
Strikes, fouls aplenty in 2014 RSA Conference boycott, MLB HoF vote

Executive Editor Eric B. Parizo explains why the 2014 RSA Conference boycott, like the MLB Hall of Fame voting, is driven by a crisis of conscience.

As someone who follows both the information security industry and Major League Baseball, I've been fascinated this week by the numerous parallels between two seemingly dissimilar news events: the 2014 RSA Conference boycott and the 2014 MLB Hall of Fame voting.

For those just tuning in, a December Reuters report alleged that RSA signed a $10 million contract with the National Security Agency (NSA) to make the flawed Dual_EC_DRBG pseudorandom number generator the default random number source in its BSAFE cryptographic library, meaning the NSA may have been able to recover keys generated from its output and thus read data encrypted with them. Naturally, this has caused some to question the integrity of RSA's products (for the second time in just a few years, following the SecurID breach) and its actions.

In response to these events, some believe the best way to voice displeasure with RSA is to boycott the 2014 RSA Conference, which of course is the infosec industry's biggest annual confab. At least eight speakers have already cancelled their talks, though it's unclear how many attendees might stay home.

Over in the baseball world, the 2014 inductees to the MLB Hall of Fame (HoF) were announced this week, preceded by the usual rancorous discourse over which players are (or aren't) deserving of the honor, whether the use of (or suspicion of using) performance-enhancing drugs should affect a player's eligibility for induction, and even who should be doing the voting. These controversies were amplified this year thanks to one voter who allowed visitors to a sports website to make his picks.

While the two storylines seemingly have little in common, I have been struck by the contradictory themes they share: guilt and innocence, trust and betrayal, posturing and sincerity, and perhaps, ultimately, condemnation and forgiveness.

Baseball's steroids era has cast a sickly pallor on the would-be golden busts of so many great players. Because suspicion looms large around players like pitcher Roger Clemens and catcher Mike Piazza, even though the evidence that they used banned substances is suspect, their HoF candidacies are in serious jeopardy not because of their guilt, but because of the suspicion of guilt.

RSA also finds itself mired in the unenviable realm of guilt by association. The NSA, for all the good work it does in promoting information security best practices, has rapidly become an industry pariah in light of its deliberate efforts to undermine industry cryptography standards. Even though RSA has denied the allegations in the Reuters story, many believe the circumstantial evidence, accusing RSA of malfeasance all the same.

Both baseball and information security have devolved into a "Who do you trust?" guessing game. Without a confession or a failed drug test, it's impossible to know with certainty which baseball players cheated, but fans and writers alike banter endlessly and shamelessly about who used and who didn't, and HoF voters each have their own subjective formula for deciding which of the alleged users are worthy of induction.

In light of the NSA allegations, the question for enterprises isn't about BSAFE or SecurID, but about the company itself. Can RSA be trusted? Many have concluded it can't and that participating in the RSA Conference is akin to letting bygones be bygones. They know they can't trust their governments, but they should at least be able to trust their security vendors.

I think these folks have a point. Corporations like RSA exist for one reason: to make money for their shareholders. When their products, policies and even people threaten that objective, change comes quickly. While the RSA Conference operates independently from the rest of the RSA business, I have no doubt that Art Coviello and Joe Tucci will notice if the RSA Conference makes less money this year because fewer attendees are there to buy the vendors' wares, and it annoys me that some don't respect the decision to boycott.

That said, historically speaking, not showing up hasn't been an effective method of inciting societal change. From the Boston Tea Party to the Tea Party Movement and all the civil rights, anti-war and other protests in between, the best way to rally for change is through a visible, thoughtful and respectful gathering of individuals.

So I'm somewhat disappointed that those looking to send RSA a message couldn't find a better way. I would have liked to see a sidewalk sit-in outside the Moscone Center in San Francisco, or even a few hundred people wearing "BLEEP RSA!" T-shirts. Staying home is the least creative way to get RSA to increase transparency and change the way it does business with the U.S. government.

The security industry is still in the early innings of this game, and RSA is merely the latest to be called out. I can't cry "foul" against anyone who goes to bat against governments' ongoing assault on security and privacy, but I'm still waiting for someone to hit a good, clean home run.

Eric B. Parizo is Executive Editor of SearchSecurity.

Do you plan to boycott the 2014 RSA Conference? Why or why not?
Yes, I plan to attend. To be truthful upfront, I work for EMC/IT. The RSA Conference should be renamed the Security Industry Conference, because it is way more than just RSA. Even though RSA execs get to do the initial keynotes, the show belongs to the security industry, not RSA/EMC. So, to boycott hurts the industry and some direct competitors of RSA (Symantec has their own two-factor token; they are big annual partners of the show). To me it is better to show up and voice your disappointment/anger with the company RSA.

Since EMC withdrew funding for the RSA challenge numbers in 2007, and the RSA mechanism is still in use, then the $10 million they apparently got paid by NSA to use another system (by default) might prove well spent in migrating users away from this process... Advances in computational number theory (which might just include a very efficient large factoring algorithm) are not likely to be communicated directly to EMC. So, when and if such progress is unveiled (as is eagerly anticipated) it would not only blast a massive hole in the RSA algorithm, it could conceivably sink the entire EMC business...