Disclaimer: This is my opinion. I do not speak on behalf of my employer.
Folks in the information security industry are debating whether to boycott RSA Conference 2014 to protest RSA’s reported misdeeds concerning the National Security Agency (NSA). Boycotts can be powerful tools. But they can also lead to trolling or a loss of your own voice.
Mood music:
One of this blog’s missions is to promote more reasonable discussion. I’ve seen how people hurt each other with words in the security industry and elsewhere, and this latest issue is no exception.
It’s a waste of energy.
Some Background
At last count, eight well-known security practitioners announced that they were skipping the upcoming RSA Conference in San Francisco because the conference’s sponsor, security vendor RSA, allegedly pocketed money from the NSA to put a faulty encryption algorithm into one of its products.
The revelation is part of the ongoing fallout of former NSA technical contractor Edward Snowden leaking details of top-secret mass-surveillance programs to the press.
In this debate on whether RSA, and by extension the NSA, did wrong, you’re either a PR-obsessed grandstander or a coward who refuses to take a stand. It just depends on which side of the discussion you fall on. Those who are boycotting the RSA conference have been accused of the former, while those who are still attending are accused of being the latter.
My Two Cents
I’m going to RSA Conference 2014.
Based on all the information out there — and I’ve read quite a bit of it — I’m inclined to believe RSA took money from the NSA to allow a flaw into its technology.
I agree that this shouldn’t come as a surprise because the NSA was, after all, created for those sorts of activities. That doesn’t mean there’s no cause for anger.
RSA customers rely on the company’s products to keep proprietary information safe from sinister hands. Taking money from a government agency to make spying easier is not OK. The argument that spying on American citizens is necessary to uncover terrorist plots is rubbish. It’s the same fear-based thinking after 9-11 that led to the PATRIOT Act. That’s my opinion. To those who disagree, I mean no disrespect. Good people can disagree.
Having said all that, you would think I’d be among the boycotters. I share their anger and respect their right to protest as they see fit, as long as no one is harmed in the process. But I’m not boycotting for a few reasons:
- I’ve never gone to RSA Conference to support RSA the company. I go to network with peers and get a better sense of what the latest security trends are.
- I can’t do my job from the sidelines. I have to be where the action is.
- If you’re angry with RSA, isn’t it better to attend the conference and speak your mind? It’s a more powerful approach than staying home.
I don’t claim to have all the answers. I don’t claim moral superiority. That’s simply where I stand.
On Twitter the other night, Akamai CSO Andy Ellis — my friend and boss — said, “Whether or not one agrees with the RSAC boycott, we can celebrate [the boycotters’] freedom to express anger and disappointment. We need more of that.”
Furthermore, he said, we should be able to be angry without feeling the need to ostracize those who aren’t expressing anger, and vice versa.
He’s right.
It’s OK to rage, and it’s OK to boycott. Troll if you must. That’s your right, my friends. I’m going to follow my conscience and strive for civility.
Great choice of music :-), and… great post. Well said.
I was going to blog, but you’ve articulated it better than I, Bill!
Disagreement is good, civil debate is great. It’s just sad to see people take public cheap shots at individuals because of their points of view.
I certainly agree that in a civilized world, we should be able to disagree and still get along.
I also believe that it is hard to make large corporations take notice of criticism by the average person and I’m not sure who you expect to listen while people who are angry speak their mind at the conference. I think that speakers publicly pulling out and a mostly empty convention hall would speak MUCH louder.
That being said, could not your bullet list of reasons you are attending also be addressed by attending a different conference?
It’s the exchange of money that makes this affair feel grubby; if they had done the same thing on the basis of principles and cooperating with a valid US security agency that would be far easier to swallow.
That said, I too will be attending the conference as I do believe there is a distinction between the two organisations of the “Conference” and the “Security Division”, and I also agree with you that I don’t attend these conferences to listen to RSA but to network, debate, listen and be educated by the countless other individuals in this industry.
I applaud those taking a principled stand however, although part of me thinks that there is no such thing as bad publicity and that the numbers at the conference may swell even more as a result!