Some people are boycotting the RSA Conference. What is that all about?
Ostensibly, it is about the revelations made in a December story from Reuters that claimed that RSA was paid $10 million by the National Security Agency to use a flawed encryption algorithm in its BSafe product, giving the NSA a back door.
But the boycott effort is really about many other things. Things like erroneous assumptions, misguided outrage, hypocrisy, grandstanding and media hype.
It's the media hype that bothers me most really, but I'll get to that later. First, let me fill in some of the details.
The Reuters story sprang from a September report in The New York Times that said that documents leaked by former NSA contractor Edward Snowden showed that the NSA was able to implement a back door in encryption products by creating a flawed algorithm for generating random numbers. What was new in the Reuters report was the claim that in 2006, the NSA paid RSA $10 million to make that flawed algorithm the default option in its BSafe encryption product.
This alleged complicity in a spying program sparked outrage in certain quarters of the information security community. But the conspiracy theory has several holes.
First, BSafe users were free to choose other random-number generators included with the product. True, most people will never opt out of the default algorithm, but you would think the NSA would get something more for its money than just the possibility that people will deploy the algorithm with the back door.
More seriously, though, how can it be assumed that RSA adopted the flawed algorithm with full knowledge that it was flawed? The algorithm was approved by the National Institute of Standards and Technology (NIST) up until September 2013, when the flaw was discovered. Is it likely that the NSA would have volunteered the information that the algorithm provided a back door? That doesn't sound like the NSA we're familiar with.
Moreover, RSA claims that it made the algorithm in question the default random-number generator for BSafe in 2004, two years before it supposedly entered into a diabolical conspiracy with the NSA. I have not seen anyone refute RSA's claim, which shouldn't be hard to do if RSA is lying.
And to get back to the NIST, it made the algorithm in question a standard, qualifying the BSafe product for FIPS compliance. That means BSafe was deemed safe to use within critical U.S. government operations. My guess is that the U.S. government and its contractors are probably the largest segment of BSafe's customer base. Now, the NIST first had warnings about potential flaws in the algorithm in 2007, but it did not believe there was a significant concern until 2013. That means that U.S. government operations were vulnerable to attack for several years, all because of a deliberately flawed algorithm the NSA is alleged to have introduced into the market.
Some people are saying that RSA's denial of the accusations is weak. I am not sure what part of this is weak: "We also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
What I find weak are the assumptions that have given rise to the outrage surrounding the RSA conference. Just to summarize: The NSA supposedly spent $10 million to get RSA to adopt an algorithm as its default random-number generator for BSafe two years after RSA had already done that voluntarily, and then it stood by silently as other government agencies and contractors made wide use of BSafe, making themselves vulnerable to spying by other governments. And RSA was complicit in all this because somehow it knew that the NIST-approved algorithm was actually flawed.
If, despite all that, you are convinced that RSA was complicit, I have to wonder how boycotting the RSA Conference is the right response. The RSA Conference team does not decide what algorithms to include in RSA products. The conference is a completely separate profit and loss center from the products division. Boycotting the conference is a symbolic act, at best, similar to boycotting the National Park Service because you don't like the NSA's warrantless wiretapping program.
I haven't seen any of the boycotters say that they are also boycotting RSA products. Is it because boycotting the conference is more of an attention-getter? Well, yes, I think it is, but I'll get into that later.
And if you buy that RSA was complicit and therefore should be boycotted, why aren't other companies in your sights? If RSA were guilty as the boycotters charge, would that make it the worst of the worst, deserving to be the one company singled out for a boycott?
Why aren't companies like Intel, Cisco, Juniper, HP, Dell and IBM -- all of which provide the NSA with its infrastructure and provide far more active and ongoing support to intelligence collection efforts than embedding a flawed random-number generator in a relatively insignificant number of computers -- also targeted for boycotts?
Does something that RSA allegedly did eight years ago, for the paltry sum of $10 million, really compare to what countless other companies are actively doing today to support intelligence collection and analysis efforts, to the tune of hundreds of millions of dollars a year? Remember, Edward Snowden was a contractor for Dell, assisting in NSA operations in Japan, before taking a job at NSA's Hawaii facility.
And it's not just the United States and U.S.-based companies that are involved in this sort of thing. Countries including China, Germany, Iran, Israel, France and South Korea all have robust foreign intelligence-collection efforts, and they are all actively supported by a wide variety of companies. Just about every computer manufacturer in the world has received hundreds of millions of dollars for selling hardware and services to actively maintain intelligence collection and analysis activities, and they knowingly participate in these activities. Potential companies to boycott would include Siemens, Lenovo, Huawei and Mitsubishi, but there are countless others. Why don't people boycott them as well?
More importantly, are the speakers who pulled out of the RSA Conference going to refuse to speak for events held or sponsored by these organizations? Speakers can make in excess of $10,000 for private events, and I challenge them to be consistent when there is more at stake than an unpaid track session or panel late in the conference.
Perhaps the most audacious example of hypocrisy among the boycotters is the Google employee who has pulled out of the RSA Conference. Don't get me wrong; I respect Google and use many of its offerings. (And I'm not saying that Google is behind the pullout; a more senior Google employee is still speaking at the conference.) But Google's business model literally depends on compiling as much data on individuals as possible and integrating as many data sources together as possible, to such an extent that it could conceivably know more about a person than the person knows about himself. Maybe I'm crazy, but I don't think the RSA allegations can hold a candle to some of what Google has done. I mean, what would you think if the NSA sent out vans to collect data about people's home Wi-Fi networks? Google actually did that. It also found a way to learn your home Wi-Fi password. And it can track your every movement. Google's ability to compromise individual privacy certainly rivals the NSA's ability, if it doesn't outstrip it. OK, this particular boycotter might have had nothing to do with any of these invasions of privacy by Google. Sort of the way the folks who run the RSA Conference had nothing to do with the agreement between RSA and the NSA eight years ago.
I could have named that boycotter who works at Google, but I didn't, and I won't name any of the other boycotters. Why? Because I strongly suspect that the lure of getting attention has a lot to do with much of this boycott nonsense.
I'll give the folks from the Electronic Frontier Foundation and the ACLU who pulled out a pass on this. Their actions are consistent with their overall positions. But in many other cases, the grandstanding is pretty obvious.
Take the guy who runs a conference dedicated to bringing together the intelligence community and industry. Most of the speakers at that conference are former employees of intelligence agencies, who might have easily engaged in activities similar to those currently being protested. As you might expect, this guy was called a hypocrite on Twitter for sponsoring such events while protesting NSA involvement with RSA. He took the accusation as an opportunity to make a pitch for having his events coincide with BSides. For his current conference, he put out tweets advertising that he would be further speaking about his RSA boycott. I couldn't make this stuff up if I tried.
Since pulling out as a speaker at the RSA Conference, this fellow's social media presence has been a blizzard of posts about his pulling out. He provides links to his blog posts clarifying his position and links to his book and to his conference. He has not been shy about speaking to media outlets. My assessment is that this guy is getting far more attention by making himself the poster child of the boycott movement than he would have gotten as one of hundreds of RSA Conference speakers.
Yes, I said hundreds of speakers. There were 570 total speakers scheduled for the conference. That is something that has not really been mentioned in the coverage about the boycott. As of this writing, 12 speakers have pulled out. That leaves a mere 558 speakers who aren't boycotting, and there are literally thousands of experts waiting to replace those who pulled out.
So about 2% of the total number of scheduled speakers have declared that they will pull out of the RSA Conference. Maybe I shouldn't extrapolate from that, but I can't help but think that percentage roughly translates to the security community as a whole, with the majority seeing no real controversy here worthy of a boycott. But that 2% is so much more vocal than the 98%.
And this is why my biggest gripe is with the media. The media should provide perspective. Sure, publications should write about the boycott, and I have no problem with the complaints from a minority being aired publicly. But please acknowledge that it's a minority. If you read the articles from tech-focused publications and even The Wall Street Journal, you get the idea that there is a mass exodus from the conference and that the security community as a whole is in an uproar. Nothing could be further from the truth.
I have not seen any articles in the media that provide that make this clear. Take CSO Online, for example, which posted an RSA 2014 Boycott Scorecard. There's a list of those 12 boycotters, but no mention of the far more significant number of people who aren't boycotting. I won't name all of them either, but here are a few of the more prominent ones:
Gary McGraw Howard Schmidt Bruce Schneier Adam Shostack Dave Shackleford Christopher Hoff Hugh Thompson Lance Hayden Mike Murray Lance Spitzner Scott Charney Mark Weatherford Dmitri Alperovitch Rafal Los George Kurtz Kevin Poulsen Brian Krebs Steven Lipner Chris Wysopal David Mortman Gene Kim Josh Corman Marcus Ranum Matt Bishop Alan Shimel Larry Ponemon Renee Guttman John Dickson Jim Reavis John Pescatore Bret Arsenault Carolyn Wong Martin McKeay Nick Selby Gal Shpantzer Stuart McClure Mike Assante Ed Skoudis And myself, Ira Winkler
I'm leaving out the names of more than 500 other people. But a quick glance will tell you that this list is significantly longer than that other list. I guess we just haven't been vocal enough, though.
Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.
Read more about security in Computerworld's Security Topic Center.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.