What’s to Be Done about Data? Q&A with Bruce Schneier

Bruce Schneier has been called a "security guru" by the Economist. He has written 13 books and hundreds of articles, and his influential newsletter Crypto-Gram and his blog Schneier on Security have over 250,000 readers. He has testified before the U.S. Congress, is a frequent guest on television and radio, and has served on several U.S. government committees. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a board member of the Electronic Frontier Foundation, and the Chief Technology Officer at Resilient Systems.

In March, Schneier published Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, which quickly reached the New York Times best-seller list and garnered numerous reviews, interviews, and book talks. The book is a comprehensive and engaging summary of today's security and privacy issues and a list of recommendations for governments, corporations, and individuals.

Schneier sums up his impressive career as "an endless series of generalizations" and says he likes to work at the intersection of security, technology, and people. Indeed, he is the rare security expert who can move easily from writing about the arcane details of cryptography to explaining privacy issues to general audiences. The following is an edited transcript of Schneier's recent phone conversation with CTO Straight Talk Managing Editor Gil Press.

Let's start by putting today's security issues in a historical context. How has the security industry evolved?

Security is a combination of protection, detection, and response. You need protection to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security, and manage the fallout.

In the 1990s, we focused mostly on protection. A lot of products were offered that would protect your computers and networks. By 2000, we realized that detection needed to be formalized as well, and we saw many new detection products and services. This decade is one of response. Over the past few years, we've started seeing products and services focused on IR [incident response].

Security teams are incorporating these products and services into their security portfolios because of three trends. The first is cloud computing. More of our data is held in the cloud by other companies, and more of our networks are outsourced. This makes response more complicated, because we might not have visibility into parts of our critical network infrastructures. The second trend is that attacks are getting more sophisticated. The rise of APT [advanced persistent threat]—targeted attacks for reasons other than simple financial theft—brings with it a new sort of attacker, which requires a new threat model.

And the third factor driving the adoption of IR solutions is that companies continue to underinvest in protection and detection, both of which are imperfect even under the best of circumstances. Incident response picks up the slack.

Has the introduction of incident response solutions changed the nature of the market for security products and services?

Security is a mix of people, process, and technology. What has changed over the years are the ratios. Protection systems are almost all about technology, with some assistance from people and process. Detection requires more-or-less equal proportions of people, process, and technology. Response is mostly done by people, with critical assistance from process and technology.

This is new for the security industry. For most of its life, the industry has been plagued by the fact that it's difficult for buyers to tell the difference between good and bad products. Price is the driver because there's no good way to test for quality. But because IR is people-focused in ways protection and detection are not, better products will do better because buyers will quickly be able to determine that they're better.

There are new solutions in the current stage of the life of the security industry, but there are also new types of security threats.

You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus—people using common hacking tools against thousands of networks worldwide. These low-end attacks include actions like sending spam out to millions of e-mail addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.

High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered "zero-day" vulnerabilities in software, systems, and networks. This is the sort of attack that affected Target, JPMorgan Chase, and most of the other commercial networks that you've heard about in the past year or so.

Even scarier are the high-skill, high-focus attacks—the type that hit Sony. Low-focus attacks are easier to defend against: If Home Depot's systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company's security is superior to the attacker's skills, not just to the security measures of other companies. Often, it isn't. We're much better at relative security than we are at absolute security.

Let's turn from security to privacy. How are the two linked?

You can't have privacy without security. If our personal spaces and records are not secure, we have less privacy—we feel exposed and vulnerable, less secure. Fundamentally, the argument for privacy is a moral one. It is something we ought to have—not because it is profitable or efficient, but because it is moral.

Traditionally, companies have been paying less attention to privacy concerns than to security threats. Is this changing?

We are seeing the rising importance of customer and user privacy in an increasing number of corporations. Many now have Chief Privacy Officers, senior executives responsible for managing the legal and reputational risk of the personal data the corporation holds. These executives are establishing rules and regulations even in the absence of government mandate. They're doing this because it's good for business.

The Sony attack made clear the link between security and privacy, when hundreds of private e-mails and personal information of Sony's employees were made public.

While companies need to improve their security against attacks, there's another equally important but much-less-discussed lesson here—companies should have an aggressive deletion policy. Everything is now digital, and storage is cheap—so why not save it all? But saving data, especially e-mail and informal chats, is a liability. It's also a security risk: the risk of exposure. The exposure could be accidental. It could be the result of data theft, as happened to Sony. Or it could be the result of litigation. Whatever the reason, the best security against these eventualities is not to have the data in the first place.

If Sony had had an aggressive data deletion policy, much of what was leaked couldn't have been stolen and wouldn't have been published. Companies should develop and implement an organization-wide deletion policy. The ultimate way to secure data is to delete it.

Deleting data goes against the fundamental premise of big data—that more data is better.

The key is to understand how much data is needed for what purpose. By and large, companies could make do collecting much less data, and storing it for shorter periods of time, than they do now. For example, many retailers rely on ubiquitous surveillance to measure the effectiveness of advertisements, infer buying patterns, and so on. But they don't really need everyone's data to do that. A representative sample is good enough for those applications and was common when data collection was expensive.

You also argue that with the right legal and regulatory environment, we will see the rise of businesses based on collecting less data and better protecting what is collected.

Surveillance became the business model of the Internet because it was the easiest thing that made money and there were no rules regulating it. It has remained the business model of the Internet because the costs are low, the potential gains are enormous, and—at least in the U.S.—there are still no rules regulating it. By both regulating the collection and use of our data, and raising the costs of retaining our data, we will incent new business models that don't rely on surveillance. Credit card companies don't have to track every purchase in order to bill us and prevent fraud. The Internet can be built with strong anonymity protections. Electronic cash can be both secure and anonymous. All of these things are possible—we just have to want them. If we succeed in raising the cost of surveillance and data collection, new businesses that don't rely on it will rise up and take the place of the current ones that do.

In addition to highlighting specific security and privacy issues in your work, you talk about them in the larger societal context of the way we live now—online, all the time.

Data is the pollution problem of the information age, and protecting privacy is the environmental challenge. Almost all computers produce personal information. It stays around, festering. How we deal with it, how we contain it, and how we dispose of it are central to the health of our information economy. Just as we look back today at the early decades of the industrial age and wonder how our ancestors could have ignored pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we addressed the challenge of data collection and misuse.

Categories: Text, Written Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.