RSA 2012: Three Greatest (And Surprising) Internet Security Dangers

By Antone Gonsalves
CRN
February 29, 2012

Cybercriminals are not the greatest threat to Internet security. It's the many forces trying to bend the world's computer network to fit their interests.

That's according to Bruce Schneier, a renowned security technologist and author of several books, including "Applied Cryptography." Schneier told attendees Tuesday at the RSA Conference that the three greatest dangers are Big Data companies, poorly thought-out government regulations, and the cyberwar arms race.

These threats foster instability through those lobbying for changes that further their self-interests, instead of what's better universally, Schneier said. "The security community doesn't have a lobby, common sense doesn't have a lobby and technical excellence doesn't have a lobby."

Schneier defined Big Data companies as those that collect massive amounts of data from people, including photos, documents, video, search and buying patterns, and much more. Companies such as Google, Facebook, Apple and Amazon collect the data to become more valuable to advertisers or to sell products.

Security issues stem from the loss of control, or what Schneier called "feudal security," where people depend on a large organization to protect their private information. At the same time, the lobbying efforts of these companies have mostly led to a "hands-off policy" in the U.S. by government regulators, placing consumers at a disadvantage when it comes to data control.

Poorly written laws affecting security are coming from politicians siding with the law enforcement lobby that is using the Internet to catch criminals. For example, technological changes that allow eavesdropping by police diminish privacy and do not necessarily make the Internet more secure for everyone else.

"Our security won't be improved if Skype redesigns itself, so [encrypted communications] is in clear text somewhere in the middle or if there's an FBI access key being passed around," Schneier said.

Other debates in government include the ordering of an Internet "kill switch" that the president could use to protect the nation against a cyberthreat. Such a switch was used in Egypt to quell dissent that led to the fall of President Hosni Mubarak.

"Once I put that capability in, now I have to ensure that only the president can push the button," Schneier said. "I don't trust my ability to ensure that."

The third threat is the technological arms race brought on by the hype around cyberwars. The U.S., China, Russia and the U.K. are preparing for such a possibility with defensive and offensive technologies.

The defensive capabilities likely will lead to government taking over "something somewhere," while the offensive approach is driving the acquisition of cyberweaponry, Schneier said.

"Just like the Cold War, I think we are in the early years of a cyberwar arms race," he said. "We are stockpiling cyberweapons because we fear that everybody else is and we don't want to be left behind."

As a result, Schneier expects more government and military control and involvement in standards and, therefore, "less stability for all of us."

"I think there's going to be a lot more secrecy," Schneier said. "One of the effects of all three of these risks is increased secrecy in the way things are done."

With so many forces battling for changes to the Internet, where does the Internet Engineering Task Force, an open international community of network designers, operators, vendors and researchers involved in the evolution of the Internet architecture, fit in?

"In the coming decade, the future of the Internet is going to be decided not by the IETF," Schneier said. "It's going to be decided more and more by people outside the IETF. And that worries me, because I'm not sure they can do a great job."
