Bruce Schneier: Get Ready for More "Organizational Doxing"
Bruce Schneier has been writing about security issues on his blog, his blog, Schneier on Security, since 2004, and in a monthly newsletter since 1998. He writes books, articles, and academic papers. Currently, he is the Chief Technology Officer of Resilient Systems, a fellow at Harvard's Berkman Center, and a board member of Electronic Frontier Foundation.
What do you see as the greatest cyber risks today?
I don't like ranking risks, and I worry that concentrating on the 'greatest' risk obscures all of the other risks. Basically, the big cyber risks are what everyone is talking about. It's not like they're hidden or subtle. They're risks against our data: copying it, deleting it, modifying it, barring us access from it. They're follow-on risks, because the Internet is so pervasive in modern society. They're everything we're actually worried about.
What will the greatest threats be in 5 years' time?
If I can't rank threats in size order today, I surely can't rank them for five years in the future.
One threat that I think will become increasingly important is the practice of hacking an organization and publishing all of its internal documents and communication. In hacker terminology, this is organizational doxing.
This is what outside hackers did to both the cyberweapons arms manufacturer (and all-around unethical company) Hacking Team and the government of Saudi Arabia last month. This is what insiders Edward Snowden and Chelsea Manning did to the NSA and the State Department, respectively. This is what North Korea did to Sony last year, and what the hacker group Anonymous did to HBGary Federal in 2010.
It's a devastating attack, and a very effective activist tool. I expect we're going to see more of this type of attack in the coming years, as more individuals and groups realize its power.
The other future threat I am worried about is the Internet of Things. These low-cost computers built into all sorts of devices will both be sensing the world around them and semi-autonomously making changes based on that sensing. They're going to be no more secure than our computers and phones, but they'll be so inexpensive that there won't be any viable patching or upgrade path. This is going to be a huge threat that we don't fully understand.
Is the insurance industry doing enough to adequately address these risks?
Taking that to mean 'IT security risks in general,' I don't think so. What I want the insurance industry to do is mandate standards of security. I want the insurance industry to basically say to organizations that they won't pay out for cyber breaches if the organizations don't have good security practices. Insurance companies won't be able to mandate specific products, services, and configurations—the Internet is much too complicated to have things like fire safety codes—but they will be able to push the general level of security higher. Organizations know that they need insurance.
What keeps you awake at night?
Not much, really. Most of the doomsday scenarios you generally hear in response to a question like this are hyperbole. Of course there will be attacks, and they will be successful, but my guess is that we'll muddle through pretty much as we've always done.
I am worried about data and privacy, but not because of threats from hackers or criminals. I am worried about the legal uses of our data. I am worried about the corporations that have us under pretty much constant surveillance—think about your smart phone if you don't believe me—and the governments that use that data for their own ends. I worry about the death of ephemeral conversation as more of what we say is recorded and saved. I worry about tagged photo databases, and search engine histories, and companies that capture our social networks. I worry about how data is being stored forever, and how it's used for both social control and psychological manipulation. We've never lived in a world of ubiquitous surveillance before, and I worry about the effects of that world on new ideas—and, by extension, social progress.
In your opinion, what is the single most important cyber risk development in the past 12 months?
The rise of incident response as a viable product and service category. Incident response has always been a thing, but it's been the orphan stepchild of Internet security. That is changing. We're seeing more companies providing incident-response products and services, and that's a good thing.
Think of it this way. The 1990s was the decade of prevention. We all bought things like antivirus and firewalls, falsely believing that they were enough to keep us safe. The 2000s was the decade of response: IDSs and log monitoring in an attempt to catch the bad guys as they were attacking us. This is the decade of response. And when you finally tie together prevention, detection, and response, you have real security. You have resilience in the face of insecurity. And that's an important development.