RSA Conference is the largest annual information security industry conference, held primarily in San Francisco. Named after RSA Security (the company founded by the inventors of the RSA public-key cryptosystem), the conference brings together security practitioners, vendors, researchers, and executives for a combination of technical sessions, vendor exhibitions, and policy discussions. Schneier is a frequent and prominent speaker whose presentations regularly challenge industry complacency and market-driven security thinking.
Conference Context
RSA Conference emerged from the cryptographic research community in the early 1990s but grew rapidly into the primary gathering of the commercial information security industry. Its dual character — a serious technical research track alongside a massive vendor expo — mirrors a tension Schneier has analyzed throughout his career: the gap between security as practiced by experts applying a security mindset and security as marketed by vendors optimizing for perception and sales.
Schneier's relationship to the conference is one of productive tension. He speaks there regularly and reaches an audience of security professionals who work within the commercial and corporate structures he often critiques. His presentations have introduced and popularized concepts including security theater, security economics, and hacking as systems subversion to practitioner audiences who would not otherwise encounter academic or policy-oriented analysis.
The 2014 Boycott Controversy
In 2014, following the Snowden revelations and the disclosure that RSA Security had accepted $10 million from the NSA to make the compromised Dual EC DRBG random number generator the default in its BSAFE security toolkit, a number of security researchers announced boycotts of RSA Conference. The controversy directly intersected Schneier's core themes: the NSA's corruption of cryptographic standards, the misalignment of commercial security vendors' interests with actual security, and the trust-framework implications of a major security company acting against its customers' security interests.
Schneier wrote about the controversy on the Schneier on Security blog, analyzing the RSA Security payment as an instance of the same structural problem he had identified in Data and Goliath: powerful institutions — in this case a government intelligence agency — exploiting their position to subvert the security infrastructure that everyone else relies on. The conference as an institution was distinct from RSA Security as a company, but the naming overlap made the controversy unusually vivid.
Function in the Security Ecosystem
For the security community, RSA Conference functions as the industry's annual checkpoint: the venue where the past year's major incidents and the next year's emerging threats are analyzed, where vendor announcements are made, and where the practitioner community maintains professional relationships across company boundaries. Schneier's consistent presence at the conference — whether speaking, participating in panels, or being prominently discussed in his absence during controversy years — reflects his standing as the field's most recognized public intellectual.
His RSA Conference keynotes and presentations, often archived on the Schneier on Security blog, function as applied demonstrations of the security mindset: taking the current landscape of threats, policies, and security products and analyzing them through the frameworks developed across Applied Cryptography, Secrets and Lies, and subsequent works.