Schneier: Make Wide-Scale Surveillance Too Expensive

Lessons from NSA revelations hit at heart of the "fundamental issue of the information age," says Bruce Schneier

By Ericka Chickowski
Dark Reading
November 6, 2013

Other articles about the IETF plenary session appeared in MIT Technology Review, Intellectual Property Watch, and The Economist, and Help Net Security.

As custodians of the Internet mull over the lessons that revelations about National Security Agency (NSA) surveillance offer about the insecurity of the Internet's infrastructure, architects must find ways to make wholesale spying more expensive. So said noted cryptographer and security evangelist Bruce Schneier in a talk today about Internet hardening at the Internet Engineering Task Force (IETF) plenary session.

"There are a lot of technical things we can do. The goal is to make eavesdropping expensive," Schneier said. "That's the way to think about this, is to force the NSA to abandon wholesale collection in favor of targeted collection of information." As things stand now, the NSA's surveillance efforts are aided and abetted by the information economy as it stands today, he explained. With data being collected about consumers at every step of their movement online and very little of it being purged from corporate systems, it is only a matter of time that someone puts that data to use.

"This is not a question of malice in anybody's heart, this is the way computers work. So what you're ending up with is basically a public-private surveillance partnership," he says. "NSA surveillance largely piggybacks on corporate capabilities—through cooperation, through bribery, through threats and through compulsion. Fundamentally, surveillance is the business model of the Internet. The NSA didn't wake up and say let's just spy on everybody. They looked up and said, 'Wow, corporations are spying on everybody. Let's get ourselves a cut.'"

According to Schneier, groups like IETF need to find a way to get everyone to understand that a secure Internet is in everybody's best interest. And beyond the political and legal solutions to the problems, technologists must find ways to make it more onerous for wide-scale surveillance to be carried out.

This starts first with ubiquitous encryption on the Internet backbone, Schneier said, along with useable application layer encryption. Additionally, thought needs to put into target dispersal.

"We were safer when our email was at 10,000 ISPs than it was at 10," he said. "It makes it easier for the NSA and others to collect. So anything to disperse targets makes sense."

Additionally, increasing use of endpoint security products and better integrated anonymity tools can help thwart widespread spying. Finally, security and technology assurance needs to be fixed, so that back doors aren't left behind for any one person or group to take advantage.

"This is a hard one, but it's an important one," he said. "We need some way to guarantee, to determine, and to have some confidence that the software we have does what it's supposed to do and nothing else."

Additionally, people need to understand that while the NSA is in the limelight at the moment, it is a symptom of a much bigger disease. Not only is the NSA not the only government agency across the world to engage in these behaviors, but so too are private organizations to some extent.

"This is a fundamental problem of data-sharing and of surveillance as a business model. This is about the benefits of big data versus the individual risks of big data," he said. "When you look at behavioral data of advertising, of health data of education data, of movement data, the question becomes how do we design systems that benefit society as a whole while protecting people individual. I believe this is the fundamental issue of the information age."

earlier story: Former DHS/NSA Official Attacks Bruce Schneier With Bizarre, Factually Incorrect, Nonsensical Rant
later story: Security Expert Seeks to Make Surveillance Costly Again
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..