Schneier: Government, Big Data Pose Bigger 'Net Threat than Criminals
As Bruce Schneier spent the past decade watching the growing rash of phishers, malware attacks, and identity theft, a new Internet threat has emerged that poses even greater risks, the security expert said.
Unlike the security risks posed by criminals, the threat from government regulation and data hoarders such as Apple and Google are more insidious because they threaten to alter the fabric of the Internet itself. They’re also different from traditional Internet threats because the perpetrators are shielded in a cloak of legitimacy. As a result, many people don’t recognize that their personal information or fortunes are more susceptible to these new forces than they ever were to the Russian Business Network or other Internet gangsters.
“Taken as a whole, there’s a lot of things going on that affect our industry from outside our industry,” Schneier, who is the author of five security books, said during a Wednesday keynote at the 24th General Meeting of the Messaging Anti-Abuse Working Group. “These are things that might be imposed on us. More capability, more usability, less control.”
The first of three pillars propping up this outside threat are big data collectors, which in addition to Apple and Google, Schneier identified as Amazon and Facebook. (Notice Microsoft didn’t make the cut.) The goal of their data collection is for marketers to be able to make snap decisions about the product tastes, credit worthiness, and employment suitability of millions of people. Often, this information is fed into systems maintained by governments.
Schneier didn’t discuss the effect this unprecedented level of data scavenging has on individual privacy. Instead, he focused on how it ties the hands of people working at ISPs and software companies who work to secure their customers’ personal information.
“We in security face enormous threats here because there are things we might want to do that we won’t be able to do,” he told about 400 people attending the three-day San Francisco conference. “You could see a law that limits what we can do about cookie deletion.” Laws that require smartphones or other devices to be equipped with unique identifiers aren’t a stretch, either, he said.
Schneier said the threat is often obfuscated by the tremendous technical advances the big data players have offered. Google mail is a safer alternative for average users because there’s almost no chance they’ll ever lose a message. Apple’s iPhone is wildly popular because it’s easy to use and to date has proved largely impervious to real-world malware attacks. But behind the security and reliability, there are threats many don’t consider.
“I can’t find a program that will erase the data on this thing to a reasonable assurance without jailbreaking it,” he said, holding up his iPhone. “For me that’s bad.”
The age of feudal security
He called the new model “feudal security” in which Kindle Fire owners trust their security to Amazon, iPhone users trust their Apple, and so on. As a result, the devices no longer come with general-purpose capabilities. Open environments are increasingly being replaced with closed systems that are designed to give users less control.
In addition to the threat from big data — which Schneier coined “the risks of Layer 8 and Layer 9 attacks” — he said Internet users are being harmed by the surge in government attempts to redesign Internet infrastructure. As more and more of the world goes online, it’s a given more crime will follow, he said. As a result, laws such as the 1994 Communications Assistance for Law Enforcement Act — which mandated telecom companies redesign switches and other gears so law enforcement agents could tap them — are slowly being extended to Internet technologies, possibly such as Skype and Hushmail.
Another example is a push among governments in Europe to require ISPs to store logs of user activity for 12 months or longer in case the information is needed in an investigation.
“Here, we have an example of government coming in an effort they believe will make us all safer,” he said. “I look at it and say it’s much less safe because once you have that data you’re going to have to secure it. And the securest thing you can do is to delete it. So again we’re seeing people who are not Internet security people trying to push a security policy.”
The third force of this outside, nontechnical threat is posed by a “cyberwar” arms race, in which countries around the planet develop weapons such as the Stuxnet worm, case each other’s networks, and possibly even plant backdoors in case they’re needed during a time of war.
“We’re now living in a world where nations are stockpiling cyber weapons,” he said. “The military industrial complex is alive and well and quite happy to spend lots of money on cyber weapons and cyberwar and cyber defense. This feels incredibly destabilizing to me. I’m not convinced these things couldn’t go off by accident “
Schneier’s hour-long talk barely touched on his newest book, Liars and Outliers: Enabling the Trust that Society Needs to Thrive, which was published earlier this month. He said Wednesday’s talk was a preview of one he’s scheduled to give next Tuesday at the RSA security conference.