RSA SecurID electronic keys, via Flickr
All is not well at this year's RSA Conference. Security and privacy experts are dropping like flies from their scheduled panels.
It all started on December 20 when Reuters, working from Edward Snowden's leaked documents, reported that the NSA paid security firm RSA $10 million to incorporate a random number generating algorithm, Dual EC DRBG, into its security product BSAFE. This effectively created an NSA backdoor into a security product that was standard for a decade.
In a statement made days after the Reuters report, RSA confirmed that it had a relationship with the NSA, but denied that it had intentionally weakened BSAFE. Nevertheless, some considered this proof that the RSA was in cahoots with the NSA. Mykko Hyppönen, chief research officer at Helsinki-based security firm at F-Secure, was the first to pull out of the conference back in December. Seven others, including Mozilla's Global Privacy and Public Policy Leader Alex Fowler, later followed suit.
@mattblaze Add me; just backed out of the "Hot Topics in Privacy: A Dialog with Facebook, Google, Microsoft, Mozilla & Twitter" panel at RSA— Alex Fowler (@alexanderfowler) January 7, 2014
"I've become convinced that a public stance serves more than self-aggrandizement, so I've pulled out of the Cryptographers Panel at RSA 2014," said Chris Langely, a Google security team member, via Twitter this past Tuesday. Langely then followed that statement up with the tweet, "(I had already decided not to do it, but I pondered for a while whether I should say anything in public)."
Wouldn't it be far more interesting if these security and privacy experts didn't simply boycott the conference, but instead used their panel spots as a platform to criticize the security company instead of issuing short tweets? The boycott is a pretty sexy protest, making for good national headlines. However, confronting RSA's actions head-on at the conference would be even better. Potentially, it could create even more noise than the boycott, and produce a substantive public dialogue.
The public deserves a spirited and transparent debate about the NSA and its private sector collaborators. Doing this through 140-character statements and brief blog posts just won't suffice. Something more is required. Jeffrey Carr, CEO of Taia Global, suggested as much on his blog, writing, "I think it's vitally important that those of us who profoundly object to RSA's $10 million secret contract with the NSA do more than just tweet our outrage."
The conference's committee chairman, Hugh Thompson, also acknowledged the importance of debate. "Security has risen in the agenda of almost every company and every government in a way that we've never seen before," he said."I think that the security dialogue is more intense than it has ever been."
RSA may be shucking and jiving the Reuters accusation, but the conference isn't ducking a debate. Demanding clarification from RSA isn't counterprouctive, but neither is it forcing the company's hand. The panelists should take the fight to the conference floor. Maybe Stephen Colbert, the closing keynote speaker, will have a go at the boycott. Despite the speakers' principled stand, they deserve just a little razzing.