In the last couple of weeks Mikko Hypponen from anti-virus company F-Secure announced that he won’t be speaking at the RSA Conference in San Francisco at the end of February. His reasoning is that the company, RSA, colluded with the NSA for a fee of $10 million in order to get a weakened version of a random number generator included in the public standards, a move that makes the whole suite of encryption standards easier to crack. As Mikko points out, RSA has not admitted to this accusation, but they haven’t denied it either. So Mikko has pulled his talk and has publicly stated that as a foreigner, he doesn’t feel right supporting the conference. I understand his sentiment, I see what he’s hoping to accomplish. But I don’t think boycotting will do much, other than gain Mikko a little bit of attention short term and harm his reputation long term.
The first problem with boycotting the conference is that RSAC is, for all intents and purposes, a side company from the RSA corporation. It has its own management structure, its own bottom line, its own profit and loss reporting. And it’s only a small fraction of the overall revenue stream of the corporation. As such, any impact that boycotting the conference might have is going to be highly diluted when it reaches the management of the central corporation. Yes, at some point in a meeting it will be discussed that a speaker has withdrawn over NSA concerns, maybe even a dozen other speakers will join in a show of allegiance. But the conference organizers will simply pick from the dozens of alternative speakers of nearly equal capability and move on. Senior management might lose two or three minutes of sleep that night, but nothing more. And any impact that having a particular speaker boycott has can easily be written off as being from other, much larger changes that RSA is making to the conference layout this year.
The second problem I have is that while Mikko has stated he’ll be boycotting the RSA Conference, he’s said absolutely nothing about F-Secure boycotting. As a vendor, I know that marketing departments have to commit to the conference at least a year in advance and I’ve heard that some commit to multi-year contracts in order to get better pricing. The small booths at either end of the halls cost tens of thousands of dollars, while the big booths in the center of the floor cost the vendors several hundred thousand dollars when all is said and done. If Mikko wanted to make a statement that would really be heard, he’d have F-Secure withdraw from the RSA Conference this year and for the next few years. Except he can’t. Any vendor that’s mid-size or larger in the security field has to be at the RSA conference. In many cases, this conference is the keystone for the whole marketing effort of the year, and any talk of a boycott would be immediately quashed as an impossibility. Quite frankly, if you’re a security vendor and you don’t have a presence at RSA, you’re not really a security vendor and everyone knows it.
The third issue I have with the boycott has nothing to do with Mikko and is closely related to the vendor point; it’s become a popular meme since Mikko’s announcement for security professionals to say they’re going to boycott RSA as well. I’ll be honest, I’ve never paid to go to RSA, I’ve always had a press pass, gone as a vendor, or gone as a speaker, more than once as all three at the same time. But even if I was, the money I’d pay to go to RSA is still insignificant when you compare it to what the organization makes off of the sponsors. It would take a huge number of attendees failing to show up in order to make an impact. Given the growth rate of the conference over the last few years, it’s most likely that even a thousand people joining up in a boycott would simply lead to a flat growth rate at best. Additionally, similar to vendors, most people who are attending and have their company pay for it have already purchased their tickets and a boycott at this point would be more detrimental to them than it could be to the RSA Conference.
If you think that NSA has been behaving badly and you really want to have an impact, go to the event and talk to people at the event. If you’re a speaker, change your talk to include a slide or ten about what you believe RSA has done wrong. You might be right or you might be wrong, but you’ll have a chance to tell your story to the several hundred people in your audience. If you’re an attendee, go to the conference and talk to other attendees, tell them why you think the RSA Corporation has crossed the line and spread the word. You gain almost nothing by throwing a temper tantrum and leaving the playground. But if you attend, talk to people and raise awareness of the issues, you let others know that something isn’t right, something needs to be changed.
I wish Mikko the best, and maybe his boycott has raised awareness some. But all the people who say “Me too!” aren’t going to have an impact. They might feel better about themselves for a short period of time, but all they’re really doing is cutting themselves off from one of the biggest events in security. It’s better to attend, be social and spread your opinions than opt out and leave your voice unheard. I’m attending as a blogger, as a podcaster, as a speaker (panelist, really) and as a vendor. It would have more impact on me and my career to boycott than it ever would to the RSA corporation.
If you really want to send the RSA Corporation a message, quit buying their products and tell them why. Now that’s a message they’ll hear loud and clear.