Latest Essays

U.S. Elections Are a Mess, Even Though There’s No Evidence This One Was Hacked

Unproven reports of possible discrepancies in the Rust Belt just show how untrustworthy the system is.

  • Bruce Schneier
  • The Washington Post
  • November 23, 2016

Was the 2016 presidential election hacked? It's hard to tell. There were no obvious hacks on Election Day, but new reports have raised the question of whether voting machines were tampered with in three states that Donald Trump won this month: Wisconsin, Michigan and Pennsylvania.

The researchers behind these reports include voting rights lawyer John Bonifaz and J. Alex Halderman, the director of the University of Michigan Center for Computer Security and Society, both respected in the community.

Read More →

Testimony at the U.S. House of Representatives Joint Hearing “Understanding the Role of Connected Devices in Recent Cyber Attacks”

  • Bruce Schneier
  • November 16, 2016

Testimony of Bruce Schneier
Fellow, Berkman-Klein Center at Harvard University
Lecturer and Fellow, Harvard Kennedy School of Government
Special Advisor to IBM Security and CTO of Resilient: An IBM Company

Before the

U.S. House of Representatives
Committee on Energy and Commerce
Subcommittee on Communications and Technology, and the
Subcommittee on Commerce, Manufacturing, and Trade

Joint Hearing Entitled
“Understanding the Role of Connected Devices in Recent Cyber Attacks”

November 16, 2016
10:00 AM

Watch the Video on House.gov

Good morning. Chairmen Walden and Burgess, Ranking Members Eshoo and Schakowsky, members of the committee: thank you for the opportunity to testify on this matter. Although I have an affiliation with both Harvard University and IBM, I am testifying in my personal capacity as a cybersecurity expert and nothing I say should be construed as the official position of either of those organizations.

Read More →

American Elections Will Be Hacked

  • Bruce Schneier
  • The New York Times
  • November 9, 2016

It's over. The voting went smoothly. As of the time of writing, there are no serious fraud allegations, nor credible evidence that anyone tampered with voting rolls or voting machines. And most important, the results are not in doubt.

Read More →

Your WiFi-Connected Thermostat Can Take Down the Whole Internet. We Need New Regulations.

  • Bruce Schneier
  • The Washington Post
  • November 3, 2016

Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, were as much a failure of market and policy as they were of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the "Internet of Things" and increased regulation of what are now critical and life-threatening technologies. It's no longer a question of if, it's a question of when.

Read More →

Lessons From the Dyn DDoS Attack

  • Bruce Schneier
  • SecurityIntelligence
  • November 1, 2016

A week ago Friday, someone took down numerous popular websites in a massive distributed denial-of-service (DDoS) attack against the domain name provider Dyn. DDoS attacks are neither new nor sophisticated. The attacker sends a massive amount of traffic, causing the victim's system to slow to a crawl and eventually crash. There are more or less clever variants, but basically, it's a datapipe-size battle between attacker and victim.
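The "datapipe-size battle" described above comes down to one number: the bytes per second offered to the victim against the capacity of the victim's link. As an added example that is not part of the essay, here is a small detector that runs over constructed flow records (one line per flow: second, source IP, bytes) and flags each second whose offered load approaches an assumed 10 Mbit/s uplink. It also reports the largest single-source share, which is the practical distinction the essay's point hinges on: a flood spread across many sources cannot be stopped by per-IP rate limiting at the victim, while a single abusive client can. The link size, the addresses and the traffic figures are all made up for illustration.

```python
from collections import defaultdict

# Constructed flow records, one per line: "<epoch_second> <source_ip> <bytes>".
# Seconds 100-102 are ordinary traffic; 103-104 are a flood from many sources.
SAMPLE_FLOWS = """\
100 203.0.113.5 1200
100 198.51.100.7 900
101 203.0.113.5 1500
101 192.0.2.9 800
102 203.0.113.5 1100
102 198.51.100.7 700
103 10.1.0.1 400000
103 10.1.0.2 400000
103 10.1.0.3 400000
103 10.1.0.4 400000
103 10.1.0.5 400000
103 203.0.113.5 1300
104 10.1.0.1 450000
104 10.1.0.2 450000
104 10.1.0.3 450000
104 10.1.0.4 450000
104 10.1.0.5 450000
104 10.1.0.6 450000
"""

# Assumed victim uplink: 10 Mbit/s, expressed in bytes per second (1_250_000).
LINK_BYTES_PER_SEC = 10_000_000 // 8


def parse_flows(text):
    """Parse the whitespace-separated flow records into (second, ip, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sec, ip, nbytes = line.split()
        flows.append((int(sec), ip, int(nbytes)))
    return flows


def per_second(flows):
    """Group traffic by second, keeping a per-source byte count inside each second."""
    buckets = defaultdict(lambda: defaultdict(int))
    for sec, ip, nbytes in flows:
        buckets[sec][ip] += nbytes
    return buckets


def detect_floods(flows, link_bytes_per_sec=LINK_BYTES_PER_SEC, threshold=0.8):
    """Return one finding per second whose offered load is >= threshold * link capacity.

    utilization > 1.0 means the pipe is already full and legitimate traffic is
    being dropped alongside the attack. top_share is the fraction of that
    second's bytes sent by the single busiest source; when it is small the
    flood is distributed and per-IP limits at the victim will not help.
    """
    findings = []
    limit = threshold * link_bytes_per_sec
    for sec in sorted(per_second(flows)):
        by_src = per_second(flows)[sec]
        total = sum(by_src.values())
        if total < limit:
            continue
        top_share = max(by_src.values()) / total
        findings.append({
            "second": sec,
            "bytes": total,
            "utilization": total / link_bytes_per_sec,
            "sources": len(by_src),
            "top_share": top_share,
            "distributed": top_share < 0.5,
        })
    return findings


if __name__ == "__main__":
    for f in detect_floods(parse_flows(SAMPLE_FLOWS)):
        kind = "distributed flood" if f["distributed"] else "single heavy source"
        print(f"t={f['second']} load={f['utilization']:.2f}x link "
              f"sources={f['sources']} top_share={f['top_share']:.2f} -> {kind}")
```

The threshold is deliberately below 1.0: by the time offered load equals link capacity the outage has already started, so a sensor upstream of the saturated link is the only place this measurement is still meaningful. In the constructed data the two flagged seconds show no source above a fifth of the traffic, which is exactly why the victim's own rate limits are not the place the fight is won.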

Read More →

Cybersecurity Issues for the Next Administration

Solutions require both corporate regulation and international cooperation

  • Bruce Schneier
  • Time
  • October 13, 2016

This essay appeared on Time.com as part of a special section called Let's Talk About the Issues.

On today's Internet, too much power is concentrated in too few hands. In the early days of the Internet, individuals were empowered. Now governments and corporations hold the balance of power. If we are to leave a better Internet for the next generations, governments need to rebalance Internet power more towards the individual.

Read More →

We Need to Save the Internet from the Internet of Things

  • Bruce Schneier
  • Motherboard
  • October 6, 2016

Brian Krebs is a popular reporter on the cybersecurity beat. He regularly exposes cybercriminals and their tactics, and consequently is regularly a target of their ire. Last month, he wrote about an online attack-for-hire service that resulted in the arrest of the two proprietors. In the aftermath, his site was taken down by a massive DDoS attack.

Read More →

How Long Until Hackers Start Faking Leaked Documents?

There’s nothing stopping attackers from manipulating the data they make public.

  • Bruce Schneier
  • The Atlantic
  • September 13, 2016

In the past few years, the devastating effects of hackers breaking into an organization's network, stealing confidential data, and publishing everything have been made clear. It happened to the Democratic National Committee, to Sony, to the National Security Agency, to the cyber-arms weapons manufacturer Hacking Team, to the online adultery site Ashley Madison, and to the Panamanian tax-evasion law firm Mossack Fonseca.

This style of attack is known as organizational doxing. The hackers, in some cases individuals and in others nation-states, are out to make political points by revealing proprietary, secret, and sometimes incriminating information.

Read More →

Someone Is Learning How to Take Down the Internet

  • Bruce Schneier
  • Lawfare
  • September 13, 2016

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China and Russia would be my first guesses.

Read More →

Stop Trying to Fix the User

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2016

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that.

Read More →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.