Security Vision: Bruce Schneier
Tech entrepreneur Bruce Schneier is one of America's best-known computer security experts. His testimony before Congress helped defeat legal restrictions on cryptography sought by the FBI and the National Security Agency when an appellate court ruled in 1999 that crypto algorithms were a form of speech covered by the First Amendment.
Schneier co-founded security services company Counterpane Internet Security, where he serves as chief technologist. Arguing that constant vigilance, not technology, is the best defense against computer break-ins, Schneier believes security breaches are nonetheless fated to increase as networking systems become more complex.
What's going to be different about the state of Internet and network security three years from now?
I think we're finally past the era where people believe in magic security dust, that all they need to do is buy the right set of products and their network will be imbued with the property of "secure." Security is a process. It's a journey.
Will security breaches become fewer or more frequent?
They will increase. As more of our infrastructure moves online, as more things that someone might want to access or steal move online, there will be more security breaches. As our networking systems become more complex, there will be more security breaches. As our computers get more powerful and more useful, there will be more security breaches. Everything about computer networks points to more security breaches in the future.
Will security firms come up with the secret weapon that turns the tables on cyberintruders, thus banishing illegal hacks to memory?
If only it were possible...There are no secret weapons; there never will be. People have this recurring fantasy that technology will someday magically make them secure. A few months ago someone asked me: 'When will we be able to prevent computer hacking?' I thought about it and responded with another question: 'We've been a civilization for 4,000 years; when are we going to prevent murder?' The answer is that we're not. There's nothing I can sell you--there's no product on the drawing board--that will prevent murder. Cyberspace is no different. The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks.
In a recent Crypto-Gram, you say the federal cybersecurity plan is nothing but a paper tiger and that the government needs to step in with legislation. What kind of regulation is needed?
Laws can be both good and bad. If the law is "companies are liable for their actions," that would be good. If the law is "companies are required to use SecureProduct 2.0," that would be bad. I don't think that "law" necessarily means "regulation." It could just as easily mean "free market."
I would like the software industry to be just as liable for the effects of their products as any other industry. If Firestone makes a tire with a systemic flaw, it is liable. If Microsoft produces an operating system with three systemic flaws per week, it is not liable. Something is wrong there.
In the absence of such measures, are we headed for a devastating attack on the Internet or other computer networks in the near future? By devastating, I mean one that wreaks havoc, such as the shutdown of airports or businesses.
I'm not convinced that your two examples count as devastating. Weather shuts down airports and businesses all the time, and they survive. So, yes, there will be lots of attacks that cause all sorts of problems. But the "devastation" will be less than the government likes to paint.
If cyberterrorism is not a big risk, as you stated in another Crypto-Gram, then what is really at stake?
Crime. Mostly the same kinds of crime you see in the real world: fraud, theft and so on.
Why should people be worried about Internet security?
Because their privacy and financial security may be compromised. Terrorism is so rare in the United States, so why should people be worried about home security? There are lots of other attackers. Remember, even after Sept. 11 the odds of dying in a terrorist attack are still so close to zero as to make them not worth worrying about. But everyone you know knows someone who died in an automobile accident.
Do you think the first cyberwar between nations will be fought in this decade?
It depends on what you mean. Already we've had wars that have a cyber component. If you mean a war that is fought only in cyberspace, I don't think that will happen in this century.
What is the biggest wild card in Internet security? What is the aspect or element that is hardest to control or predict?
Should people be licensed to use the Internet, like people are licensed to drive a car?
Of course not. That's idiotic. Should people be licensed to have children?
Is network security too complex for small companies, or even large ones, to handle on their own?
Yes. It always has been. Almost every firewall out there is configured wrong, most of them so badly as to be useless to stop attackers. Almost every network has hundreds of vulnerabilities that render it Swiss cheese to attackers. Companies don't have the time or the expertise. But that's the way modern society works. People don't have the time or the expertise to be their own doctors. Instead, they outsource. People don't have the time or expertise to be their own criminal investigative unit, to build their own house, or to fix their own car. We outsource because we have a common problem and need to share in a common solution. Network security is no different.