"Life is Insecurity"

SAP Info International
March 27, 2006

Which IT security issues are really important? Which are the main topics enterprises are dealing with in 2006? What is the role of encryption? – When people want to know how security really works, they often turn to Bruce Schneier, internationally-renowned security technologist and author. The "security guru" is Co-Founder and CTO of Counterpane Internet Security, Inc. Schneier is best known as a security critic and commentator, his free monthly security newsletter explains the news in a common sense. In conversation with SAP INFO online, Schneier talks candidly about his own fascination for IT security and names the actual and future challenges concerning this topic.

What makes the subject of IT security so interesting for you personally?

Schneier: I have always believed it takes a certain personality type to be interested in security. I've heard it called "paid professional paranoid," but it's more complicated than that. At its core, security is about figuring out how things work and how things can be made to not work. It's about looking at systems and figuring out how to get around them. I think it's the no-rules intellectual challenge of security that intrigues me.

Your security newsletter Crypto-Gram now has around 120,000 subscribers. To what extent does this very high level of interest reflect the need for information?

Schneier: I don't think Crypto-Gram is so popular because it's the best source for security information. There are far better news sources out there, as well as far better publications devoted specifically to IT security. I think Crypto-Gram is popular because I write it in a no-bullshit style. I write about the security issues that interest me – technological, social, political – and spend a lot of time explaining the news. I think people appreciate the common sense, and that I don't have any corporate agenda.

In your book "Beyond Fear" you propose that IT security can be implemented comparatively easily. What would be the creative approach to the subject, beyond the panic-mongering and hype? Which security issues are really important?

Schneier: Security is all about economics. All security decisions are trade-offs, and businesses make those trade-offs primarily economically. This is why we see, for example, so many thefts of personal information from corporate databases. The corporations are not liable for the losses, so they're not going to spend a lot of money securing the data. The way to improve security is to recognize this economic truth and work with it: force the entity that's in the best position to mitigate the risk to be responsible for the risk. And the security issue that's really important right now: crime.

What are the three most important topics that enterprises will have to deal with in 2006, in order to be secure?

Schneier: This question depends a lot on which country you're in, because the economics of security depend a lot on the regulatory environment. But whatever country you're in, regulation and compliance is probably your most important security-related topic right now. After that, crime. Crime crime crime. I don't think there's a number three that even comes close to those two.

How likely is it that the code in today's encryption technology can be broken?

Schneier: The second part of your question should be: "and should anyone even care?" The answer to that second part would be "no." Encryption, even lousy encryption, is generally the strongest part of a computer security system. If a system gets broken, it will invariably be because of a vulnerability somewhere else: the software, the user interface, the network, the installation, etc. So there's basically no point in losing sleep over the encryption. It's like putting a tall spike into the ground and hoping your enemy will run right into it. You can argue about whether the spike should be a mile tall, or a mile-and-a-half tall, but the enemy is just going to go around the spike. That being said, I am sure of two things: First, that there are more powerful cryptanalytic tools against today's encryption algorithms than we know of right now. The second point is that even with these tools the algorithms will be secure against any practical attack.

The history of cryptography shows that regardless of how sophisticated an encryption technology is, sooner or later the code will be broken – often as a result of betrayal. Can the battle between "good and evil" actually be won by technology, or is it up to us as human beings?

Schneier: Of course technology can't solve the security problem. It will always come down to people. Until people are replaced by robots, I guess.

Up to now, Microsoft has been the main target for hackers – do SAP customers need to worry about hackers or business criminals in the near future?

Schneier: Microsoft will be a preferred target for hackers as long as they have a preferred position in the marketplace, but criminals don't care which systems they use to attack your networks. I think that customers of every product need to worry, and if SAP thinks it can hide, it's sadly mistaken.

Would you, as a security expert, be able to earn more money on the "other side"? What do you think will be the "new ideas" in internet crime?

Schneier: Crime rarely pays more than crime prevention. For one, as a criminal you can't learn from your mistakes – you go to jail for them. Because making mistakes is risky, criminals don't tend to learn very fast. And you're not going to see a lot of "new ideas" in Internet crime, just variants of old ideas. I don't think we've seen anything new, really. What we have seen is conventional crime moving to the Internet and taking advantage of the economies of scale inherent in computers.

What is your vision of a "secure" world?

Schneier: One without people. That is, one that will never exist. Life is insecurity, and the sooner we get used to that, the better.

earlier story: Bruce Schneier: Questions & Answers
later story: 2006 Dr. Dobb's Journal Excellence in Programming Award
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..