So You Wanna Boycott RSA Conference 2014

Disclaimer: This is my opinion. I do not speak on behalf of my employer.

Folks in the information security industry are debating whether to boycott RSA Conference 2014 to protest RSA’s reported misdeeds concerning the National Security Agency (NSA). Boycotts can be powerful tools. But they can also lead to trolling or a loss of your own voice.

One of this blog’s missions is to promote more reasonable discussion. I’ve seen how people hurt each other with words in the security industry and elsewhere, and this latest issue is no exception.

It’s a waste of energy.

Some Background

At last count, eight well-known security practitioners announced that they were skipping the upcoming RSA Conference in San Francisco because the conference’s sponsor, security vendor RSA, allegedly pocketed money from the NSA to put a faulty encryption algorithm into one of its products.

The revelation is part of the ongoing fallout of former NSA technical contractor Edward Snowden leaking details of top-secret mass-surveillance programs to the press.

In this debate on whether RSA, and by extension the NSA, did wrong, you’re either a PR-obsessed grandstander or a coward who refuses to take a stand. It just depends on which side of the discussion you fall under. Those who are boycotting the RSA conference have been accused of the former, while those who are still attending are accused of being the latter.

My Two Cents

I’m going to RSA Conference 2014.

Based on all the information out there — and I’ve read quite a bit of it — I’m inclined to believe RSA took money from NSA to allow a flaw into its technology.

I agree that this shouldn’t come as a surprise because the NSA was, after all, created for those sorts of activities. That doesn’t mean there’s no cause for anger.

RSA customers rely on the company’s products to keep proprietary information safe from sinister hands. Taking money from a government agency to make spying easier is not OK. The argument that spying on American citizens is necessary to uncover terrorist plots is rubbish. It’s the same fear-based thinking after 9-11 that led to the PATRIOT Act. That’s my opinion. To those who disagree, I mean no disrespect. Good people can disagree.

Having said all that, you would think I’d be among the boycotters. I share their anger and respect their right to protest as they see fit, as long as no one is harmed in the process. But I’m not boycotting for a few reasons:

  • I’ve never gone to RSA Conference to support RSA the company. I go to network with peers and get a better sense of what the latest security trends are.
  • I can’t do my job from the sidelines. I have to be where the action is.
  • If you’re angry with RSA, isn’t it better to attend the conference and speak your mind? It’s a more powerful approach than staying home.

I don’t claim to have all the answers. I don’t claim moral superiority. That’s simply where I stand.

On Twitter the other night, Akamai CSO Andy Ellis — my friend and boss — said, “Whether or not one agrees with the RSAC boycott, we can celebrate [the boycotters’] freedom to express anger and disappointment. We need more of that.”

Furthermore, he said, we should be able to be angry without feeling the need to ostracize those who aren’t expressing anger, and vice versa.

He’s right.

It’s OK to rage, and it’s OK to boycott. Troll if you must. That’s your right, my friends. I’m going to follow my conscience and strive for civility.

Obsessing About Snowden Blinds Us From Bigger Truths

I’ve hesitated to write about Edward Snowden, the former technical contractor for the National Security Agency (NSA) who leaked details of top-secret mass surveillance programs to the press. People see him as either a hero or a traitor, but I’ve been conflicted.

Mood music:

http://youtu.be/VRXpL8mdgpQ

I used to fear everything and wanted the government to do everything possible to keep me safe, even if it meant giving up some liberty. I eventually got past the fear and now believe we must live life to the fullest, even if it means we’re not always safe. That part of me distrusts government and considers Snowden a hero for exposing how much spying the NSA does on its own citizens.

I also write about information security for a living and have many friends in government. I’ve seen the risks they take to secure us from terrorists and online attackers and how they’ve resisted the urge to talk about what they see because they believe it would damage the greater good. Snowden used to work among them and, by doing what he did, betrayed them. That part of me thinks Snowden is a traitor. His flight from the authorities only solidified that feeling.

Yesterday I decided to take a position one way or the other. I invited friends on Facebook and Twitter to weigh in, and found that half of those who responded think he’s a hero and the other half think he’s a traitor.

But the comments made me realize that by focusing on Snowden and the NSA, we’re distracting ourselves from bigger truths.

The important thing is what this story says about many of us Americans:

  • How we get obsessed with hero worship without considering all the supposed hero’s motives. Those of us who mistrust government are quick to raise people like Snowden on a pedestal, viewing him as a brave soul who exposed government’s evil side. But when you flee and pass on government secrets to countries like Russia and China, countries far more challenged in the freedom department than the U.S., are you really heroic?
  • How we crave scapegoats because it’s easier to scowl at a scapegoat than consider how we allowed the government to spiral out of control. After 9/11, we were so scared that we willingly allowed the government to enact overreaching laws like the PATRIOT Act. We’ve been paying for it ever since.
  • How we miss the forest for the trees. The larger lesson is that we could change things if we were willing to do the work.

We need to stop the blame game and look at what we must do as Americans to change things for the better.

We must be willing to hold political leaders accountable and stop reelecting the very politicians who vote to authorize more and more government control.

We must own up to the fact that we allowed the government to head down this path. If we’re outraged about the end result, we have to reexamine how much safety we’re willing to give up in the name of liberty and push the government in whatever direction we set. Then we have to keep our eyes on the road instead of falling asleep at the wheel.

I admit all that is easier said than done. Democracy is a messy thing. Good people have a bitch of a time reaching consensus. We’re all conflicted and challenged by personal demons every day, and it can be hard to overcome those things to give better government the effort necessary. We’re all busy with family and work, which usually leaves little time for anything else.

Change is hard. But if we want it that badly, we have to work for it.
