So You Wanna Boycott RSA Conference 2014

Disclaimer: This is my opinion. I do not speak on behalf of my employer.

Folks in the information security industry are debating whether to boycott RSA Conference 2014 to protest RSA’s reported misdeeds concerning the National Security Agency (NSA). Boycotts can be powerful tools. But they can also lead to trolling or a loss of your own voice.

One of this blog’s missions is to promote more reasonable discussion. I’ve seen how people hurt each other with words in the security industry and elsewhere, and this latest issue is no exception.

It’s a waste of energy.

Some Background

At last count, eight well-known security practitioners announced that they were skipping the upcoming RSA Conference in San Francisco because the conference’s sponsor, security vendor RSA, allegedly pocketed money from the NSA to put a faulty encryption algorithm into one of its products.

The revelation is part of the ongoing fallout of former NSA technical contractor Edward Snowden leaking details of top-secret mass-surveillance programs to the press.

In this debate on whether RSA, and by extension the NSA, did wrong, you’re either a PR-obsessed grandstander or a coward who refuses to take a stand. It just depends on which side of the discussion you fall under. Those who are boycotting the RSA conference have been accused of the former, while those who are still attending are accused of being the latter.

My Two Cents

I’m going to RSA Conference 2014.

Based on all the information out there — and I’ve read quite a bit of it — I’m inclined to believe RSA took money from NSA to allow a flaw into its technology.

I agree that this shouldn’t come as a surprise because the NSA was, after all, created for those sorts of activities. That doesn’t mean there’s no cause for anger.

RSA customers rely on the company’s products to keep proprietary information safe from sinister hands. Taking money from a government agency to make spying easier is not OK. The argument that spying on American citizens is necessary to uncover terrorist plots is rubbish. It’s the same fear-based thinking after 9-11 that led to the PATRIOT Act. That’s my opinion. To those who disagree, I mean no disrespect. Good people can disagree.

Having said all that, you would think I’d be among the boycotters. I share their anger and respect their right to protest as they see fit, as long as no one is harmed in the process. But I’m not boycotting for a few reasons:

  • I’ve never gone to RSA Conference to support RSA the company. I go to network with peers and get a better sense of what the latest security trends are.
  • I can’t do my job from the sidelines. I have to be where the action is.
  • If you’re angry with RSA, isn’t it better to attend the conference and speak your mind? It’s a more powerful approach than staying home.

I don’t claim to have all the answers. I don’t claim moral superiority. That’s simply where I stand.

On Twitter the other night, Akamai CSO Andy Ellis — my friend and boss — said, “Whether or not one agrees with the RSAC boycott, we can celebrate [the boycotters’] freedom to express anger and disappointment. We need more of that.”

Furthermore, he said, we should be able to be angry without feeling the need to ostracize those who aren’t expressing anger, and vice versa.

He’s right.

It’s OK to rage, and it’s OK to boycott. Troll if you must. That’s your right, my friends. I’m going to follow my conscience and strive for civility.
