Encryption Expert Teaches Security

By Brian Bergstein
Associated Press
September 24, 2006

MINNEAPOLIS (AP) - It must say something about our times that Bruce Schneier, a geeky computer encryption expert turned all-purpose security guru, occasionally gets recognized in public. "My life is just plain surreal," he says.

Schneier, 43, has made it so by popping up whenever technology and regular life intersect, weighing in on everything from the uselessness of post-Sept. 11 airport security measures to the perils of electronic voting machines and new passports with radio chips.

He does it by writing books, essays, a frequently updated Web log and an e-mail newsletter with 125,000 subscribers. It helps that he has never met a reporter whose phone calls he will not return. "I'm a media slut," he admits.

That might make it tempting to dismiss the bearded, ponytailed Schneier as being in the business of promoting Schneier. Of course there's some of that - he has a program "ego-scan" his book-sales ranking on Amazon.com every hour.

But that doesn't detract from the respect he engenders.

A former Pentagon and Bell Labs technologist who invented important methods of cryptography and wrote a textbook on the subject (meriting him a mention in "The Da Vinci Code"), Schneier has testified to Congress and shared ideas with Rand Corp. researchers. Even though he has denigrated the billions spent on airport security as almost entirely wasted, the Transportation Security Administration asked him for advice about its passenger-screening program.

"Bruce Schneier is a master of explaining security, and a master of telling us why security and freedom are the same thing, why security can't ever be had at freedom's expense," says Cory Doctorow, an author and fellow at the Electronic Frontier Foundation.

Schneier sees himself as a teacher dispensing clear-headed lessons in an era poisoned by irrational fears of terrorism. "I'd like everyone to take a deep breath and listen for a minute," he wrote in a recent online essay.

His favorite topic these days is the intersection of security, economics and psychology.

For example, Schneier blasts almost all airport screening measures as meaningless "security theater" that makes people incorrectly believe they are safer. After all, who says the next terrorist attack will involve the methods used last time? Who says it even has to involve airplanes?

"The game of having all these tactics is one we can't win because terrorists get to see it in advance," he says. "By definition you're going to pick a plot we're not going to catch. It's a game we can't win. Let's stop playing it."

Instead, Schneier says the game ought to be about stopping bad people - mainly through better intelligence and police work. That money would be much better spent, he says, than making sure security screeners confiscate corkscrews or any other particular item from passengers.

"Airport security only works against the sloppy and the stupid," he contends. "We can't keep weapons out of prisons; we can't hope to keep them out of airports or subways."

Taken to its logical end, Schneier's alternative security recipe of better policing could seem to be a call for stronger surveillance or data mining. But Schneier - a member of the American Civil Liberties Union - says he opposes many such tactics not so much on privacy grounds but because they're bad security.

How so? Because snooping through vast storehouses of personal records in search of clues to terrorist activity invariably turns up too many wrong leads to be cost-effective, he argues. These methods can sniff out the predictable crime of credit card fraud, for example, but terrorism is much rarer, he notes.

This being Bruce Schneier, he's quick to illustrate this lesson. Having lunch in a hip bistro, Schneier points out that the restaurant serves food even before the patrons pay. It would seem to be bad security - people might walk out on the bill. Yet the practice makes social sense.

"People are inherently good," Schneier says. "Otherwise, society would fall apart."

To some ears, Schneier's analyses are too simplistic.

"I regard his views, frankly, as dangerous," says Clark Kent Ervin, a former Department of Homeland Security inspector general who argues that incompetence at the agency has left gaping security holes.

He says Schneier erroneously claims "the threat is exaggerated and we're overreacting."

"Some people (including policymakers) take this view seriously and, therefore, are deluded into thinking that we're safer than we are," says Ervin, director of the homeland security program at the Aspen Institute. "His writings can be used as an excuse by DHS and its supporters for DHS' not having done more."

Although his career began at the Department of Defense - he won't say what he did there - Schneier is used to challenging prevailing ideas in government. In the 1990s, he objected to Clinton administration attempts to stifle the spread of encryption, the science of obscuring data to keep it secret. Schneier stressed then that computer cryptography was of huge economic value because of the security it gave companies and people against intruders.

But Schneier soon saw that those claims were overstated.

While encryption has its place - it is what secures Web-based banking and shopping - Schneier realized that too often it was deployed in silly ways. For example, some companies let employees unlock encrypted files with simple passwords, which often ended up being easy to steal or guess.

In other words, all the technical sophistication in the world can lock data from prying eyes, but if people leave the keys in the open, not much security results.

Since then, Schneier has been on his mission to explain that security is a complex system unlikely to be saved by technology alone.

Some commentary seems to emanate from him almost daily, on top of his duties as chief technical officer for Counterpane Internet Security Inc., a network monitoring company he co-founded. He and his wife, Karen Cooper, also find time to contribute restaurant reviews to the Star Tribune of Minneapolis.

Schneier has repeatedly said "we are one attack away from a police state," and says such a civil-liberties crackdown would be even more likely under a Democratic administration. That is from the same school of thought that only an ardent anticommunist like Richard Nixon could get away with engaging with Red China in the 1970s.

But beneath Schneier's someday-I'll-say-I-told-you-so realism is a streak of optimism. He fully expects to change people's minds about the need for cost-effectiveness rather than showmanship in security.

"Eventually we will all come to our senses about security," he says. "I think it's 10 to 20 years. A generation."

A skeptic demurs. Isn't it an insoluble aspect of human nature to be greatly governed by our fears, even when we know they're irrational? Most people know driving is more dangerous than flying, but few of us grip the armrests when a car pulls out of the garage.

"That is what reason is about. That's the beauty of being human," Schneier responds. Being afraid of something and doing it anyway, he contends, "that's what courage actually is."

---

On the Net:

Schneier's blog: http://www.schneier.com/blog

A tongue-in-cheek geek tribute to Schneier:

http://geekz.co.uk/schneierfacts

