Kurt Stammberger has been to the RSA Security Conference for more years than anyone, because even though he is now the CMO at Fortscale, 25 years ago he put on the very first RSA Conference. With this year’s version attracting over 40,000 people, it seemed the perfect time to sit down with him, and talk about security, conferences, and how the FBI’s battle with Apple looks a lot like the Clipper Chip all over again.
So as we sit here on the floor of RSA 2016, I have to ask, how did all this start 25 years ago?
Stammberger: So there were a lot of security conferences out there 25 years ago, but they were not very much fun to go to. They focused mostly on government buyers, military folks, mathematicians, and cryptographers and network professionals. But they weren’t really addressing any of the other constituencies that we see as part of the computer security community today.
So back in 1991, I was employee number six at RSA and I got sent to a lot of really boring computer security conferences. And Jim Bidzos, who was my boss at the time and the CEO, really wanted to bring more of the politics and the activism and the markets into the event. So we put together an event in 1991 and we attracted about 75 people to the Hotel Sofitel in Redwood Shores and we thought it was a huge success!
And part of the thing that was interesting about it was the variety of people that were there. Sure, there were cryptographers, there were network folks, there were government employees, but there also were spooks, there were venture capitalists, bankers, and marketers and industry analysts. All these people who had never really spent time at a computer security conference before.
And it has thrived, but there is definitely a different feel to an RSA Conference…
Stammberger: One of the more fun aspects of the RSA conference – for a long time in the late ’90s, when tech conference were getting pretty tired – the RSA conference was known as one of the few technology conferences where you could have a really good time. (Editor’s note: we were seated in a booth of a company with a wine and cheese bar discussing this) And I remember the first RSA conference we held in 1991, at the end of the conference, the next day, I was presented by the hotel a truly astonishing bar bill that more than all the other expenses of the conference combined. And people tell me that the legend to this day, that loss still holds; more alcohol is served than all the other expenses involved.
It’s been a conference about building community, but also pushing people to stretch beyond the relationships they are usually comfortable with, and getting the geeks and programmers to talk to the spooks and the bankers, and getting government folks talking to people in industry solving business problems. Getting all these people together in a business context sure, but a social one as well, it’s really the secret sauce of the RSA Conference. The key is bringing all these different communities together.
So it was more than just a tech conference
Stammberger: I think at the time we didn’t quite realize we were doing something so fundamentally different. We were more interested in broadening the discussions, the issues that were critical at the time. Things like the NSA’s proposed Clipper Chip – this piece of hardware that would be built into every PC, every Mac, every cell phone – that would have an open back door for the government. So, anytime they wanted to, or when they got a warrant, they could decrypt and look at all the information on the device.
Now at the time, there was some considerable concern in the community that this would just slide right through because the standards making process is one of proposal, a public commentary period, and then it is adopted! But nobody was really paying attention to cryptography standards at the time because the cryptography industry, outside the government and banks, didn’t really exist.
So we made an issue out of it. We started putting together grassroots awareness around the impact that a standard like that would have on everyday citizens. And this was before many people were using the internet, it was still the ARPANET. So it was especially important we thought to raise the awareness, to get more constituencies commenting on what would eventually be a national standard.
And the direct result of that was that proposal was withdrawn and the Clipper Chip never went anywhere.
It’s interesting we are talking about the Clipper Chip given what is happening today with Apple and the FBI.
Stammberger: It is a little bit like deja vu all over again. It’s the intelligence communities and law enforcement (that are) not happy that they are finding it harder and harder to break into devices and communications that used to be fairly straightforward for them to tap. And the arguments that they are making now are exactly the arguments they made 23 years ago, that this isn’t about spying on citizens, this isn’t about invading privacy – this is about law enforcement, this is about stopping terrorists. But I think what a lot of activists and intellectuals at the time, very smart people, were saying that if we look at the history of these organizations when they are given these capabilities, they inevitably abuse them. And it’s not a question of if, it’s a question of when.
And there are also a few particular issues with what is happening today. When does Apple’s obligation to do free engineering work for the government stop? Basically, when can a company be compelled to do that kind of work, what are the standards by which the government makes a decision?
It’s not just an issue of privacy anymore. The government has gone beyond the security argument entirely now and are saying if you build a safe or a house of sufficient strength so we cannot knock it down, you also have to build a device that is capable of knocking it down for us. That is a very strange and legally wobbly position to take.
Is this also that governments see things differently than folks in the trade. We are more aware of hackers, black hats…
Stammberger: Yeah, exactly, the Black Hat Conference is one of my favorites. In 1995, I wanted to merge it with the RSA Conference, but that happened in an alternate universe. I still go to that show. And that’s another argument about building these backdoors into these systems. Because when you build them into systems, the governments agencies are not the only ones that find them. Other very clever people find them as well. So there are fundamental reasons for building constructs, whether physical or digital, that are inherently secure and difficult to break into.