Information is our Only Security Weapon: Bruce Schneier at Linux.conf.au
Computer security expert Bruce Schneier took a swipe at a number of sacred cows of security including RFID tags, national ID cards and public CCTV security cameras in his keynote address to Linux.conf.au this morning.
These technologies were all examples of security products tailored to provide the perception of security rather than tackling actual security risks, he said.
“Camera companies are pushing it, but all the actual data points the other way,” Schneier said. “RFID is another one — the industry pushing it is very much distorting facts.”
The discussion of public security — which has always been clouded by emotional decision making — has been railroaded by groups with vested interests such as security vendors and political groups, he said.
Public discussion which should be a security debate can be coloured by politics, he said.
“In the US, a lot of security discussions become political – my side good, your side bad. It’s very hard to say ‘I’m going to defer to the experts’ because the political sphere is so polarised there are paid experts on all sides.”
It will take a generation before US attitudes towards public security move beyond the post-September 11 climate of fear, he added.
The lesson for the computer security industry is to cater to real security issues while also considering the impact which fear and other emotions have on individual and organisational decision making.
Historically, the computing industry is littered with good products which failed to gain market traction over less secure solutions, he said, pointing to the firewall market as one example.
Schneier noted that despite the well known impact of emotional and psychological thinking on security decisions, information remains the greatest weapon that we have in creating good security solutions.
The best security solution will fail if it doesn’t cater to both the reality and perceptions to do with security, Schneier warned.
“For most of my career I would insult “security theatre” and “snake oil” for being dumb. In fact, they’re not dumb. As security designers we need to address both the feeling and the reality of security. We can’t ignore one.
“It’s not enough to make someone secure, that person needs to also realise they’ve been made secure. If no-one realises it, no-one’s going to buy it,” Schneier said.
The goal must be to get the reality and perception matching up — so that security solutions aren’t lulling users into a false sense of security, or letting them exist in an unnecessary climate of fear.
“How do you stop the stupid stuff from outweighing the reality? The way to get people to notice that reality and feeling haven’t converged is information. Information is the best weapon we have.”
In the IT industry, this information is a scarce resource, he said.
“In IT there isn’t a lot of data. Our bosses ask us for it all the time. We don’t have the data because people don’t report or they don’t know they’ve been attacked.
“If there’s enough information out there, you get a natural convergence between feeling and reality. In the business world, information is how the problem fixes itself,” he said.