SAN FRANCISCO -- As a handful of token protestors stood outside the 2014 RSA Conference this week, inside, the security industry defended itself against allegations that it colluded with the National Security Agency.
In the past eight months, RSA, Google, Microsoft and other IT industry heavyweights have faced allegations that they have cooperated with the NSA to undermine the security of the Internet. RSA, the organizer of the information security industry's biggest annual event, has been foremost in the line of fire.
According to a December Reuters report, RSA received $10 million from the NSA to make a pseudo-random number generation algorithm that the agency knew to be weak the default in its Bsafe encryption product.
A number of security experts have boycotted the 2014 conference because of RSA's alleged dealings with the NSA. On Thursday, a shadow conference, dubbed TrustyCon, takes place at the Metreon adjacent to the Moscone Center, where RSA is being held. That conference quickly sold out, according to its website.
Outside of Moscone South on Tuesday morning, four protestors held up a bright pink sign made of a bedsheet declaring "RSA <3 NSA".
One of the protestors, freelance Web designer Max Hunter, said the intent of the display was to raise awareness of the RSA-NSA controversy.
"It's really just as a user of the Internet that I'm concerned about this and how it impacts our privacy," he said.
Yet the boycott has had little impact on the 2014 RSA Conference: early estimates say attendance topped 30,000 people this year, and the event expanded its exhibitor space and spread to a third building in the Moscone complex.
Attendees at RSA took a practical stance on the RSA controversy. While any vendor undermining their security to allow easier surveillance is troublesome, the conference is a critical meeting place for businesses and customers, said Scott Lewis, vice president of delivery for a Silicon Valley security startup that has not exited stealth mode.
"This is the place where we are going to meet all of our partners and customers," Lewis said. "The $10 million [potential payoff] is troublesome, but security is more important than ever, and that is why people are here."
Vendor heavyweights rail against criticism
The leaders of several top security companies at RSA Conference this week haven't been shy about shouting down allegations that they served the U.S. government's interests over those of their customers.
Saying that his firm was challenged to defend itself against criticisms swirling around social media's "140-character dialog" on the issues, Art Coviello, executive chairman of security giant RSA, spent his entire Tuesday keynote defending his company.
Coviello reminded attendees that in the 1990s, the company fought battles against the Clipper chip, an NSA-sponsored encryption device widely believed to be flawed, and efforts to undermine strong encryption in browsers. While the company worked with the NSA more recently on the security of its products, Coviello said the interactions were almost entirely with the part of the agency known as the Information Assurance Directorate (IAD), tasked with defending U.S. communications.
If the IAD departs from its mission of defending U.S. communications, it undermines the relationship between the NSA and the security industry, Coviello said.
"When or if the NSA blurs the lines between its defensive and intelligence roles, and exploits a position of trust within the security community, that is a problem," he said. "If we can't be sure which part of the NSA we are working with and what their motivations might be, then we should not work with them at all."
Coviello called for the NSA and IAD to be split, so that there is never any confusion over their contradictory missions.
Scott Charney, Microsoft's corporate vice president of trustworthy computing, argued during his keynote address that even if critics did not believe in the companies' good intentions, undermining the security of a product for a single government made no sense.
"If I put a backdoor in my products, our market cap goes from $260 billion to zero overnight -- I can't even sell in America," he said. "It's nuts; it's economic suicide."
Microsoft has had to occasionally defend itself against allegations that it allowed a backdoor to be inserted into the Windows operating system. Researchers found a registry key in the software labeled NSAKEY, which has fueled past speculation of collusion between the company and the U.S. government.
Nawaf Bitar, senior vice president and general manager of the security business unit at Juniper Networks, conducted his own version of "active defense" against critics, calling them out in a polished speech for their "first-world outrage."
"Liking a cause on Facebook is not outrage; retweeting the link is not outrage; posting a bad review is not outrage; not showing up at a conference is not outrage," he said. "These are all examples of a new American disease: first-world outrage."
He said security professionals who truly want to change the direction in which the nation is going should innovate and create great technology and policy that preserves citizens' privacy and protects information.