RSA speakers and sponsors drop out over NSA allegations

News 9 Jan, 2014

Security event rocked by boycott over parent company's alleged involvement with US National Security Agency.

F-Secure has confirmed that it’s ditched plans to sponsor and exhibit its wares at next month’s RSA Conference, as the furore surrounding RSA’s alleged NSA links rumbles on.

At the last count, eight speakers booked to appear at the info-security event had cancelled their talks – including Mikko Hypponen, chief research officer at F-Secure; Chris Palmer, a Google software security engineer; and Josh Thomas, chief breaker at Atredis Partners.

This was in response to allegations made last month that EMC-owned RSA was secretly paid $10 million by the US National Security Agency to put a backdoor in its encryption software.

According to a report by Reuters, RSA accepted payments from the NSA to use a flawed random number generator, known as the Dual Elliptic Curve Deterministic Random Bit Generator, in its products.

The claims were vehemently denied by RSA in a blog post dated 22 December, where it stated: “RSA, as a company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”

Unfortunately, RSA’s denial has not cut the mustard with some members of the IT security community, prompting several speakers to pull out of the vendor’s conference next month.

The event chalked up 24,000 attendees last year, and more than 400 speakers were down to present in 2014.

Furthermore, F-Secure’s Hypponen confirmed in an open letter on his blog yesterday that his company will not speak, sponsor or exhibit at this year’s event, in light of the NSA revelations.

He was originally booked to deliver a speech and participate in an FTC panel.

“Initially, I only cancelled my talk, as I didn’t want to punish the FTC, which had nothing to do with the events I was protesting about,” he wrote.

“However, partial participation sends mixed messages. I don’t want to send mixed messages, so I have cancelled all my appearances at RSA 2014. I’m sure the FTC will understand.

“I can also confirm that F-Secure is not speaking, sponsoring or exhibiting at RSA Conference USA 2014.”

Meanwhile, Robert Graham, of researchers Errata Security, called on more speakers to boycott this year’s event, as well as the company’s products.

“It doesn’t matter how many people you convince that what the RSA did is wrong if that doesn’t change their behaviour. If everyone agrees with you, but nobody boycotts RSA’s products/services, then it sends the clear message to other corporations that there is no consequence to bad behaviour,” he wrote.

“It sends the message to other corporations that if caught, all that happens is a lot of talk and no action. And since the motto is that 'all PR is good PR,' companies see this as a good thing.”

IT Pro contacted RSA for comment on this story, but was still awaiting a response at the time of publication.

However, earlier this week, Hugh Thompson, programme committee chairman at RSA, told the Washington Post he was “disappointed” by the boycott because – despite being owned by RSA – the event is neutral.

“Security has risen in the agenda of almost every company and every government in a way that we’ve never seen before,” he said.

“I think that the security dialogue is more intense than it has ever been.”