Actions have consequences, goes the old saying, and actions taken by the security firm RSA in December have come back to haunt it this week.
Last month, it was revealed that RSA had accepted $10 million from the National Security Agency to implement an intentional cryptographic flaw, commonly called a backdoor, in one of its encryption tools. Days later, Mikko Hypponen, chief technology officer of F-Secure with decades under his belt as a security researcher, canceled his annual presentation at the American-hosted RSA Conference, to be held in San Francisco in February.
"I don't really expect your multibillion-dollar company or your multimillion-dollar conference to suffer as a result of your deals with the NSA," he said. "In fact, I'm not expecting other conference speakers to cancel."
The Finnish Hypponen cited nationality as the reason behind the cancellation of his talk but didn't expect others to follow his boycott. He didn't think American attendees would care enough to take action against an American company assisting the government in surveillance of non-American citizens.
Hypponen canceled his talk, "Governments as Malware Authors," in December. He updated his blog on January 8 to explain that he was also pulling out of a panel appearance on the security challenges in connecting previously unconnected devices to the Internet.
"I don't want to send mixed messages, so I have canceled all my appearances at RSA 2014," he said.
He said that he initially felt that the panel appearance was unconnected to his protest. He also confirmed that his company, F-Secure, would not be "speaking, sponsoring or exhibiting" at the conference.
The day before Hypponen canceled his talk in December, Josh Thomas, the "Chief Breaking Officer" at security firm Atredis, canceled his scheduled talk via Twitter.
Jeffrey Carr, another security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further. Yesterday, he publicly called for a boycott of the conference, saying that RSA had violated the trust of its customers.
"I can't imagine a worse action, short of a company's CEO getting involved in child porn," Carr told CNET. "I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it."
While many have acknowledged on Twitter that RSA the conference and RSA the company are only loosely tied entities, Carr argued that the only way to get the company to listen was to hit it where it hurts: in the wallet.
"When you look back at incidents that changed institutions of power, they weren't changed by hacking from the inside," he said. "The only way you change a company, you force the board of directors, by hitting their profits."
Carr said that he waited until this week to announce his decision because he thought that RSA had made a correctable public relations error, not an unusual mistake for the company. RSA found itself in a public relations imbroglio in 2011, when information about its SecurID authentication tokens was stolen.
When the company declined to address the NSA deal further, Carr said he was left with no choice but to cancel his presentation and advocate for a boycott.
The choice was not an easy one, he said. He was hoping that his relatively new company, Taia Global, would get a business boost from his RSA Conference session. His co-presenter, Christopher Burgess, opted to continue the presentation.
Following Carr's announcement on Monday, several other RSA regulars joined the boycott. These include privacy attorney and former Electronic Frontier Foundation lawyer Marcia Hofmann; Mozilla privacy and public policy expert Alex Fowler; American Civil Liberties Union advocate and privacy expert Christopher Soghoian; Google security expert Adam Langley; and Google Chrome security engineer Chris Palmer, bringing the total number of boycotters to eight.
RSA declined to comment for this story.
"Hopefully, this will force RSA to fire their CEO and apologize, and they can reclaim the company that RSA was in the '90s, as far as it goes toward the integrity of their encryption," Carr said.
In the 1990s, RSA was instrumental in resisting NSA pressure to give the agency built-in access to encrypted communications on personal computers via the Clipper Chip.
Given the company's stance so far, it would have to take a cancellation from a luminary like Stephen Colbert, who's delivering the opening keynote presentation this year, before Carr and the other boycotters get what they want.
Update, January 8 at 10:15 a.m. PT to reflect that F-Secure's Mikko Hypponen also canceled his panel appearance.