Eight prominent security tech researchers have announced they will not attend an upcoming industry conference because it is sponsored by the RSA, the company that was revealed last month to have a $10 million contract with the US National Security Agency.
The RSA Conference has traditionally been a major security event, with 24,000 people attending in 2013. Speaking slots at the conference, which is scheduled at the end of February in San Francisco, are especially prized, with program committee chairman Hugh Thompson telling the Washington Post they are “highly competitive,” often with 2,000 submissions vying for 300 to 400 positions.
This year, however, Edward Snowden’s disclosures about invasive NSA surveillance programs have already cast a shadow over this year’s event. Reuters reported in December that RSA, one of the most influential encryption companies among customers seeking to hide their internet activity, accepted $10 million from the NSA to make an agency-authored algorithm the primary technique used to generate random numbers in an RSA encryption product.
This algorithm, dubbed the Dual Elliptic Curve, effectively gave the NSA a “backdoor” it could use to monitor users who thought they were using RSA’s product to hide from prying eyes. When Reuters published this information, RSA claimed it had never asserted it had no relationship with the intelligence community and refuted accusations that RSA intentionally weakened its own security.
The reaction among industry leaders has been swift, with an increasing number bowing out of their engagements at the conference – which will host Comedy Central host Stephen Colbert as a keynote speaker – as time goes on.
Josh Thomas of Atredis Partners said on December 22 that his “moral imperative” compelled him to cancel his scheduled talk. Chris Palmer and Adam Langely, two of the chief security experts at Google, followed suit, only to have Mikko Hyponnen do the same. Hypponen is the head research officer at F-Secure, a cybersecurity outfit based in Finland, and wrote an open letter to the heads of RSA and its parent company, EMC.
“Eventually, NSA’s random number generator was found to be flawed on purpose, in effect creating a back door,” he wrote. “You had kept on using the generator for years despite widespread speculation that NSA had backdoored it…Aptly enough, the talk I won’t be delivering at RSA 2014 was titled ‘Governments as Malware Authors.’”
After that came Chris Soghoian, the principal technologist for the American Civil Liberties Union; Electronic Frontier Foundation special counsel Marcia Hoffman; Jeffrey Carr, CEO of Taia Global security consultancy; and Mozilla’s global privacy and public policy leader Alex Fowler.
Carr, in a post on his blog, said that each person who chooses to reject the RSA is doing the right thing, however small their stature.
“Granted, I’m not Mikko Hyponnen and my talk was a mere 20 minutes on the last day of the RSA conference, but I think it’s vitally important that those of us who profoundly object to RSA’s $10 million secret contract with the NSA do more than just tweet our outrage,” he wrote. “We need to take action.”