Essays in the Category "Laws and Regulations"
Hacking the Business Climate for Network Security
Computer security is at a crossroads. It’s failing, regularly, and with increasingly serious results. CEOs are starting to notice. When they finally get fed up, they’ll demand improvements. (Either that or they’ll abandon the Internet, but I don’t believe that is a likely possibility.) And they’ll get the improvements they demand; corporate America can be an enormously powerful motivator once it gets going.
For this reason, I believe computer security will improve eventually. I don’t think the improvements will come in the short term, and I think that they will be met with considerable resistance. This is because the engine of improvement will be fueled by corporate boardrooms and not computer-science laboratories, and as such won’t have anything to do with technology. Real security improvement will only come through liability: holding software manufacturers accountable for the security and, more generally, the quality of their products. This is an enormous change, and one the computer industry is not going to accept without a fight…
Liability changes everything
Computer security is not a problem that technology can solve. Security solutions have a technological component, but security is fundamentally a people problem. Businesses approach security as they do any other business uncertainty: in terms of risk management. Organizations optimize their activities to minimize their cost-risk product, and understanding those motivations is key to understanding computer security today.
It makes no sense to spend more on security than the original cost of the problem, just as it makes no sense to pay liability compensation for damage done when spending money on security is cheaper. Businesses look for financial sweet spots—adequate security for a reasonable cost, for example—and if a security solution doesn’t make business sense, a company won’t do it…
Voting and Technology: Who Gets to Count Your Vote?
Paperless voting machines threaten the integrity of the democratic process by what they don't do.
Voting problems associated with the 2000 U.S. Presidential election have spurred calls for more accurate voting systems. Unfortunately, many of the new computerized voting systems purchased today have major security and reliability problems.
The ideal voting technology would have five attributes: anonymity, scalability, speed, audit, and accuracy (direct mapping from intent to counted vote). In the rush to improve the first four, accuracy is being sacrificed. Accuracy is not how well the ballots are counted; it’s how well the process maps voter intent into counted votes and the final tally. People misread ballots, punch cards don’t tabulate properly, machines break down, ballots get lost. Mistakes, even fraud, happen…
Testimony before the Subcommittee on Cybersecurity, Science, and Research and Development
Testimony and Statement for the Record of Bruce Schneier
Chief Technical Officer, Counterpane Internet Security, Inc.
Hearing on “Overview of the Cyber Problem: A Nation Dependent and Dealing with Risk”
Before the Subcommittee on Cybersecurity, Science, and Research and Development
Committee on Homeland Security
United States House of Representatives
June 25, 2003
2318 Rayburn House Office Building
Mr. Chairman, members of the Committee, thank you for the opportunity to testify today regarding cybersecurity, particularly in its relation to homeland defense and our nation’s critical infrastructure. My name is Bruce Schneier, and I have worked in the field of computer security for my entire career. I am the author of seven books on the topic, including the best-selling Secrets and Lies: Digital Security in a Networked World [1]. My newest book is entitled Beyond Fear: Thinking Sensibly About Security in an Uncertain World [2], and will be published in September. In 1999, I founded Counterpane Internet Security, Inc., where I hold the position of Chief Technical Officer. Counterpane Internet Security provides real-time security monitoring for hundreds of organizations, including several offices of the federal government…
American Cyberspace: Can We Fend off Attackers?
Forget It: Bland PR Document Has Only Recommendations
At 60 pages, the White House’s National Strategy to Secure Cyberspace is an interesting read, but it won’t help to secure cyberspace. It’s a product of consensus, so it doesn’t make any of the hard choices necessary to radically increase cyberspace security. Consensus doesn’t work in security design, and invariably results in bad decisions. It’s the compromises that are harmful, because the more parties you have in the discussion, the more interests there are that conflict with security. Consensus doesn’t work because the one crucial party in these negotiations—the attackers—aren’t sitting around the negotiating table with everyone else. They don’t negotiate, and they won’t abide by any security agreements…
Should Vendors be Liable for Their Software's Security Flaws?
Network security is not a technological problem; it’s a business problem. The only way to address it is to focus on business motivations. To improve the security of their products, companies – both vendors and users – must care; for companies to care, the problem must affect stock price. The way to make this happen is to start enforcing liabilities.
The only way to get many companies to spend significant resources to ensure the security of their customers’ data is to hold them liable for misuse of this data. Similarly, the only way to get software vendors to reduce features, lengthen development cycles and invest in secure software development processes is to hold them liable for security vulnerabilities in their products…
Efforts to Limit Encryption Are Bad for Security
In the wake of the devastating attacks on New York’s World Trade Center and the Pentagon, Sen. Judd Gregg (R-N.H.), with backing from other high-ranking government officials, quickly seized the opportunity to propose limits on strong encryption and “key-escrow” systems that ensure government access. This is a bad move because it will do little to thwart terrorist activities, and it will also reduce the security of our critical infrastructure.
As more and more of our nation’s critical infrastructure goes digital, cryptography is more important than ever. We need all the digital security we can get; the government shouldn’t be doing things that actually reduce it. We’ve been through these arguments before, but legislators seem to have short memories. Here’s why trying to limit cryptography is bad for e-business:…
Arrest of Computer Researcher Is Arrest of First Amendment Rights
The arrest of a Russian computer security researcher was a major setback for computer security research. The FBI nabbed Dmitry Sklyarov after he presented a paper at DefCon, the hacker community convention in Las Vegas, on the strengths and the weaknesses of software to encrypt an electronic book.
Although I’m certain the FBI’s case will never hold up in court, it shows that free speech is secondary to the entertainment industry’s paranoia about copyright protection.
Sklyarov is accused of violating the Digital Millennium Copyright Act (DMCA), which makes publishing critical research on this technology more serious than publishing design information on nuclear weapons…
Testimony before the Senate Subcommittee on Science, Technology, and Space
Testimony and Statement for the Record of Bruce Schneier
Chief Technical Officer, Counterpane Internet Security, Inc.
Hearing on Internet Security before the Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science and Transportation
United States Senate
July 16, 2001
253 Russell Senate Office Building
My name is Bruce Schneier. I am the founder and Chief Technical Officer of Counterpane Internet Security, Inc. Counterpane was founded to address the immediate need for increased Internet security, and essentially provides burglar alarm services for computer networks. I am the author of seven books on cryptography and computer security, as well as hundreds of articles and papers on those topics. For several years, I have been a security consultant to many major Internet companies…
The 1999 Crypto Year-in-Review
In 1999, the major developments in cryptography were more political than scientific. Of course, there were scientific conferences and scientific announcements, some of which were significant. But, by far, the most important events happened in the areas of law, court cases and regulation. As we move into the new millennium, these political and regulatory shifts could have resounding effects on the implementation of cryptography, especially in how it relates to balancing privacy concerns with the needs of government and law enforcement.
U.S. Export Control…