Living in an Insecure World

By John C. Tanner
Telecom Asia
September 8, 2008

It's been ten years since Bruce Schneier - founder of security monitoring firm Counterpane Internet Security - launched  his newsletter, Crypto-Gram, which expanded from covering computer security issues to a broader investigation into security issues of all sorts. Now Counterpane belongs to BT, where Schneier is chief security technology officer, and as he tells global technology editor John C Tanner security is still a hard sell

Telecom Asia: Your background is computer security and cryptography - how did you end up applying that knowledge into the world at large?

Schneier: I think it's just what happens when I start looking at something. I start looking at the bigger picture. The first sort of major milestone was the post 9/11 issue. I just couldn't stop writing, and that's how I processed what happened.

It seems you're better known now for your writings on security than for the company you founded, Counterpane. For those who don't know, what did Counterpane do before it was bought by BT, and what's its status now?

Counterpane is part of BT professional services in BT Americas, though it's selling worldwide. And it's still doing what it was doing, and the core is real-time security monitoring. The idea is that there are lots of security products out there, but if you're not watching them, they don't do any good. So that's always been what it was, and then there's a whole suite of services built around security monitoring.

There's all sorts of management, device management, configuration help, but all built around real-time monitoring. That's a critical piece BT needed, and we started working together, and then they decided to just to buy us. The other thing we get out of it is that BT also bought INS. So this amalgamated group is the INS security consulting services and our managed security services.

How would you differentiate that from the other managed security services out there?

There really aren't. I mean, name three.

Well, all of BT's competitors have some sort of managed security services.

Well yeah, but "some sort" of managed security service is what it is. Everyone says they do managed services, but real-time security monitoring, you don't see that. So I don't see a lot of competitors.

Do you still find you have to manage customer expectations on security? I ask because BT recently released a survey showing that enterprises still take a tick-box approach to security and think they're more secure than they were ten years ago.

Sure, and I want to get out of that game entirely, where the only reason you buy security is because things you buy suck. No one ever wants to buy security. You want to buy something you want, and if it isn't good you're stuck buying security. And that's the way the computing industry has been because the outbreaks of computer viruses are so bad you have to buy security separately. But if we sell things people actually want, actually sell functionality as opposed to what we do which is preventing functionality, then it's a way easier game, I'm much happier in there.

But yes, you're right, there's a whole lot of under-spending in security because people treat it as a checkbox. You go to your house and say "Well I bought a door lock: check! Alright kids, you're safe!" It's silly when I say it that way, but that's the way people think.

It's ironic that people are more aware of the need for good network security, but habits don't change, and even when they do, the systems they have to secure are getting more complex, which just makes it harder.

This is the difficulty of selling security, and it's interesting - I didn't realize this until a month ago, but prospect theory explains why security is hard to sell.

What's prospect theory?

It's behavioral economics. Basically it explains how people react to risk, and the moral is, we are risk adverse when it comes to gains, and risk seeking when it comes to losses. Most people will take a sure small gain rather than take a risk for a greater gain, but will risk a greater loss than accept a sure smaller loss. As a species, that's the way our brains are wired. Knowing that, when you sell security, you're selling a negative, and that's hard because we're more likely to take the chance than spend the money to make the risk go away.

You've written about how it's getting harder for people to evaluate security products because there are so many of them making all sorts of claims. What are some tips to help customers navigate that maze?

I don't think there are any tips. It's like asking tips on buying safety features for your car - there aren't any. You buy a car with safety features built in. Or come to BT and say, "We want this service and you better make it secure," and then stop caring how. Put it in your contract, and if it's not secure you don't pay them.

We have to get away from the reality of the customer having to do the engineering. Do I have to pay attention to building safety when I have a light fixture installed? No, the electrician does that.

That's the problem with Counterpane - it's at a point where the buyers aren't capable of buying what the sellers are selling. Well that's okay, we just need different buyers now. We need intermediaries between the end-user and the seller, and that's going to be all these VARs, system integrators and consultancies.

On the other hand, customers rely on vendors like Microsoft to engineer the security for them, and they're constantly issuing patches after the fact.

Yes, but if you can sue them if they don't do security right, then you can rely on that. The reason Microsoft gets away with selling crap is you can't do anything if they do. There's no recourse, so why would they make it better? But if you have the right contract, it's going to be done well. The problem is going to be getting there. I mean, I'm describing a future that's not here yet. And getting there is going to be ugly, as it is right now. But that's where you have to end up.

That's an example of letting the market hold companies accountable for security, but you've also advocated legislation for things like data theft and data loss. How can legislation help where the market can't?

The problem with identity theft or data theft is that society hasn't figured out who should be protecting the data. I don't know about in China, but basically, the problem in the US is that data is owned by the collector, not by the person who it is about. That is a big mistake. When a data broker gets my personal data, it is theirs; they can do whatever they want with it. They can protect it or not, or give it away or publish it, and I can't do anything about it.

Data should be owned by the person whom it's about. But it's not, and you think that the person who has it should be protecting it, but the market fails because if they lose the data, you suffer the loss. So the market won't make that work. You need some other mechanism, like liabilities and regulations.

Take identity theft. With identity theft, there are two ways to solve the problem: you make identity information harder to steal, or you make it harder to use it once it's stolen. Making it harder to steal is a waste of time, so make it harder to use.

One of the consistent themes in your writings has been to focus on threats, not specific tactics. How can companies develop a security framework that does this?

Well, you figure out what the threat is. Phishing is just a tactic. The crime is fraudulent impersonation, and if you stop one tactic you'll get another. In terrorism, if the tactic is using airplanes as bombs, you can defend against that, which works if you happen to guess right what the bad guys are going to do next. Defending the Super Bowl only works if they're going to attack the Super Bowl. If they're not, you just wasted all your money. But investigating the terror group is valuable regardless of what they're doing.

So it's stuff like that - figuring out where you can get the most leverage for your defense. It often means really looking at who the attacker is and what his goal is. For fraud and any theft, stop worrying about identity and worry about the security of the transaction, because no matter how the attacker gets into the system, the thing they have in common is that they make a fraudulent transaction.

As networks get more complex, security gets harder, and humans being error-prone, technology can only do so much. Ultimately, how optimistic are you in the end that these problems will get sorted out?

Extremely optimistic. We'll always be reactive, so you can never get ahead of the threats. If you play that game, you'll lose. But the internet is pretty safe. I mean yes there is always fraud and there's always crime and there's always hacks, but overall we do pretty well.

Look at our society. We've been around a few thousand years, and we still can't prevent murder and burglary. We live in an insecure world, and we do okay. Society is resilient, and we're used to living in a world where threats exist. In the US, we've decided that we can live with 42,000 automobile deaths a year. We don't say it that way, but it's true. If we didn't like it, we'd lower the speed limits, lower alcohol limits, put in third-generation airbags or whatever. The same thing happens for all threats, and life goes on.

earlier story: Net Value: Combat Cyber Threats
later story: Security Is a State of Mind
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..