The Insider

By Stefan Hammond
Computerworld
February 12, 2008

Bruce Schneier, founder and CTO of Counterpane, outlines the cybercrime landscape enterprises face today. He explains to CWHK's Stefan Hammond that insiders are a problem, managed security services are a solution, and a determined crew with a chainsaw and a truck is a big problem.

CWHK: Computer security never seems to get better, only worse. Why?

Bruce Schneier: Because security is fundamentally not a technology problem--it's a people problem. And while the technology continues to improve, increasing complexity makes the problem worse.

It's war. But it's much more interesting, and it's always pervasive.

CWHK: It used to be "script-kiddies" writing goofy viruses, but it's more dangerous nowadays.

BS: Starting about five years ago, hacking shifted from a hobbyist activity to a criminal professional activity. We see that in the structure of current viruses and worms, and in the rise of spam, identity theft and fraud. Current threats represent criminal pursuit--it is a for-profit venture. And criminals are far more dangerous than hackers.

They are also far more professional. Large-scale cybercrime is difficult. Stealing the money is only the first step. Then you have to move the money into a dummy account, probably offshore, and then convert it into something you can withdraw and use. So there's an entire financial back-end that has to be built in order to make this work.

So this crime is moving upmarket. We're seeing organized-crime gangs using identity theft and other online fraud as a way to make serious money. They're mostly coming out of Russia and eastern Europe.

CWHK: Why those areas?

BS: Because of the lack of serious law enforcement. Russia/eastern Europe is the primary breeding ground for this kind of criminal activity, Asia is second. Then sub-Saharan Africa and South America. Basically, you're looking for a place with ineffective computer crime laws, bribable police forces, and no extradition treaties. So you look for places where the police aren't going to bother. After all, if you're stealing from banks outside their country, why should they bother?

CWHK: How much do you estimate is currently being stolen by cybercriminals?

BS: We have no idea. So much isn't even reported, and there are many instances where the victims don't even know they're being attacked.

CWHK: Do you see any progress in enforcement?

BS: Not really. It comes down to where the "push" is. The US government has terrorism as its highest priority, so they're pushing ID cards and focusing on airport security. Meanwhile the media industries are pushing Digital Rights Management for music and movies. No one's pushing cybercrime--it's not "sexy."

To help with enforcement, we really need good information-sharing--for example, on Interpol. We need unified laws and ways to prosecute across borders. But our fear of this terrorism is sucking up the energy that would have gone into fighting cybercrime.

CWHK: OK, but we're talking about a lot of money that's being systematically stolen.

BS: It's systematic and it could greatly affect the future of the Internet. We're not yet at the point where people are saying: "this e-commerce thing is dangerous." But it could happen. How many more basis-points do we have to lose before people start to seriously question the safety of Internet commerce, before everyone's got a story about a friend of theirs who lost a lot of money? We're at the cusp of what could be a serious crisis of confidence, and the Net's moving faster than a lot of our existing processes.

CWHK: Law enforcement tends to move slower than Net speed, but do want to catch the bad guys. What should they be doing that they're not?

BS: We need to get better at prosecuting. Security comes from deterrence, and that means higher conviction rates and better sentences. How you get those is through better crime laws, a better conviction-rate, and more savvy police. It's an economic problem; we need to raise the cost, and risk, of being a criminal.

CWHK: On an enterprise-level, what can an individual enterprise do to help "lock things down"?

BS: The same thing you do in a world where you can't trust the police: you have to do it yourself. You hire private security. On the Internet, that means buying firewalls, IDSs, and hopefully hiring Counterpane to monitor them. You have to take charge of doing your own security, because you can't rely on greater society doing it for you.

CWHK: In-house or outsourced?

BS: Either is fine. The trend now is towards outsourcing, which makes sense for many reasons. But even if it's something as simple as putting in a firewall, you can't rely on society--you must purchase security.

CWHK: We read reports of online gaming being targeted for extortion.

BS: Yes. Online gaming, online gambling, online porn: the "fringe" industries. Those are the main targets right now.

There's no publicity on this, but it is moving mainstream. It's not the biggest companies that get hit. The huge multinationals--the ones with their names on top of the buildings--they're not gonna fall for it. But the medium-sized companies are likely to write the check. It's an interesting crime-niche that we're seeing a lot more frequently now, but no one will speak on the record-victims don't want to draw attention to themselves.

CWHK: But people will pay.

BS: Oh yes, definitely. People have paid.

CWHK: But doesn't that give incentive to the criminals to go out and find new targets?

BS: It gives them the incentive to find somebody else. If you're a criminal, and I can make you attack some other party, I win. It's a classic "prisoner's dilemma" problem: individual interests are contrary to group interests.

CWHK: How does that work?

BS: The way it works is that the amount is low enough, so you pay up and the bad guys leave you alone. It's a protection racket. The incentive for governmental bodies may be to get rid of the crime, but the incentive for the company is to deflect it. If I'm a store running a security system, and a burglar attacks the store next door, that's a win. But if I'm a police department, that's a failure--I haven't reduced the crime rate. So a lot of people who succumb to the extortion are really saying to the bad guys: here's some money, go away and attack somebody else. Preferably my competitors.

To break this cycle, government needs to step in with greater deterrence measures.

CWHK: We're talking about cybersecurity, but of course physical security is part of the equation.

BS: I just blogged about an incident: somebody broke into a datacenter and stole a lot of data. And they did it with a chainsaw and a truck.

They cut a hole in the wall and stole ten servers. Of course the data was unencrypted because the servers were live online. It's probably an inside job: someone knew what to take, where the cameras were, and what wall to cut through.

CWHK: More and more, insiders are coming under scrutiny as cybercrime risks.

BS: Sure, but that's been true forever. For enterprises, the weakest link is often the insider-problem. Your people can cause havoc within your organization, so you have to hire trustworthy people, you have to minimize the amount that you trust them, and you do some education on good practices.

CWHK: Which are?

BS: Don't take work home, choose good passwords...but you must assume that's all going to fail. Do it anyway. But when the bid is due in 24 hours, all the security practices go out the window, and you're going to take your work home if you have to. And nobody will say you did wrong, even if you broke security. Because when security fights with business functionality, security loses.

CWHK: On a macro scale as well.

BS: Yes. You can't say: "I'm sorry sir, you can't have a JV with this Malaysian company, Malaysia's not cybersecure!" Your bosses will say: "Shut up, we're making millions of dollars." And they'll be right. You can't tell Amazon they can't accept orders without SSL, of course they can! The job of security is to do your best with what you have, and they're not going to win by banning Blackberrys or thumb-drives or saying "no, you can't do that."

It's hard because technology moves so fast. It moves faster than our human ability to internalize it. And once you've figured it out, it will have changed. We're getting to the point where you can't rely on people to have good intuition, because we don't have the time to develop that intuition.

CWHK: Based on IT reportage, the majority of malware seems to affect the Windows operating system. Some say it's because of market-share, others say the OS is inherently less secure. What's your opinion?

BS: The answer is: we don't know. But it's probably some of both.

Windows has made a lot of bad security choices over the decades that [Microsoft] is trying desperately to undo, and it's a slow and ugly process. Mac has made better security choices-they seem to be on a better footing.

But if you're a bad guy writing a virus, and you write it for Windows, you have ten times the potential targets. The economies of malware means you're going to target that platform. But to the user it doesn't matter--my wife has a Mac and she laughs every time there's a [Windows-based] security problem. Is it because the Mac [OS] is better, or because nobody's targeting the Mac? She doesn't care. She's safer. She's more secure.

CWHK: What do you use?

BS: I use Windows. It's been a corporate standard for years, and it's just easier to use the platform my company supports.

CWHK: What about desktop Linux?

BS: Like the Mac, it's a much less vulnerable platform--certainly a combination of [an OS that's] more secure out of the box, and far fewer people writing vulnerabilities for it.

CWHK: You established Counterpane in 1999--what was the genesis of the company?

BS: I founded it because there were a lot of security products out there that were being used badly, and the missing element was human expertise. We were always a service--we never built anything, we just made things that already existed work. Real-time security monitoring and management and a lot of services around that. We now have about 100 employees, and were acquired by BT about a year ago.

BT, in its surprising wisdom hasn't broken us. Seriously. So many acquisitions like this turn into disasters, but BT has largely left us alone. They've given us global reach, because before we were primarily operating in the US. And, compared to the kind of contracts that BT does, Counterpane's a rounding error. We're doing more business than ever with a roster of international companies that continues to impress me.

earlier story: Talking Security with Bruce Almighty
later story: Computer Security's Dubious Future
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..