Q&A: Schneier on Trust, NSA Spying and the End of US Internet Hegemony
Bruce Schneier is the man who literally wrote the book on modern encryption, publishing Applied Cryptography in 1994, and for the past 20 years has been an important and sometimes outspoken voice in the security industry.
He founded the firm Counterpane Internet Security (later sold to BT), and is also a board member of the Electronic Frontier Foundation and an Advisory Board Member of the Electronic Privacy Information Center.
More recently he's been working on documents released by Edward Snowden on NSA activities and presented his findings at this year's RSA conference in San Francisco. The Register took the opportunity of sitting down with Schneier at the event and chewing through the current state of security, privacy and government intrusion online.
The Reg: This conference opened with a statement from RSA chief Art Coviello regarding the use of the flawed NSA-championed Dual Elliptic Curve Deterministic Random Bit Generator in an encryption toolkit product.
Coviello said RSA did all it could to secure its software. What's your take on the affair?
Schneier: I believe that's true. When NIST came out with that RNG standard, it was one of four choices available, and those choices tracked other crypto suites. It made sense in a holistic way that there should be an elliptic curve in there. It was slower, it was kludgier, but some people thought that was a plus, not a minus.
By 2007 there was the first inkling that there might be a backdoor, but it was just guessing and it is part of the NIST standard. Any toolkit that says "we're compliant" [with a particular standard], which I'm sure is a requirement for all sorts of contracts, had to implement it.
My guess is that RSA didn't know anything was amiss and when a large customer comes in with technical changes that don't really matter you just do them. I think RSA was more a victim here, and I think it's been unfortunate that over the last couple of months they haven't been able to tell their story clearly.
It's hard to tease out who did what and when. Certainly, I didn't boycott the RSA conference—I'm here for myself and the attendees, not for RSA—and if I was going to list companies to boycott because of their NSA collaboration, RSA wouldn't even make the top 10.
Who would be your top 10?
I think AT&T certainly would be on top, but I personally use AT&T's cellphone service. It's really hard to pick. That's the worst poison of these NSA actions; that we no longer know who to trust.
We cannot trust any phone company, any operating system provider, any application vendor, any security company. We simply don't know who is colluding, who has been compelled to collude, who is being owned surreptitiously, and all the transparency reports and denials don't really tell us anything.
In your last-but-one book Liars and Outliers you went into great detail about the importance of trust. In the wake of NSA spying, has trust been irretrievably lost?
I really think some of the losses in trust are going to be very difficult, if not impossible, to get back. The NSA deliberately subverted products and standards. We rely on these things for our security and there was the implicit assumption that those in charge of them were making them as good as they could.
Additionally, US companies are going to find it very hard to get users to trust them again. The best slogan a company like Google can say now is "we're secure, except for the attacks we don't know about and the attacks we are prohibited by law from telling you about," which is a sucky marketing slogan.
Even if the NSA says, like they are saying, "no, we haven't subverted standards," no one believes them. If the President says he's changed the NSA's policy so they don't do this any more, how do we know there isn't another even more secret organization that he formed to get around those rules? In a sense there's been a blind trust that we've had all these years that we finally have been shown was ill-founded, and I don't know if it's possible—at least with current technology—to get it back.
So what's your solution?
You can imagine some future technology where you can prove assurance, where you can prove that a piece of software or hardware does what you believe it does and nothing more. That's not beyond the realm of possibility. We don't know how to do that but it seems plausible that someday we will. Until then the problems are not technical, they are political and social, and there aren't technical solutions to those kinds of problems.
You've written that the NSA now needs to be broken up. What's the best way to do it?
I see it along three lines. First, anything done against Americans needs to be done by the FBI. We have rules for domestic surveillance, we have laws, we have procedures, and the FBI should be the organization to follow them. This should not be intelligence, it should not be the military, and it should be done by civilian law enforcement.
Second, these days eavesdropping equals network attack. This is why we freak out so much when the Chinese do it to us, because it's the same sort of techniques and attacks. Because of that it needs to be under a military command—US Cyber Command.
Finally, the NSA should focus on defense, security and defense. Cryptography, computer security, network security, critical infrastructure security, all the things they can do in the open to make everybody on the planet more secure.
What did you make of the appointment of Vice Admiral Michael Rogers as the new head of the NSA?
I think it means no change. Obama's review group actually said things along the lines of what I'm saying: break up the NSA and Cyber Command. The group's recommendations were really better than I expected. They talked about putting computer security ahead of signals intelligence, they talked about not subverting standards, and they talked about breaking [apart] the NSA and Cyber Command, and I think those suggestions should have been taken seriously.
Snowden, a whistleblower or traitor?
It's not simple. His actions were very complex and they are ongoing. Right now I believe that the abuses he has exposed are incredibly important, and they are why we're having the debates we are having now and why we're having these policy changes. The benefit of that far outweighs the damage that he might have done.
That being said, we are right in the middle of this. Those are the kind of questions that are answered by history books, not by newspapers.
What about the fallout? We're already seeing corporate profits being hit by the revelations from Snowden.
Unfortunately there's not going to be a lot of fallout. What we are learning is what the NSA is doing, but really this is what any well-funded nation state would do. This is what the Russians, Chinese, French and Israelis do.
So when you're looking to buy a cloud service, or a software program, or a piece of hardware, you kind of have to pick your adversary. You pick who you trust and you pick who you want spying on you. What are you going to do—buy Huawei equipment because you don't trust Juniper?
If you have to choose who your spook is, the US is probably a pretty good one. Much as I hate to say this, I think once things settle down people are going to say: "Better the US than the Russians." While we need to have huge policy debates, in the near-term there often aren't options that are spy-free.
Right now who do you want recording your location data—Apple or Google? There's no "nobody" option, there should be and there will be. But right now it's pick who you hate the least. That's the cold reality, and I wish it wasn't so.
And for the US as a whole?
We need to figure out who we can trust and we need a new internet governance model. The former governance model was largely a benign US dictatorship; the world believed the US was acting in the world's best interests and looked the other way.
That's gone, that's over, and it's not coming back. Unfortunately some of the alternatives, like the International Telecommunication Union, are way worse. So we need to work out governance now that no one trusts US benevolence.
What about your personal security? You don't even lock down your home Wi-Fi.
I believe in securing the endpoints. I believe having an open network is polite, like having a bathroom that isn't locked. I don't do anything magic at all.
Are you worried that you are personally under surveillance?
Yes, 100 per cent: I'm a target. If the FBI tried to get a warrant on my computer based on the fact that I have worked with Snowden documents then the odds they would get it are 100 per cent. And I do take pains. But look at that NSA Tailored Access Operations catalogue from 2008. The fact that I'm running an air-gapped computer is irrelevant—if the NSA wanted in, they would get in.
The reason they are not is because they know that if it ever got out that they attacked US journalists, the shit-storm would be ginormous. I do think the NSA tries to follow the law, and the Attorney General has said [the US government] is not going to prosecute the journalists.
Do you think the NSA knows what Snowden took?
They have no idea. That DIA damage report made some big assumptions that everything Snowden touched he took, and everything he took he gave to journalists. We know both of those are not true, but if you're doing a prudent damage assessment then that's what you assume—you have to.
What we learned about stealing is that if you break into a server and want 10 documents and the server contains 10,000, it is easier, faster and safer to take them all. Control-A, control-C, and control-V and you're done. In this world where search is cheaper than sort, taking them all is the best way.
We believe he no longer has any documents himself. We believe that before he left for Russia he encrypted them in a way that he could not decrypt them. That was a self-defense mechanism, as protection, and we can do that, we have mathematical ways to do that. It's not hard. He's savvy.
How do you think this situation will look five years down the line?
I think five years is too soon. I think ten years from now this will be looked back on as the start of restoring privacy and security. In five years it's going to be in the middle of the process.
You left Counterpane recently. For the record, that wasn't because BT was unhappy with what you've been saying about the NSA?
Absolutely not. BT was largely supportive of all my writings and outspokenness. The only thing they would get antsy about is when I talked about UK politics, which honestly is fine because between Ross Anderson and Privacy International, they have [that topic] pretty much covered. I didn't feel I was missing anything because I didn't understand the complexities of UK politics; I was happy to not have opinions on that.
Apart from that, they were nothing but supportive and it was time to do something new.
I formed Counterpane in 1999 and BT took it over in 2006, so it was all running for a long time. Honestly, I was itching to go back to a startup. I wanted something new.
So what's your new role as CTO of Co3 Systems about?
Co3 provides coordination software for incident response. You remember a decade ago I was talking about protection, detection and response. I founded Counterpane to do detection, and Co3 is about response and coordination.
It turns out that's a really big area now. Look at the Target breach: their response was incompetent. So the Co3 system automates coordination - you put in your policies, or, if you're a small firm, it knows best practice; it knows the laws and regulations, and it sends the emails, tracks the actions and makes sure that the FBI is alerted and laws are followed, and then documents it all so that when you're sued afterwards you can prove you did it.
We have feeds from threat intelligence and detection systems, and the software makes incident response not a disaster. The problem with people's emergency response plans is that they only ever look at them in an emergency, and that's not when you want to start looking for this stuff - you want it to be as automated as possible so you don't forget anything.
Two things are going on here. Attacks are getting more complicated and the laws are getting more complicated. Both have to be covered to handle litigious lawsuits after the fact. So it's kind of a no-brainer.