RSA Data Security Inc., the company that effectively sets standards for the encryption that protects electronic money and sensitive messages, may be doing the same for the convention business.
The Redwood City, Calif., company managed to keep most of its more than 3,000 paying guests enthralled and in their seats for four full days last week, a testament to both the trendy topicality of this annual event and an unusual mix of entertainment values.
"We try at this conference to combine some intense subject matter with fun and games," said Chuck Stuckey, chairman, president, and chief executive officer of Security Dynamics Technologies Inc., RSA's parent company.
Within a few minutes on the opening morning Jan. 13, the meeting at the Masonic Auditorium in San Francisco segued from Gregorian chants to an edgy hip-hop music interlude to a sober discussion of government cryptography policy with three members of Congress.
Roller coasters work for Disney, so why not RSA?
When he negotiated the acquisition of RSA in 1996, Mr. Stuckey may not have fully appreciated that he was inheriting a conference gold mine. Since the first one in Redwood City in 1991, which attracted 50 computer science diehards and had little to say to the wider business community, the event has doubled in size every year.
Now it is almost all business. People who have come more than two or three times invariably remark how the percentage of suits is up and ponytails down.
"The character changes as a meeting like this moves to larger and larger places," said Peter Freund, an investment banker by trade who is chairman of Certco, a cryptography and digital certification vendor that began as a Bankers Trust New York Corp. venture investment.
And the stakes are rising. The technology of data security has become enmeshed in electronic commerce, which to this community has passed from speculative gamble to tangible opportunity. It is already a crowded industry that could shake out in numerous ways before the final winners become clear.
"After all is said and debated and the decisions are made, there is a need for all of us to make our technologies and products usable by the masses," said Mr. Stuckey. "They need to be interoperable and easier to use than they are today."
Having outgrown the available in-town San Francisco facilities-RSA conference sessions were scattered among several hotels and the theater- size Masonic hall-the event will move next January to the San Jose Convention Center.
Going into the heart of Silicon Valley, the conference organizers are talking about doubling again. Half the available exhibit space, which is considerably larger than that occupied by 68 companies at the 1998 conference (this too doubled), is already spoken for.
But the success of the RSA show may have less to do with location than with its producer-director-star, Jim Bidzos.
He has been RSA Data Security's president and chief executive officer for most of its 16-year life. He leavens a typical high-tech intensity and a penchant for argumentation-no one has more vocally challenged the federal policies restricting exports of encryption products-with a creativity and wit that find outlet in the convention.
Mr. Bidzos has frequently joked about how the meeting had grown into a core business, but this year its size went over the top, and so did his joke.
Referring to RSA's recent appointment of Albert Sisto as chief operating officer, Mr. Bidzos said, "I had to have a COO because this darn crypto stuff is beginning to interfere with our conference business."
The impresario has collaborators, notably marketing director Scott Schnell and conference director Kurt Stammberger. They know the classics and they know Generation X, and that makes for eclecticism.
The preliminary marketing materials had a church motif with a stained- glass window. Brochures told the story of a 15th century Benedictine monk, Johannes Trithemius, whose writings are regarded as the first on what became modern cryptography.
RSA has a tradition of teaching history lessons. Two years ago it was about how the Navajo language served as a code and contributed to the U.S. victory in the Pacific in World War II. Last year it was about the sending of encoded messages via carrier pigeon in World War I.
This year, RSA planted the seed about Trithemius and to tell his story brought in Steve DeCaroli, a PhD candidate in philosophy at the State University of New York's Binghamton University. His paper was titled, "Cryptography, the Renaissance, and the Inquisition." One subplot told how Trithemius' work influenced John Dee, an alchemist and adviser to the court of Queen Elizabeth I, and hence the spread of secret coding methods in diplomatic communications. (Dee's name in coded correspondences was abbreviated as "007.")
On the Masonic Auditorium stage throughout the conference was a replica arch and stained-glass window. But it was all one big Gothic curveball.
At the first session, as smoke filled the room and Gregorian chants emanated from the sound system, a half-dozen men emerged in monks' robes and took places at the front of the stage.
The chants started taking on a backbeat, the robes came off, berets went on, and the Sugar Hill Gang, a top rap group, was strutting its stuff. Mr. Bidzos was among them. He wrote the song and sang some of its verses, like this one:
"I want to encrypt
My Internet mail.
I should be able to do it
Without going to jail."
His government encryption-regulating adversaries never got a wake-up call quite like that.
Even though Mr. Bidzos is orchestrating themes favorable to his positions, he invites speakers with other points of view.
On a panel covering the U.S. government encryption issue were Bruce McConnell of the Office of Management and Budget and Dorothy Denning, a Georgetown University computer science professor who has surprised others in academia by supporting the official positions on cryptography exports.
They were far outnumbered by industry lawyers and consumer advocates-and an almost unanimous audience-who see the restrictions as an unconscionable and ultimately futile limitation on free speech and free trade.
Bruce Heiman, a high-tech industry lawyer with Preston Gates Ellis & Rouvelas Meeds in Washington, ridiculed a series of government policy shifts as something out of "Men in Black." He mimicked Tommy Lee Jones, a star in the film, and ascribed the changes to the memory erasures that were the hallmark of that plot.
The cryptographic majority has rallied around a bill known as SAFE, the Security and Freedom through Encryption Act.
Despite high-level misgivings in Washington, mainly from law-enforcement and intelligence agencies that are concerned about being unable to do their jobs because of an inability to crack the stronger codes, SAFE sailed through the House Judiciary Committee last year after having been co- sponsored by a bipartisan majority of the 435 members of the chamber.
Rep. Robert Goodlatte, R-Va., the principal sponsor and a darling of the strong-crypto movement, marveled at the vastness of the lobbying coalition behind SAFE. "It includes the American Civil Liberties Union and the National Rifle Association," he said. "I don't think those groups are ever on the same side of an issue."
Banking interests are also on board-Rep. Goodlatte mentioned the Online Banking Association-along with the National Retail Federation, U.S. Chamber of Commerce, and many others.
Mr. Goodlatte said he is "excited" about the bill's prospects.
Sen. John Ashcroft, R-Mo., addressing the conference with Rep. Goodlatte via satellite, vowed to help get it through the Senate. He said he fears the regulatory restrictions will "pull the rug out from under our competitive advantage ... U.S. companies will be prevented from competing in that market, and that bothers me."
He added, "National security and law enforcement need to be discussed, but there are also clear interests of the public and the business community in the privacy issue and the right against unreasonable search and seizure."
Mr. Bidzos is still worried about what will happen as the government sinks in its heels. He believes more and more Congress members are getting what is known in the trade as "the briefing" from the National Security Agency, convincing many to lose their strong-crypto enthusiasm.
Sen. Ashcroft dismissed "the briefers" as being "behind the power curve," not recognizing that technological advances make their old arguments obsolete.
"We have to take the national security concern seriously but not take it lying down," said Rep. Goodlatte.
Mr. Bidzos asked Rep. Zoe Lofgren, D-Calif., what she could say about the briefing, and she replied, "I can't describe the content but it's nothing you haven't heard in speeches. Policy makers are living in an analog world."
"It is yesterday's technology being put forward as a cure," Mr. Bidzos said. "And not enough attention is being paid to the constitutional issues."
The rhetoric heated up in the panel led off by the Man in Black, Mr. Heiman.
Susan Landau, a University of Massachusetts professor and co-author with public key cryptography inventor Whitfield Diffie of "Privacy on the Line: the Politics of Wiretapping and Encryption," catalogued what she viewed as government disregard of facts that would argue against its position. For example, she said, few if any terrorist, organized crime, or kidnapping prosecutions were aided by official snooping.
"If all this came out in public," Ms. Landau said, "they wouldn't have a case for their crypto policy."
"The government is trying to hard-wire wiretap capability into the digital information infrastructure," said Marc Rotenberg, director of the Washington-based Electronic Privacy Information Center.
Jerry Berman of the Center for Democracy and Technology, which has been influential in shaping the pro-SAFE side of the debate, said a "Cold War mentality" is at work in the use of "national security to trump civil liberties." The government cannot abide the "new paradigm of individual control over information," he said.
"The business community has been out front against the FBI on this issue because business is at stake," Mr. Berman went on. "Privacy is an essential part of e-commerce, and without it the potential of this new medium will be severely jeopardized."
To all this the Clinton administration official, Mr. McConnell, responded that the White House has not yet endorsed any encryption bill, including one sponsored by Sen. John McCain, R-Ariz., and Sen. Bob Kerrey, D-Neb., that the crypto forces view as the antithesis of SAFE. "Some bills are more strict, some are more liberal," Mr. McConnell said.
Prof. Denning pointed out that the government has not imposed domestic controls on encryption since 1992 and has gradually relaxed export controls. Indeed, mainly for banking and financial purposes, encryption products many times more powerful than the old 40-bit key limit have won Department of Commerce export approval.
If privacy protection, open competition, or constitutional arguments don't sell SAFE, crime-fighting might.
"This is anti-crime legislation of the first order," Rep. Goodlatte said. "It will make credit cards safer on the Internet, medical records safer, and electronic commerce viable."
Later, when Rep. Goodlatte accepted an award from RSA for his public policy leadership, he returned to the point: "We will continue to fight crime. That's what we're doing folks, and let's not forget it."
"The government and legislators are not well educated about security as a crime prevention tool," said Mr. Stuckey of Security Dynamics. "Our effort to pass the SAFE bill this year is critical."
Like most of the "suits" in attendance, bankers enjoyed the lively debates and entertainment but had to stay focused on the pragmatic question of "where is the business?"
There were enough people at the conference employed by banks-to call these technology specialists bankers in the traditional sense might be an injustice-to hold their own mini-convention. Of 90 on the printed registration list, 22 came from Citicorp, many from its advanced development group, which is based in the Los Angeles area.
Seven represented Certco, the Bankers Trust venture; six represented Zions Bancorp. of Utah or its pioneering certification subsidiary, Digital Signature Trust Co.; 12 came from the hometown banking giants, BankAmerica Corp. and Wells Fargo & Co.; and several more worked for banks in other countries.
Another 23 attendees came from jointly owned banking ventures like Visa, MasterCard, Mondex, and Swift.
Eight from San Francisco-based Charles Schwab & Co. and seven from Merrill Lynch & Co. led a contingent of 31 from securities and insurance organizations. The mortgage agencies Fannie Mae and Freddie Mac each sent four. The Federal Reserve System, Federal Deposit Insurance Corp., and Treasury Department had a total of 12.
The numbers were more than justified by the vision articulated by many speakers: that financial institutions will be central to electronic commerce and to distributing the digital certificates that will be needed to authenticate on-line buyers and sellers.
Hopes are high for SET, the MasterCard-Visa Secure Electronic Transaction standard, to spur the certification business. But it may be more fundamental than that.
"Electronic commerce is moving out of the IT (information technology) closet and into the mainstream of businesses," said Jay Simmons, senior vice president of Certco, which introduced its Root CertAuthority and Commerce CertAuthority products at the RSA meeting.
"Banks have an opportunity to re-intermediate themselves in areas of commerce they have been obviated from for years," said Mr. Simmons, a former Citibank executive. "Liability-absorption and mitigation of risk is what banks have the opportunity to provide" by adapting such basics as the "know-your-customer" rule to digital commerce.
"We think it is a small step from certificates to smart cards," which could make the digital credentials as portable and ubiquitous as today's credit cards, said George Hoyem, vice president and general manager of Verifone Inc.'s Internet commerce division.
"We think digital wallets will become the battleground for financial services," he added. "Internet commerce will change the way we all do business."
The Sugar Hill Gang aside, an unassuming banker from Canada stole the business part of the show, earning prolonged applause for doing what others are just beginning to talk about.
Paul Wing, vice president of Bank of Nova Scotia, presented what he called a "public key infrastructure success story." Digital certificates have replaced passwords, simplified sign-on procedures, and improved overall security, he said.
Working with Entrust Technologies, which is not coincidentally Canadian- controlled, Scotiabank has built two certificate authorities. In about four months, one has issued 24,000 digital certificates to Internet banking and brokerage customers. The other, wholesale CA had issued 184 on its way to 5,000 to 10,000 this year, Mr. Wing said.
He expressed supreme confidence in the tightness of the security, the system's resistance to fraud and compromise. And he stressed the speed of implementation; only 13 months ago was the idea presented to senior management. The first live transaction occurred in July and the rollout to customers began in September.
"There was general acceptance that this was a business decision, not a technology decision, and it was based on assessment of risk," Mr. Wing said. "If we left it to the technologists we would still be debating what directory service to use."