Essays: 2012 Archives
We're in the early years of a cyberwar arms race. It's expensive, it's destabilising and it threatens the very fabric of the internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.
If you read the press and listen to government leaders, we're already in the middle of a cyberwar.
Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone.
Doping in professional sports is back in the news, as the overwhelming evidence against Lance Armstrong led to his being stripped of his seven Tour de France titles and more. But instead of focusing on the issues of performance-enhancing drugs and whether professional athletes be allowed to take them, I'd like to talk about the security and economic aspects of the issue.
Because drug testing is a security issue. Various sports federations around the world do their best to detect illegal doping, and players do their best to evade the tests.
A lot of the debate around President Obama's cybersecurity initiative center on how much of a burden it would be on industry, and how that should be financed. As important as that debate is, it obscures some of the larger issues surrounding cyberwar, cyberterrorism, and cybersecurity in general.
It's difficult to have any serious policy discussion amongst the fear mongering. Secretary Panetta's recent comments are just the latest; search the Internet for "cyber 9/11," "cyber Peal-Harbor," "cyber Katrina," or -- my favorite -- "cyber Armageddon."
There's an enormous amount of money and power that results from pushing cyberwar and cyberterrorism: power within the military, the Department of Homeland Security, and the Justice Department; and lucrative government contracts supporting those organizations.
In May, neuroscientist and popular author Sam Harris and I debated the issue of profiling Muslims at airport security. We each wrote essays, then went back and forth on the issue. I don't recommend reading the entire discussion; we spent 14,000 words talking past each other. But what's interesting is how our debate illustrates the differences between a security engineer and an intelligent layman.
Horrific events, such as the massacre in Aurora, can be catalysts for social and political change. Sometimes it seems that they're the only catalyst; recall how drastically our policies toward terrorism changed after 9/11 despite how moribund they were before.
The problem is that fear can cloud our reasoning, causing us to overreact and to overly focus on the specifics. And the key is to steer our desire for change in that time of fear.
This essay orginally appeared as part of a series of advice columns on how to break into the field of security.
I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice.
First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks.
ABSTRACT: The problem of securing biological research data is a difficult and complicated one. Our ability to secure data on computers is not robust enough to ensure the security of existing data sets. Lessons from cryptography illustrate that neither secrecy measures, such as deleting technical details, nor national solutions, such as export controls, will work.
Science and Nature have each published papers on the H5N1 virus in humans after considerable debate about whether the research results in those papers could help terrorists create a bioweapon (1, 2).
We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat.
Brazilian Portuguese translation
Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It's not just software companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it's not only criminal organizations, who pay for vulnerabilities they can exploit. Now there are governments, and companies who sell to governments, who buy vulnerabilities with the intent of keeping them secret so they can exploit them.
A Debate between Sam Harris and Bruce Schneier
Return to Part 1
A profile that encompasses "anyone who could conceivably be Muslim" needs to include almost everyone. Anything less and you're missing known Muslim airplane terrorist wannabes.
SH:It includes a lot of people, but I wouldn't say almost everyone. In fact, I just flew out of San Jose this morning and witnessed a performance of security theater so masochistic and absurd that, given our ongoing discussion, it seemed too good to be true.
A Debate between Sam Harris and Bruce SchneierIntroduction by Sam Harris
I recently wrote two articles in defense of "profiling" in the context of airline security (1 & 2), arguing that the TSA should stop doing secondary screenings of people who stand no reasonable chance of being Muslim jihadists. I knew this proposal would be controversial, but I seriously underestimated how inflamed the response would be. Had I worked for a newspaper or a university, I could well have lost my job over it.
One thing that united many of my critics was their admiration for Bruce Schneier.
Why do otherwise rational people think it's a good idea to profile people at airports? Recently, neuroscientist and best-selling author Sam Harris related a story of an elderly couple being given the twice-over by the TSA, pointed out how these two were obviously not a threat, and recommended that the TSA focus on the actual threat: "Muslims, or anyone who looks like he or she could conceivably be Muslim."
This is a bad idea. It doesn’t make us any safer -- and it actually puts us all at risk.
The right way to look at security is in terms of cost-benefit trade-offs.
These essays are part of a debate with Kip Hawley, the former Administrator of the TSA. For the full debate, see The Economist's website.
Let us start with the obvious: in the entire decade or so of airport security since the attacks on America on September 11th 2001, the Transportation Security Administration (TSA) has not foiled a single terrorist plot or caught a single terrorist. Its own "Top 10 Good Catches of 2011" does not have a single terrorist on the list. The "good catches" are forbidden items carried by mostly forgetful, and entirely innocent, people -- the sorts of guns and knives that would have been just as easily caught by pre-9/11 screening procedures.
This essay was republished in Wired on February 24, 2014.
Security is a tradeoff, a balancing act between attacker and defender. Unfortunately, that balance is never static. Changes in technology affect both sides. Society uses new technologies to decrease what I call the scope of defection -- what attackers can get away with -- and attackers use new technologies to increase it.
I CAN put my cash card into an ATM anywhere in the world and take out a fistful of local currency, while the corresponding amount is debited from my bank account at home. I don't even think twice: regardless of the country, I trust that the system will work.
The whole world runs on trust. We trust that people on the street won't rob us, that the bank we deposited money in last month returns it this month, that the justice system punishes the guilty and exonerates the innocent.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.