I have watched on silently from the sidelines as the "boycott RSA Conference" story has played out. Now that we are a month or so away from the conference, "where the world talks security," I just can't hold it in any longer. I really think the few outliers who have announced they are boycotting and not speaking or attending this year's RSA Conference have gotten more than their 15 minutes worth. I think the whole effort is a misplaced endeavor blaming the wrong people for the wrong transgression.
First of all, for you folks not familiar with this matter, about 9 of the over 500 speakers at this year's RSA Conference (in full disclosure I am one of those 500+ speakers) have announced they will not be attending and speaking at the conference this year. Their reasons are tied to the story of how RSA supposedly accepted a $10 million payment from the NSA for a backdoor into the RSA programs.
The first person to come out and announce their boycott was Mikko Hypponen, of F-Secure. I respected Mikko's decision. Considering he's a non-U.S. citizen, I understood his displeasure over a U.S. company working with the U.S. government to potentially gain a backdoor into other people's data. Mikko was soon joined by 8 or so other speakers of various persuasions, and so in our social media frenzied world a movement was born. Next came word that these 9 or speakers and those who support them were setting up an anti-conference across the street from RSA Conference called Trustycon. Then came word that Microsoft and Cloudflare would sponsor Trustycon.
So now I feel compelled to say, "let's stop the insanity." Boycotting the RSA Conference is not the same as not supporting or buying RSA tokens. For anyone who doesn't already know, RSA Conference is pretty much a separate entity from RSA and their token business. In fact, they work really hard to keep a "firewall" (no pun intended) between the two organizations.
Yesterday, I spoke to Hugh Thompson, program committee chairman of RSA Conference. Hugh told me that the fact is many of the people who work on RSA Conference are not in fact RSA employees at all and don't have anything to do with RSA itself. They work hard year-round making the RSA Conferences the best and biggest security conferences in the world. Dragging them into this mess, in Hugh's opinion, is just misplaced.
On top of this, RSA Conference has always prided itself on pitching a big enough tent to give everyone a bully pulpit to speak. If anyone with issues around the NSA/RSA story wanted to speak out about it, the RSA Conference folks would have been glad to give them a forum to do so. Instead, they chose to just boycott the conference.
For me, another issue is if you are going to punish RSA, what about the other companies who cooperated at some level with the NSA? Should we stop using Microsoft, Google, Apple or Facebook? Because they have done their best "Captain Renault: I'm shocked, shocked to find that gambling is going on in here!" imitations, are they immune from our wrath? For one of these companies to now go and sponsor Trustycon seems pretty nervy to me. Is it a way to sooth a guilty conscience?
I spoke to my friend Rajat Bhargava, CEO of JumpCloud, about what he thought about the RSA Conference boycott. Raj feels that if people don't want to buy RSA products because of the NSA story, that is their right to do so. There are other products (including JumpClouds) that can do the job. But to not attend the conference isn't the right response. Better to go to the conference and make your voice heard.
I agree with Raj on this one. For those people who are genuinely outraged by RSA's dealings with NSA, being a part of the conversation at RSA Conference would have been a lot more impactful. For those people who are boycotting or supporting the boycott for their own monetary gain, I think we know what that is about. I will leave it to you to decide.
How do you feel? Do you think boycotting RSA Conference is the right response?