Perspectives from the Field: Bruce Schneier, Encryption Expert

By Joab Jackson
Washington Technology
March 24, 2003

Bruce Schneier contends that the strongest security systems benefit from redundancy and variety. And as the Homeland Security Department consolidates a number of different agencies, Schneier warns that entrusting a centralized authority with securing the nation may make the country less, rather than more, secure.

Few in the field of information technology security have more expertise and industry respect than Schneier. Not only is he the author of "Applied Cryptography," one of the seminal textbooks on encryption, but his Two fish encryption algorithm was a finalist far the National Institute of Standards and Technology's new Federal Advanced Encryption Standard. He is also founder and chief technical officer of managed security service provider Counterpane Internet Security Inc., Cupertino, Calif., and publishes his own Crypto-Gram newsletter (http://www.counterpane .com/crypto-gram.html). Schneier Spoke with Staff Writer Joab Jackson to discuss how best to secure the nation's IT and physical infrastructures.

WT: Why is the Homeland Security Department's plan to centralize our nation's security a move in the wrong direction?

Schneier: Centralizing security responsibilities has the downside of making our security more brittle by instituting a commonality of approach and a uniformity of thinking Unless the new department distributes security responsibility even as it centralizes coordination, it won't improve our nation's security.

WT: What do you mean by "brittle?"

Schneier: Brittleness refers to the way a system fails. Microsoft Windows is a brittle system. A small insecurity breaks the entire system, and often the entire network. The credit-card system is resilient. It can tolerate all sorts of insecurities and still work profitably.

WT: What should Homeland Security Secretary Tom Ridge keep in mind when standing up the department?

Schneier: Security decisions need to be made as close to the problem as possible. Protecting potential terrorist targets should be done by people who understand the targets. This mode of operation has more opportunities for abuse, so competent oversight is vital. But it is also more robust and is the best way to make security work.

Also, security analysis needs to happen as far away from the sources as possible. Intelligence involves finding relevant information amongst enormous reams of irrelevant data, and then organizing all those disparate pieces of information into coherent predictions. It can't be the sole purview of anyone, not the FBI, CIA, National Security Agency or the Homeland Security Department. The whole picture is larger than any single agency, and each only has access to a small slice of it.

WT: The government is moving toward enterprise architecture to streamline systems and eliminate redundancy. Wouldn't a distributed approach be more cost-effective?

Schneier: Yes. Security is an expense. Less security is cheaper than more security. This is why we need to evaluate the tradeoffs before making may security decision.

WT: Won't a distributed form of security result in more variance in the quality of security?

Schneier: Of course. All large bureaucracies will result in boondoggles. That's part of the price you have to pay.

WT: Overall, what do you think about the state of the art in IT security?

Schneier: It doesn't matter how good or bad the tools are. The problems in IT security are not about technology, they're about using technology.

We have all the tools necessary to secure the Internet. We just can't convince software developers to embed them in their products, and we can't convince users to install, configure and properly use them.

WT: Do you use a distributed approach with your own clients at Counterpane? If so, how?

Schneier: Counterpane's monitoring system has been built for redundancy from the ground up. We have multiple monitoring centers, multiple people, multiple networks, multiple systems. But more importantly, monitoring provides resilient security within a network. Vulnerabilities are inevitable, and no matter how hard you try, your network is going to be riddled with security holes.

But if you have enough pressure plates, electric eyes and motion sensors in your home, you're going to catch the burglar, regardless of how he breaks in. If you're monitoring your network at enough points, you're going to catch the intruder, regardless of which vulnerability he uses to break in.

WT: Is it valid to compare physical security with IT-related security? Aren't there fundamental differences?

Schneier: Definitely. There's the notion of a class break: A burglar can break into a home, while a hacker can develop a tool that can break into millions of computers. There's automation: A burglar has to break into each home individually, while a hacker can write a tool that breaks into millions of computers automatically. There's action at a distance: A burglar needs to drive to your house in order to break in, while a hacker can do it from half way around the planet. And there's technique propagation: A burglar needs to learn how to break into houses, while a hacker can use automatic tools written by someone else.

earlier story: Three Minutes With Security Expert Bruce Schneier
later story: Author Q&A: Bruce vs. Bruce
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..