colbert, who is scheduled to give the closing speech, to withdraw from the show. The group has created an online petition hoping to convince Colbert to cancel his talk.
“Last month, we learned that RSA accepted $10m from the NSA to stick a backdoor in one of their encryption products, and intentionally weaken the safety of the entire internet,” the petition reads. “We know you, Stephen, and we know you love a good backdoor as much as we do—but this is no laughing matter. By colluding with the NSA and covering it up, RSA has endangered all of us.”