Latest Essays

NIST’s Post-Quantum Cryptography Standards Competition

  • IEEE Security & Privacy
  • September/October 2022

Quantum computing is a completely new paradigm for computers. A quantum computer uses quantum properties such as superposition, which allows a qubit (a quantum bit) to be neither 0 nor 1, but something much more complicated. In theory, such a computer can solve problems too complex for conventional computers.

Current quantum computers are still toy prototypes, and the engineering advances required to build a functionally useful quantum computer are somewhere between a few years away and impossible. Even so, we already know that that such a computer could potentially factor large numbers and compute discrete logs, and break the RSA and Diffie-Hellman public-key algorithms in all of the useful key sizes…

When Corporate Interests and International Cyber Agreements Collide

  • Bruce Schneier and Tarah Wheeler
  • The Cipher Brief
  • May 5, 2022

The Paris Call for Trust and Stability in Cyberspace is an initiative launched by French President Emmanuel Macron during the 2018 UNESCO’s Internet Governance Forum. It’s an attempt by the world’s governments to come together and create a set of international norms and standards for a reliable, trustworthy, safe, and secure Internet. It’s not an international treaty, but it does impose obligations on the signatories. It’s a major milestone for global Internet security and safety.

Corporate interests are all over this initiative, sponsoring and managing different parts of the process. As part of the Call, the French company Cigref and the Russian company Kaspersky chaired …

Why Vaccine Cards Are So Easily Forged

Sometimes a little security theater isn’t the worst thing.

  • The Atlantic
  • March 8, 2022

My proof of COVID vaccination is recorded on an easy-to-forge paper card. With little trouble, I could print a blank form, fill it out, and snap a photo. Small imperfections wouldn’t pose any problem; you can’t see whether the paper’s weight is right in a digital image. When I fly internationally, I have to show a negative COVID test result. That, too, would be easy to fake. I could change the date on an old test, or put my name on someone else’s test, or even just make something up on my computer. After all, there’s no standard format for test results; airlines accept anything that looks plausible…

Letter to the US Senate Judiciary Committee on App Stores

  • Bruce Schneier
  • January 31, 2022

View or Download in PDF Format

The Honorable Dick Durbin
Chair
Committee on Judiciary
711 Hart Senate Office Building
Washington, D.C. 20510

The Honorable Amy Klobuchar
Chair
Subcommittee on Competition Policy,
Antitrust, and Consumer Rights
425 Dirksen Senate Office Building
Washington, D.C. 20510

The Honorable Chuck Grassley
Ranking Member
Committee on Judiciary
135 Hart Senate Office Building
Washington, D.C. 20510

The Honorable Mike Lee
Ranking Member
Subcommittee on Competition Policy,
Antitrust, and Consumer Rights
361A Russell Senate Office Building…

Robot Hacking Games

  • IEEE Security & Privacy
  • January/February 2022

View or Download in PDF Format

Hacker “Capture the Flag” has been a mainstay at hacker gatherings since the mid-1990s. It’s like the outdoor game, but played on computer networks. Teams of hackers defend their own computers while attacking other teams’. It’s a controlled setting for what computer hackers do in real life: finding and fixing vulnerabilities in their own systems and exploiting them in others’. It’s the software vulnerability lifecycle.

These days, dozens of teams from around the world compete in weekend-long marathon events held all over the world. People train for months. Winning is a big deal. If you’re into this sort of thing, it’s pretty much the most fun you can possibly have on the Internet without committing multiple felonies…

How to Cut Down on Ransomware Attacks Without Banning Bitcoin

  • Bruce Schneier and Nicholas Weaver
  • Slate
  • June 17, 2021

Ransomware isn’t new; the idea dates back to 1986 with the “Brain” computer virus. Now, it’s become the criminal business model of the internet for two reasons. The first is the realization that no one values data more than its original owner, and it makes more sense to ransom it back to them—sometimes with the added extortion of threatening to make it public—than it does to sell it to anyone else. The second is a safe way of collecting ransoms: Bitcoin.

This is where the suggestion to ban cryptocurrencies as a way to “solve” ransomware comes from. Lee Reiners, executive director of the Global Financial Markets Center at Duke Law, …

Hacked Drones and Busted Logistics Are the Cyber Future of Warfare

  • Bruce Schneier and Tarah Wheeler
  • Brookings TechStream
  • June 5, 2021

“If you think any of these systems are going to work as expected in wartime, you’re fooling yourself.”

That was Bruce’s response at a conference hosted by U.S. Transportation Command in 2017, after learning that their computerized logistical systems were mostly unclassified and on the internet. That may be necessary to keep in touch with civilian companies like FedEx in peacetime or when fighting terrorists or insurgents. But in a new era facing off with China or Russia, it is dangerously complacent.

Any 21st century war will include cyber operations. Weapons and support systems will be successfully attacked. …

Russia’s Hacking Success Shows How Vulnerable the Cloud Is

The cloud is everywhere. It’s critical to computing. And it’s under attack.

  • Foreign Policy
  • May 24, 2021

Russia’s Sunburst cyberespionage campaign, discovered late last year, impacted more than 100 large companies and U.S. federal agencies, including the Treasury, Energy, Justice, and Homeland Security departments. A crucial part of the Russians’ success was their ability to move through these organizations by compromising cloud and local network identity systems to then access cloud accounts and pilfer emails and files.

Hackers said by the U.S. government to have been working for the Kremlin targeted a widely used Microsoft cloud service that synchronizes user identities. The hackers …

‘Grassroots’ Bot Campaigns Are Coming. Governments Don’t Have a Plan to Stop Them.

Artificial intelligence software can easily pass for real public comments

  • Henry Farrell and Bruce Schneier
  • The Washington Post
  • May 20, 2021

This month, the New York state attorney general issued a report on a scheme by “U.S. Companies and Partisans [to] Hack Democracy.” This wasn’t another attempt by Republicans to make it harder for Black people and urban residents to vote. It was a concerted attack on another core element of U.S. democracy—the ability of citizens to express their voice to their political representatives. And it was carried out by generating millions of fake comments and fake emails purporting to come from real citizens.

This attack was detected because it was relatively crude. But artificial intelligence technologies are making it possible to generate genuine-seeming comments at scale, drowning out the voices of real citizens in a tidal wave of fake ones…

Hackers Used to Be Humans. Soon, AIs Will Hack Humanity

Like crafty genies, AIs will grant our wishes, and then hack them, exploiting our social, political, and economic systems like never before.

  • Bruce Schneier
  • Wired
  • April 19, 2021

If you don’t have enough to worry about already, consider a world where AIs are hackers.

Hacking is as old as humanity. We are creative problem solvers. We exploit loopholes, manipulate systems, and strive for more influence, power, and wealth. To date, hacking has exclusively been a human activity. Not for long.

As I lay out in a report I just published, artificial intelligence will eventually find vulnerabilities in all sorts of social, economic, and political systems, and then exploit them at unprecedented speed, scale, and scope. After hacking humanity, AI systems will then hack other AI systems, and humans will be little more than collateral damage…

Sidebar photo of Bruce Schneier by Joe MacInnis.