Net Value: Combat Cyber Threats
One of the meetings held in conjunction with the recent World Congress on Information Technology (WCIT) 2008 in Kuala Lumpur was the Infosec.my information security conference and the International Multilateral Partnership Against Cyber Terrorism (IMPACT) World Cyber Security Summit. While the thought of combating cyber terrorism is exciting, Bruce Schneier, founder and chief technical officer of BT Counterpane, thinks the term “cyber terrorism” is misleading and its usage cheapens the meaning of terrorism.
“Cyber terrorism is a myth,” he says. “We all know what terrorism is; it involves innocent people being killed in a very public way, in an attempt to cause terror in the greater population.”
However, Schneier does believe very much in cyber threats and thinks governments should do more, such as cooperating to use their collective bargaining power to demand more security from software vendors. While email@example.com was unable to catch up with Schneier, we managed to conduct an e-mail interview with him.
firstname.lastname@example.org : The cyber-crime war on Internet civilians — who is winning?
Schneier: People like to toss around terms like ‘cyber war’, ‘cyber terrorism’ and ‘cyber crime’ without really thinking about their meanings. Now, we have ‘the cyber-crime war’, which mixes crime and war in some mysterious way. Let’s split the terms. First, there is no cyber war at the moment. No country has declared war. No country is attacking another country militarily (in that way). There is no war, so there is no cyber war. Of course, there is cyber crime. Crime has existed since the beginning of society, and isn’t going anywhere anytime soon. Of course, when you realise that cyber crime is just crime in cyberspace, the question of ‘who is winning?’ makes no sense. There’s no winning or losing; there are just increasing and decreasing crime rates. Right now, international cyber crime is increasing, it’s becoming more common, more serious, and more professional, but the Internet is still a safe place for most of us to conduct business and social interactions.
Do you subscribe to the notion of cyber terrorism and if so, what is your definition of it? Can and should it be classified differently from cyber crime?
Cyber terrorism is largely a media myth. Again, it’s the muddling of the various terms without really thinking about their differences. Someone recently told me that the ‘T’ is going to change from ‘Terrorism’ to ‘Threats’, which makes a big difference. We need a lot of international cooperation to deal with cyber threats, because so many of them are international.
What is your view of strategic activities such as intelligence gathering, some of which are carried out using similar techniques as cyber criminals. Is that something that should be considered illegal or even classified as cyber terrorism?
Of course, it shouldn’t be classified as cyber terrorism. These days, people like to call anything they don’t like ‘terrorism’, but that just makes the word meaningless. We all know what terrorism is; it involves innocent people being killed in a very public way, in an attempt to cause terror in the greater population. When someone gathers information, he is not committing an act of terrorism, he is gathering information. This may or may not be a crime, depending on whether the person breaks any laws to gather that information.
What policies and regulations do you think countries can and should look at implementing, both nationally and internationally, so as to further the cause of network security?
Governments can do several important things. First, they should fund security research in government and university laboratories. Lots of important results come out of security research, and we need more of it. Second, they should use their buying power to encourage vendors to make their products more secure. This is a big one; if a consortium of countries demands a particular security feature from a vendor, that vendor will implement that feature and all its customers will benefit. And third, to mandate strong security through regulation. And here I mean smart regulation that dictates results and not methods. A free market is the best vehicle for coming up with creative solutions to problems, but it needs direction as to what problems to try to solve. Regulation provides that direction.
Do you see a need for open standards to be developed for security software much like how the telecommunication industry has developed inter-operability standards for its equipment and do you think such a move will benefit the industry and consumers?
Open standards help everyone, except the vendors that use closed standards to increase their market share. They benefit consumers, and ultimately they benefit the industry. There’s a myth in security that secrecy is somehow a benefit. It isn’t, secrecy is used more often to hide bad security than anything else.
How would you grade the open source software community in terms of how they have approached security?
It’s too broad a question. There are open source software packages that have approached security well, and there are open source software packages that have approached security poorly. Open source doesn’t magically mean more secure; it only means there is a greater potential for people to examine the code and fix any vulnerabilities found.
What is your opinion on ethical disclosure of software vulnerabilities? Does a person who discovers such a vulnerability have a right to profit from it?
The ethics of vulnerability disclosure is complicated, but the ethics of vulnerability research are not. We are all better off because people engage in vulnerability research. Of course, I prefer if these vulnerabilities are disclosed to the vendors first, and are not auctioned off in the black market to spammers and identity thieves. But the alternative, where no one is allowed to engage in vulnerability research and our systems are rife with exploitable vulnerabilities, is much worse.