For most security companies, the leaks likely won’t change the way they forge their products and services. At least for the moment, they won't.
The corporate security industry isn’t too concerned about the threats Edward Snowden’s leaks posed to the National Security Agency's facade.
It might sound counterintuitive, but it's true. It’s not that the leaks aren’t important, or that they aren’t worth continued debate and discussion—they are, and experts in the industry have said as much. But for most security companies, the leaks likely won’t change the way they build their products and services. At least for the moment, they won't.
Over the course of a week I talked with dozens of security professionals of the tens of thousands who descended on San Francisco to attend three overlapping security conferences: RSA USA, which remains the corporate mainstay, and Security B-Sides and TrustyCon, two alt-cons. And while a lot of people I spoke with expressed concern or even outright disgust over the NSA’s activities, the vast majority said it was their customers who have changed, not the industry’s products.
If you’ve never heard of RSA, that’s no surprise. Normally it’s a little-discussed, highly technical conference for nerdy security types—which is cool, but not exactly the stuff of prime time news coverage. But amid Snowden's ongoing leaks, cybersecurity is getting far more attention, and that made this year one of the most exciting I can remember.
That’s because one of Snowden’s leaks brought RSA’s alleged $10 million deal with the NSA to light. The revelation prompted several prominent security experts to boycott RSA’s trade show (even if such a move did more harm than good), sparked a brief protest, and spawned the entirely new TrustyCon. For security geeks, this is pretty spicy stuff.
RSA got started back in 1991. It's a corporate affair, to be sure, with “booth bunnies,” pitchmen, and tons and tons of marketing crap. (Yes, the conference is mostly male-attended.) The conference’s main purpose is to connect buyers and sellers of security hardware and software, and there are also dozens of security-related talks every day that are aimed at education. After attending a few of these, however, it was clear that some of them are essentially sales pitches.
On the conference floor, most of the corporate industry types I talked with basically said that Snowden hasn’t changed much about what they actually create. Chris Gaebler from Kaspersky Lab, a Russian antivirus manufacturer, told me their product development “really hasn’t changed, and doesn’t change from year to year. We’re constantly looking for new threats." The Snowden leaks haven’t changed what their core business hopes to achieve, he said.
Enigma Machine at the NSA's RSA booth. Photo by the author.
On the other hand, Gaebler and others told me their customers have changed quite a bit in the wake of the Summer of Snowden. For example, Prakash Panjwani of SafeNet, a data protection company, told me that Snowden's leaks have made clear to customers the importance of “insider threats”—as in, people within an organization, like Snowden, accessing and distributing sensitive information—as well as the importance of data encryption.
Smaller businesses are concerned too. Gaebler told me about a San Francisco-based art gallery that became concerned enough with the possibility of credit card fraud to install protection. But the gallery ended up buying off-the-shelf software.
Andy Ellis, Akamai chief security officer, also echoed the sentiment; his customers are now having “open and honest” conversations about the importance of the Snowden leaks, but it hasn’t changed what Akamai actually produces by way of security.
Not everyone at RSA wanted to talk about Snowden, though, or how he has (or has not) changed the industry. On several occasions throughout the week, a handful of communications reps gave a typical “no comment” or only spoke about Snowden and the leaks off the record. Notably, at RSA, I got shooed away from Barracuda Networks’ booth apparently after they got wind that I was asking around about Snowden.
Of the two alt-cons, Security B-Sides was the farthest from the corporate look and feel of RSA. When I walked in—it was hosted at a dark, hot, stale-beer soaked night club in SOMA—I was handed three drink tickets, and told that I should be careful of using the public wifi. “It is a hacker conference after all,” the door guy said. (They handed out Wi-Fi Pineapple Mark V Tactical Bundles to the speakers.)
There were no booth babes at B-Sides. In fact, there were really only a few "booths." I kept hoping no one had assembled the wifi intercept kits.
Security B-Sides has an important place in the industry because it provides “community, conversation and engagement,” Jack Daniel, one of the organizers, told me. He was wearing a top hat and sported a long, gray beard—definitely not one of the clean-cut corporate types I talked with at RSA. Daniel said oftentimes the “bleeding edge” of security research ends up at B-Sides before RSA or Black Hat, another large security conference, because it’s too raw for a corporate market.
Still, some of the presenters at B-Sides didn’t want to talk about Snowden—most likely because some of them were employed by companies also presenting at RSA—but others said the Snowden leaks have splintered the community. “You can see the effects of Snowden’s disclosures, there’s a spectrum now,” said Rodrigo Bijou, an independent security expert, “There are people who are going to make money off of stopping people like him [Snowden].”
While B-Sides presents itself as the antithesis to the RSA conference, TrustyCon was probably the most articulate expression of anti-RSA sentiment. Its creation came in response to the Reuters report implicating RSA with the NSA, which spurred international media coverage, and widespread speculation about the extent to which the security industry was in bed with the government.
TrustyCon was held in a movie house adjacent to one of the facilities RSA used. Most of the day was packed with talks (viewable here), but the organizers made clear that it wasn't completely adversarial. “RSA is a little past its prime,” Alex Stamos, one of TrustyCon’s organizers, told me. “The keynote lineup, with big sponsors, it’s not all based on tech merit.” It was a success I'd say, despite RSA’s reported attempts to put the kibosh on the conference.
What the Snowden revelations did for the industry, according to Joel Wallenstrom, one of TrustyCon's organizers, was confirm what a lot of tinfoil-hat types have been speculating about for years—they’re now taken seriously. That’s a pretty big deal, because now, Wallenstrom said, everyone is thinking about security, not just the people who are focused on it. “It’s very difficult to do research that doesn’t take the Snowden revelations into account at this point,” Wallenstrom said.
He also noted that this new post-Snowden paradigm has forced the security community to create something like TrustyCon to give a voice to those who might not be heard at RSA. No wonder the conference was situated with a drone’s-eye view of the four blocks around RSA.
Of course, the NSA has been attending the show for more than a decade, so other than the Enigma machine, which was a real draw, the guys manning the booth were willing to talk about a lot of what the agency does—except, obviously, Snowden. For that, I was referred to NSA’s office of public affairs.
One thing that the NSA guys did help me out with, though, was in front of the booth. I’d heard selfies in front of the NSA booth had turned into something of a mini-meme during the conference. While my picture in front of the NSA’s booth has no particular political or ideological significance—I was there gathering the news, not making it—the two security experts, Katie Moussouris and Morgan Marquis-Boire, were making a statement of defiance and absurdity with their NSA selfie.
Moussouris told me that it was her job to defend information security “no matter the adversary.” A photograph in front of the NSA’s booth is an act that defends “the very fabric of trust,” she said, noting that trust is an issue vital to information security that “transcends borders and politics.” But, aside from now being aware of the NSA’s activities, Moussouris’ mission, while clearly more determined, sounds unchanged.
The NSA-selfie is more than just a symbol of defiance, though. It’s a potent reminder of how relationships in the security industry writ large are simultaneously interconnected and blurry—and while the products and services haven’t changed very much following Snowden's leaks about the NSA’s surveillance activity, the security community itself has changed quite a bit. That’s likely going to have an effect in the future. After all, it's these people who actually create the technology.