The information security industry is at war – with itself. A civil war occurring simultaneously with the more widely publicized war against cybercrime, and whatever and whomever threatens the security of information.
Consensus says that defense is almost always at a disadvantage, of which infosec is no exception. Defense industries are almost certainly stronger if they work together, yet the cracks in our industry’s togetherness are more visible than ever before.
February will see the return of the RSA Conference to its long-time home at the Moscone Center in San Francisco. Events like RSA, Infosecurity Europe and Black Hat present a platform where we can come together as an industry. To the contrary, RSA 2014 is in danger of becoming a stage for the latest battle in the information security industry’s Civil War. Indeed, it could be argued that blood has already been shed.
Owing to accusations that RSA received $10 million from the NSA to incorporate a weakened algorithm into its security product, some industry experts, most significantly speakers, are boycotting RSA 2014.
I’ll save my thoughts on this accusation, and indeed my views on the surveillance state in light of the constantly unravelling Snowden and NSA narrative, for another time. The focus of this editorial is the boycott itself.
At the time of writing, only 12 speakers had confirmed their withdrawal from RSA. Sure, this is a significant number, and yes some of those are big names, but they only account for approximately 2–3% of the total planned speakers. Yet, the nature of their very public and vocal protest is that theirs are the only voices that get reported and thus heard. The large majority – the speakers who are choosing not to boycott – are the voices that either remain quiet or aren’t considered controversial enough for (most) press coverage.
I’m all for freedom of speech, and a great believer in peaceful protest, that’s not my issue here. My issue with this boycott is my main grievance with any war: the innocent people – or civilians – who are harmed as a consequence of combat.
Firstly, while the RSA Conference is owned by RSA, and thus EMC, I’m almost certain that the RSA Conference team have no influence over the algorithms included in their parent company’s products. So let’s take a look at who the protest actually hurts, in addition to the aforementioned.
The exhibitors: the information security vendors who are not in the middle of a controversial scandal and who pay a lot of money to have a presence at RSA to showcase their innovation and engage with the industry at large.
Next, there are the paying conference delegates who have parted with a significant amount of cash in order to be educated by the advertised industry experts.
Finally, there’s the information security industry as a whole, and the perception of an industry opening fire on itself.
The irony of the boycott, in my opinion, is that if someone is inclined to make a public political statement, there is no bigger stage to do so than at this very event. The RSA Conference provides an open venue in which to analyze and criticize the decisions of the NSA, GCHQ, or RSA itself for that matter. Is the decision to decline this stage – and thus opportunity – therefore counterproductive?
Another example of irony may be found in the boycott of one speaker in particular, a software security engineer at Google; a business entirely dependent on compiling as much data on individuals as possible. Perhaps a somewhat unconventional candidate for a boycott based primarily on privacy?
Those leading the RSA boycott last month announced the launch of their own conference, TrustyCon, in San Francisco at the same time as RSA. Interestingly the new event is sponsored by Microsoft, also a diamond sponsor of RSA 2014. Perhaps Microsoft is recognizing that this issue has divided the industry, and wants to support speakers in whichever venue they are comfortable with.
Either way, TrustyCon is another sword drawn in this Civil War in which our industry will ultimately be left wounded.
It would be remiss of me not to finish up by letting you all know that Infosecurity magazine will be exhibiting at RSA, and my team and I can be found on Booth #739 (Join us at 4pm on Tuesday 25th Feb for a drinks reception). Of course, you may also catch sight of Drew or I at BSides, or even tweeting from TrustyCon. At the end of the day, we’re here to be a voice for the industry and serve the professionals who work in it. So we’ll bring you news from wherever you want it.
| Update: |
| I have since discovered that Microsoft are no longer sponsoring TrustyCon: |