Bruce Schneier: "It Is Not Prevention or Detection, It Is Response"
Coverage of this interview also appeared in International Business Times.
As well as being a renowned cryptographer, influential security expert and outspoken conference favourite, Bruce Schneier has had his share of coverage in recent months as the Prism story unfolded. He chose to leave his position as BT's security futurologist at the end of last month and has now turned his hand to incident response.
Schneier recently left BT, who acquired his company Counterpane in 2006, to join Co3 Systems as chief technology officer this month. I began by asking him what attracted him to a relatively unknown company.
He said that working for a start up is fun and something that he wanted to do, as incident response is a space that needs work. "If you go back to the definition of security being protection, detection and response, this feels like the last area that needs work, and the idea of incident response coordination and working on a response is really important and something that isn't there," he said.
I asked what he meant by this not being done yet. He said that there is a huge market for response and, while a lot of response services have emerged, there are not a lot of response products and that is what Co3 offers. "That has become important now, and two things are driving it: firstly attacks have got more sophisticated. We are seeing more targeted attacks and you need a sophisticated response; secondly the regulatory environment in the United States is much more complicated and dangerous, so there are a lot of laws you have to follow or else you risk being fined, or face lawsuits and you need to demonstrate in court that you do things properly," he said.
"So those two together shows that you cannot do ad hoc response anymore, and the problem with emergency response is that you do it in a panic. It is easy to respond in the moment and anything that will automate things, and anything that will make the coordination more effective, is really valuable."
I asked Schneier if this area is effectively a final frontier for the industry, who need to learn more about incident response? He said that, rather than being that extreme, as an industry we need to be more sophisticated as this is nothing new. "There will be a time when your response will say "call in someone else", but your thermometer doesn't replace the doctor, you know to call the doctor," he said.
"I think we started seeing this at conferences three or four years ago where we went from being told buy my thing and you'll be safe' to you're going to get hacked and you have a problem', and I thought that was very refreshing as for too long tried to throw imperfect solutions at this. So the fact that we are striving to say things like yes we know this is imperfect' is a good sign."
Looking back at the RSA attack from 2010, Schneier said that was a big deal and called the response "terrible" as the coordination to such a big attack "was all pretty much ad hoc", but with a coordinated response you would know what to do, what to say and how to fix it.
Talking specifically about Co3 Systems, Schneier said that it offers a way to coordinate a response. "It is not prevention or detection, it is response, and it doesn't make attacks less likely to happen, it makes it less bad when they do, and that could be not getting smacked with a class action lawsuit," he said.
I concluded by asking if he felt that companies needed to be prepared in the face of a potential attack. He said he did because of sophisticated attacks and legal trends. "For those two reasons, it becomes important to do something like this and there are different reasons for different sized companies, so those two things make it very useful and I am surprised by how much demand there is."