Background

According to an item contributed by Security Bsides to Infosec Island

We[1] received an initially overwhelming response from sponsors but were notified[2] that contractually companies that sponsor RSA cannot sponsor another event in a 5 mile radius. If RSA enforces this contract with their sponsors we could lose 90% of sponsorship dollars. This means that the potentially 500 attendees registered for BSidesSF (juxtaposed against a probable 15,000 at RSA) may not have an event in a few weeks.

The issue appears to revolve around the “Competing Events” section of the sponsorship/exhibitor contract used by the RSA Conference, which says

During the period from February 27-March 2, 2012, Company shall not independently reserve space or otherwise sponsor or host an event within five (5) miles of the Exhibition for the purpose of holding a hospitality suite, seminar or any other promotional or educational activity without the prior written consent of RSA Conference, which consent shall not be unreasonably withheld. Company acknowledges and agrees that events that conflict with previously scheduled RSA Conference activities shall be one reason RSA Conference to withhold such consent.

The second sentence is particularly interesting, since it suggests that events which “conflict” are inherently “competing”.

This is the crux of the matter: The RSA Conference seems to view BSidesSF as a competitor, while many in the infosec community view it as a complement, or as an entirely unrelated beast.

Comparison to BlackHat

The B-Sides phenomenon began in 2009 in relation not to the RSA Conference, but to BlackHat USA:

BSides was born out of a number of rejections to the CFP for Black Hat USA 2009. A number of quality speakers were rejected, not due to lack of quality but lack of space and time. Any constrained system must operate within the bounds to which it has defined itself. Conferences constrain themselves to the eight hours a day for however many days they run. Our goal is to provide people with options by removing those barriers and providing more options for speakers, topics, and events.

Bsides’s History, Securitybsides.com

I interpret this to mean that at its genesis, BSides thought of itself as a direct alternative to Black Hat – the presenters could as well have been presenters at BH, indeed they tried to be. However, because only so many slots were available, others were selected, and BSides as an alternative venue was born. Indeed, to the extent that presenters attract a similar audience irrespective of the venue at which they present within a given locality, BSides is not merely an alternative to Black Hat for speakers, but is a direct competitor for attendees.

In evaluating the RSA Conference’s stance, then, it might be instructive to look at the agreement BlackHat uses. The relevant section of the Black Hat USA 2011 Contract states

Exhibitor agrees that it may not use any Organizer event to leverage any other event in which Exhibitor is a sponsor or participant, and therefore agrees that it may not may not[sic] promote its products or organization within 500 yards of any Event locations, except (i) in advertising contained in periodicals or similar regularly published media or (ii) as permitted by this contract or by UBM in writing. In the interest of the success of the Event, Exhibitor agrees not to extend invitations, call meetings or otherwise encourage absence of exhibitors or invited guests from the Event or Event Facility during the official hours of the Event or any function sponsored in connection with the Event by Organizer or its official sponsors.

By my reading, Black Hat’s contract terms are more equitable. The contract seeks to prohibit product promotion within 500 yards, not 5 miles, and to restrict only actions that “encourage absence” from its event. This interpretation may be somewhat generous to Black Hat, since there is no distance qualifier to the “encourage absence” variety of the prohibition against “leverag[ing] any other event”.

So, to summarize so far, we have RSA looking to restrain competing, or perhaps only conflicting, events within a 5 mile radius, and Black Hat looking to restrain others who seek to “leverage” Black Hat for their own benefit, whether they do so by unapproved promotion within 1500 feet of the event, or encouraging absence anywhere.

What’s this all about?

Since I feel myself getting neck deep in the weeds on this, let me take a step back and discuss what I think motivates contractual terms like these.

A conference organizer expends significant resources, sometimes making commitments years in advance, to build an event the success of which depends on attendance. The more participants, the better. Indeed, as any RSA, BH, or Defcon attendee will agree, these events also create a network effect. Since conference organizers seek to maximize aggregate attendee benefit (either to capture it in the form of ticket pricing, or just “to help the community”), they must defend the network effect and confront threats to attendance. Contractual terms are one way to do these things, where the threats come from the event’s own participants.

So, why would a sponsor or exhibitor threaten an event they are paying to be at? Don’t they realize they are undercutting themselves?

In a word, no. There are a couple of explanations for this. First, they may be hedging. Sure, RSA is very very likely to be a great conference, with tons of attendees with checkbooks in hand. However, there’s a very slim chance it’ll totally suck. By investing a small amount in an alternative that stands to do well if RSA does poorly, an exhibitor can partially protect against this very undesirable outcome.

Second, there is heterogeneity among sponsors/exhibitors and among their customers. A firm looking to maximize the “impressions” it makes with a finite budget may be better off sponsoring BSides with the money it otherwise could have used to buy a larger booth at RSA. A second firm may do better with the bigger booth.

From a purely selfish perspective, RSA may want to ban hedging. Whether it is in their interest to do so depends on how many exhibitors would elect not to exhibit because, absent the hedge, RSA is too risky. I suspect this is very very few firms, and that the organizers do not really care about this.

But do they care about the second, and likely much more relevant, tactic? In numeric terms, it’s hard to see why they would. The RSA people (unhelpfully) do not provide attendance figures, but 2005 is reported to have had 11,000 registered attendees and 275 vendors, with a trade report showing an estimate of 17,000 attendees and 325 vendors for 2012. Meanwhile, last year’s BSidesSF had about 20 sponsors and 400 attendees (I believe that that last figure is from a source whose company at the time was both sponsoring BSides and exhibiting at RSA). These numbers are, I note, consistent with those used by Bsides in their call for action.

In short, unless RSA has some good reason to think that the 20ish BSides sponsors and 400ish BSides attendees are some sort of insurgency, and that that insurgency has a real chance of achieving success at RSA’s expense, they shouldn’t care.

Insurgent, Complement, or Something Completely Different

All parties – RSA, BSides, exhibitors at one or both events, and attendees of one or both events – benefit from a vibrant community. This is all the more true when one event does not benefit at the expense of the other, but human nature being what it is, some may seek to capitalize on RSA’s success in a manner that is not beneficial to the infosec community generally.

Unsurprisingly, the convention and exposition business has seen this movie before, and has even created a very informative white paper on the subject. Indeed, because scenarios like this have played out so frequently, they have come out with an ethics statement condemning “Outboarding”:

Outboarding is defined by the International Association for Exhibition Management (IAEM) as the creation of a concurrent event that is related to an existing exhibition or event but that is not sanctioned by the organizer and which seeks to benefit from the audience the organizer attracts. IAEM considers Outboarding to be unethical business conduct and should not be condoned nor tolerated.

Further,

The predictable and inevitable consequences of Outboarding diminish the size and diffuse the quality of the audience that event sponsors work very hard to gather. Outboarding reduces the value of an event for exhibitors and sponsors who likewise have significant resources invested in the event.

Now, I read this ethical statement as a bit self-serving, but even by its own standards it’s not at all clear it applies to the RSA/BSides situation. Does BSides “seek to benefit” from the audience RSA attracts? I don’t know the demographics, but it doesn’t seem that way to me. Maybe RSA has a different view. If they do, I’d like to know why. Perhaps some in the BSides community have conducted themselves in a way that erodes trust.

What can be done?

In any case, there are concrete steps that can be taken against this kind of poaching, and that can act as institutional bulwarks against BSides acting counter to RSA and vice-versa. I do not know the history, but it seems to me that Black Hat and Defcon have managed to coexist effectively, both with one another and with BsidesLV, so this really can work.

The carrot: The events can be arranged to overlap minimally. Bsides does little to build goodwill if it is scheduled to coincide with peak RSA conference days.

Incentives to attend both events can be provided. Since RSA is the one doing the worrying, they can drive traffic to their event through the relatively costless measure of offering free expo passes to all BSides attendees.

Attendee enjoyment can be maximized by keeping the events close together geographically. RSA attendees will be much less likely to “blow off” a whole day if they can easily wander over to BSides to see a talk or two, then come back. RSA might consider “keeping its (perceived) enemies closer” by providing subsidized or free venue space to Bsides.

…or the stick: Perhaps RSA has offered to do some or all of these. If so, they should try again. On the other hand, the reports we do have suggest that RSA is taking a rather different tack - threatening to withhold future waivers from Bsides sponsors.

How would this work? Presumably, like RSA, Bsides has an agreement with sponsors, who can’t just decide not to pay because RSA shows them the instruments. So, the way this plays out is:

  1. RSA threatens

  2. Sponsors cannot back out lest they lose both money and goodwill, so they stay in

  3. RSA follows through, taking some sort of punitive action against sponsors, such as banning them from future conferences

However, RSA is itself a sponsor. Therefore, RSA must choose between playing favorites in an almost comically self-serving way, or punishing itself (which rules out banning as a punishment).

Clearly, cooler heads need to prevail. RSA should back away from the brinksmanship it seems to be considering. Bsides should reflect on the actions of its members and sponsors which may have led RSA to believe its motives were threatening, and should approach RSA to ask what the real reasons for this recent change in tone are. It may be a simple misunderstanding, or it may be something deeper. Whatever it is, it should come out now so we as a community can move forward (hopefully, together).


[1] I take this to refer to the organizers of the BSidesSF event.

[2] It’s unclear who did the notifying, but the urgent tone suggests that it came from the RSA Conference officially.