As someone who follows both the information security industry and Major League Baseball, I've been fascinated this week by the numerous parallels between two seemingly dissimilar news events: the 2014 RSA Conference boycott and the 2014 MLB Hall of Fame voting.
For those just tuning in, a December Reuters report alleged that RSA signed a $10-million contract with the National Security Agency (NSA) to make the flawed Dual_EC_DRBG pseudorandom number generator the default in its BSAFE cryptographic library, meaning the NSA may have been able to access data encrypted using keys produced by that generator. Naturally, this has caused some to question the integrity of RSA's products (for the second time in just a few years, following the SecurID breach) and its actions.
In response to these events, some believe the best way to voice displeasure with RSA is to boycott the 2014 RSA Conference, which of course is the infosec industry's biggest annual confab. At least eight speakers have already cancelled their talks, though it's unclear how many attendees might stay home.
Over in the baseball world, the 2014 inductees to the MLB Hall of Fame (HoF) were announced this week, preceded by the usual rancorous discourse over which players are (or aren't) deserving of the honor, whether the use of (or suspicion of using) performance-enhancing drugs should affect a player's eligibility for induction, and even who should be doing the voting. These controversies were amplified this year thanks to one voter who allowed visitors to a sports website to make his picks.
While the two storylines seemingly have little in common, I have been struck by the contradictory themes they share: guilt and innocence, trust and betrayal, posturing and sincerity, and perhaps, ultimately, condemnation and forgiveness.
Baseball's steroids era has cast a sickly pallor on the would-be golden busts of so many great players. Because suspicion looms large around players like pitcher Roger Clemens and catcher Mike Piazza, even though the evidence that they used banned substances is suspect, their HoF candidacies are in serious jeopardy not because of their guilt, but because of the suspicion of guilt.
RSA also finds itself mired in the unenviable realm of guilt by association. The NSA, for all the good work it does in promoting information security best practices, has rapidly become an industry pariah in light of its deliberate efforts to undermine industry cryptography standards. Even though RSA has denied the allegations in the Reuters story, many believe the circumstantial evidence, accusing RSA of malfeasance all the same.
Both baseball and information security have devolved into a "Who do you trust?" guessing game. Without a confession or a failed drug test, it's impossible to know with certainty which baseball players cheated, but fans and writers alike banter endlessly and shamelessly about who used and who didn't, and HoF voters each have their own subjective formula for deciding which of the alleged users are worthy of induction.
In light of the NSA allegations, the question for enterprises isn't about BSAFE or SecurID, but about the company itself. Can RSA be trusted? Many have concluded it can't, and that participating in the RSA Conference is akin to letting bygones be bygones. These critics know they can't trust their governments, but they feel they should at least be able to trust their security vendors.
I think these folks have a point. Corporations like RSA exist for one reason: to make money for their shareholders. When their products, policies and even people threaten that objective, change comes quickly. While the RSA Conference operates independently from the rest of the RSA business, I have no doubt that Art Coviello and Joe Tucci will notice if the RSA Conference makes less money this year because fewer attendees are there to buy the vendor's wares, and it annoys me that some don't respect the decision to boycott.
That said, historically speaking, not showing up hasn't been an effective method of inciting societal change. From the Boston Tea Party to the Tea Party Movement and all the civil rights, anti-war and other protests in between, the best way to rally for change is through a visible, thoughtful and respectful gathering of individuals.
So I'm somewhat disappointed that those looking to send RSA a message couldn't find a better way. I would have liked to see a sidewalk sit-in outside the Moscone Center in San Francisco, or even a few hundred people wearing "BLEEP RSA!" T-shirts. Staying home is the least creative way to get RSA to increase transparency and change the way it does business with the U.S. government.
The security industry is still in the early innings of this game, and RSA is merely the latest to be called out. I can't cry "foul" against anyone who goes to bat against the governments' ongoing assault against security and privacy, but I'm still waiting for someone to hit a good, clean home run.
Eric B. Parizo is Executive Editor of SearchSecurity.