Data Guru Says Secret to Security Is to Focus on People

By Karlin Lillington
The Irish Times
October 3, 2008

WHEN IT comes to security, Bruce Schneier would like people to stop worrying about what he calls "movie plot" scenarios. Exploding aircraft, attacks on landmark buildings, the whole category of "cyberterrorism" all rankle with Schneier, who thinks the ultimate security risk is "people."

He may not be a household name, but he is quite possibly the most namechecked security expert in the world among technologists - and science fiction fans.

Schneier, who with ponytail and greying beard looks pleasingly like an eminent cryptologist should look, created two of the best-known security algorithms, nicknamed Blowfish and Twofish, and wrote Applied Cryptography, the bible of the digital security industry. The Economist hails him as "a security guru." He is even mentioned in The Da Vinci Code.

But many probably know him as the brains behind Solitaire, the secret code based on a deck of cards featured prominently in the second World War sections of Neal Stephenson's epic novel Cryptonomicon (Schneier wrote an appendix to the book).

"He needed a code, so I designed Solitaire," says Schneier.

BT this week brought him to Dublin to talk to a variety of groups about "human psychology and decision making and the economics of security." BT acquired Schneier's security company Counterpane Internet Security two years ago.

The challenge with Cryptonomicon, he says, was coming up with a code based on something readily available in the 1940s. A pack of cards did the trick nicely: "54 factorial is pretty good," he quips.

Anyone who reads his Crypto-gram blog and monthly newsletter (www.schneier.com/crypto-gram.html) won't be surprised that his interests stretch from debunking what he considers the pointless security of airport checkpoints to considering the vagaries of human behaviour to analysing playing-card algorithms.

He is fresh from a World Economic Forum meeting in China, where he hopes he might have convinced some global leaders to reconsider the received thinking on terrorism.

"People think human threats are greater than natural threats - bin Laden versus earthquakes." Far more people die annually in natural disasters - or monthly in car crashes - than in terrorist attacks, he argues.

Yet billions of dollars go towards upping security provisions that make air travel tiresome for travellers instead of the counter-intelligence that actually apprehends criminals and terrorists, he says.

He is dismissive of the notion that terrorists are waiting to launch online attacks on national infrastructure - cyberterrorism - which he calls "a complete media invention", a scenario that sounds exciting but is, like most imagined terrorist attacks, unlikely.

"We underestimate the risk of crime, and overestimate the risk of terrorism," he says.

He thinks we also spend a lot of money building technology fortresses around data when the weakest links are people - who let criminals into buildings, reveal passwords and lose laptops. Hence his argument that organisations need to do a risk assessment to figure out how much and what type of security is appropriate.

Not letting people into a building is better security much of the time than investing in numerous costly software programmes, he has argued.

We also underestimate the value of privacy and the need to protect our personal data, he believes.

A long-time adviser to the Electronic Privacy Information Center, a Washington DC privacy advocacy group, Schneier says that "data is the pollution problem of the internet - how you dispose of it safely . . . We are in the very formative years of the internet and we've got to get this right - it really matters that we don't get this wrong."

He is aware of the Irish Government's data retention laws that give citizens few protections and place few restrictions on Garda access to three years of phone call data, and winces when discussing them. The problem, he notes, is that "as soon as you have data, you have risk." Store it for years, and you have even more risk.

Creating massive databases to address crime and terrorism is the kind of sloppy security thinking that makes him write more mainstream books such as Secrets and Lies, on computer and network security, and Beyond Fear, on security, terrorism and crime. A new book that collects together six years of his essays, Schneier on Security, was launched on Monday.

Even though his business is the technology of security, he likes writing and talking about the human elements behind crime, terrorism and security. "My goal is to always get people to think differently," he says. "It's more interesting than explaining the hot new firewall technologies."

Photo of Bruce Schneier by Per Ervland.