Latest Essays

Democracy's Dilemma

  • Henry Farrell and Bruce Schneier
  • Boston Review
  • May 15, 2019

This essay originally appeared as part of a Boston Review forum. Responses can be found on the Boston Review site.

The Internet was going to set us all free. At least, that is what U.S. policy makers, pundits, and scholars believed in the 2000s.

Read More →

Russia's Attacks on Our Democratic Systems Call for Diverse Countermeasures

  • Bruce Schneier
  • The Hill
  • May 7, 2019

What do attacks on the integrity of our voting systems, the census and the judiciary all have in common? They're all intended to reduce our faith in systems necessary for our democracy to function, and they're also targets of Russian propaganda efforts.

To understand how these efforts can effectively undermine a democracy, it helps to think of a government as an information system. In this conceptualization, there are two types of knowledge that governments use to function.

Read More →

Toward an Information Operations Kill Chain

  • Bruce Schneier
  • Lawfare
  • April 24, 2019

Cyberattacks don't magically happen; they involve a series of steps. And far from being helpless, defenders can disrupt the attack at any of those steps. This framing has led to something called the "cybersecurity kill chain": a way of thinking about cyber defense in terms of disrupting the attacker's process.

On a similar note, it's time to conceptualize the "information operations kill chain." Information attacks against democracies, whether they're attempts to polarize political processes or to increase mistrust in social institutions, also involve a series of steps.

Read More →

A New Privacy Constitution for Facebook

Mark Zuckerberg wants to fix the social network. Here’s what he’ll need to do.

  • Bruce Schneier and Adam Shostack
  • OneZero
  • March 8, 2019

Facebook is making a new and stronger commitment to privacy. Last month, the company hired three of its most vociferous critics and installed them in senior technical positions. And on Wednesday, Mark Zuckerberg wrote that the company will pivot to focus on private conversations over the public sharing that has long defined the platform, even while conceding that "frankly we don't currently have a strong reputation for building privacy protective services."

There is ample reason to question Zuckerberg's pronouncement: The company has made—and broken—many privacy promises over the years. And if you read his 3,000-word post carefully, Zuckerberg says nothing about changing Facebook's surveillance capitalism business model.

Read More →

Cybersecurity for the Public Interest

  • Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2019

The Crypto Wars have been waging off-and-on for a quarter-century. On one side is law enforcement, which wants to be able to break encryption, to access devices and communications of terrorists and criminals. On the other are almost every cryptographer and computer security expert, repeatedly explaining that there's no way to provide this capability without also weakening the security of every user of those devices and communications systems.

It's an impassioned debate, acrimonious at times, but there are real technologies that can be brought to bear on the problem: key-escrow technologies, code obfuscation technologies, and backdoors with different properties.

Read More →

There's No Good Reason to Trust Blockchain Technology

  • Bruce Schneier
  • Wired
  • February 6, 2019

In his 2008 white paper that first proposed bitcoin, the anonymous Satoshi Nakamoto concluded with: "We have proposed a system for electronic transactions without relying on trust." He was referring to blockchain, the system behind bitcoin cryptocurrency. The circumvention of trust is a great promise, but it's just not true. Yes, bitcoin eliminates certain trusted intermediaries that are inherent in other payment systems like credit cards. But you still have to trust bitcoin—and everything about it.

Read More →

The Public-Interest Technologist Track at the RSA Conference

  • Bruce Schneier
  • RSA Conference Blogs
  • January 29, 2019

Our work in cybersecurity is inexorably intertwined with public policy and—more generally—the public interest. It's obvious in the debates on encryption and vulnerability disclosure, but it's also part of the policy discussions about the Internet of Things, cryptocurrencies, artificial intelligence, social media platforms, and pretty much everything else related to IT.

This societal dimension to our traditionally technical area is bringing with it a need for public-interest technologists.

Defining this term is difficult.

Read More →

Defending Democratic Mechanisms and Institutions against Information Attacks

  • Henry Farrell and Bruce Schneier
  • Defusing Disinfo
  • January 28, 2019

To better understand influence attacks, we proposed an approach that models democracy itself as an information system and explains how democracies are vulnerable to certain forms of information attacks that autocracies naturally resist. Our model combines ideas from both international security and computer security, avoiding the limitations of both in explaining how influence attacks may damage democracy as a whole.

Our initial account is necessarily limited. Building a truly comprehensive understanding of democracy as an information system will be a Herculean labor, involving the collective endeavors of political scientists and theorists, computer scientists, scholars of complexity, and others.

Read More →

Evaluating the GCHQ Exceptional Access Proposal

  • Bruce Schneier
  • Lawfare
  • January 17, 2019

The so-called Crypto Wars have been going on for 25 years now. Basically, the FBI—and some of their peer agencies in the U.K., Australia, and elsewhere—argue that the pervasive use of civilian encryption is hampering their ability to solve crimes and that they need the tech companies to make their systems susceptible to government eavesdroping. Sometimes their complaint is about communications systems, like voice or messaging apps. Sometimes it's about end-user devices.

Read More →

Machine Learning Will Transform How We Detect Software Vulnerabilities

  • Bruce Schneier
  • SecurityIntelligence
  • December 18, 2018

No one doubts that artificial intelligence (AI) and machine learning will transform cybersecurity. We just don't know how, or when. While the literature generally focuses on the different uses of AI by attackers and defenders — and the resultant arms race between the two — I want to talk about software vulnerabilities.

All software contains bugs.

Read More →

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.