Bruce Schneier at Infosecurity Europe 2016
This year's Infosecurity Europe conference had so many great places to be and things to do that it was often hard to choose how best to spend one's limited time and harder still for many to identify a single highlight. For myself personally, however, it had to be the opportunity to hear one of my favourite writers for many years speaking on the keynote stage.
Whilst terms like "security guru" or even "thought leader" are often bandied around and diluted to the point of being meaningless, few of us mere security mortals can reasonably dispute the influence, credibility and respect that Bruce Scheiner holds as a writer, technologist, cryptographer and entrepreneur. You know that when he speaks at an event like this, it is not an opportunity you're going to get every day.
His keynote talk, Privacy, Trust and the Internet of Things, did not disappoint; it presented a considered, sober and balanced view of an often exaggerated subject.
Refreshingly, Schneier offered neither silver bullets nor fatalistic doom mongering but simply a call that (paraphrasing) "we, as security people have to figure these problems out." His view that the Internet of Things (IoT) is effectively creating a global interconnected "robot" entity (even begrudgingly coining a phrase the "world sized web"), one that leverages real AI (although preferring to use the term autonomous rather than artificial intelligence), could have gone off in all sorts of clichéd "Skynet"-type directions.
Instead, it stayed more usefully within the realm of real challenges faced by security professionals.
"We need to start making more ethical and political decisions about how our technologies should work. But because the internet has been so benign until now, we've allowed programmers to have this special light in society to code the world as they see fit. I don't think we can do that anymore. I think this is becoming too critical to allow programmers to do what they want."
Schneier then outlined the disparity between agile development processes and "getting it right first time," for the consequences of getting this piece wrong are potentially just too dire. He hinted, as an example, that if we stay on present course in terms of a lack of standards and accountability, we will soon see ransomware for smart cars (which have become less vehicles with some computer capability and transformed into more powerful computers with an attached vehicle capability that they control).
Let's face it, the extortion business model prospect of gaining payment for returning the reliable control of someone's braking system trumps the present-day model of returning their often backed-up encrypted files.
On the controversial topic of government intervention in cyber security and technology more broadly, Schneier presented a sound case as to why this is now simply an inevitability rather than a debate.
"More government involvement in cyber security is inevitable simply because the systems are more real—we're getting into the world of catastrophic risks as our computers become more physical."
The context for such a statement on which he elaborated, however, is that we actually need smart, informed government involvement rather than reactive "stupid" involvement. He went on to say that if we don't pre-empt that approach and instead carry on as we are (with policy makers who don't really understand technology and technologists who don't understand government, referencing the Apple/FBI case), then we will most certainly get the latter.
He pointed out the huge difference between devices like smartphones (whose security has naturally evolved through the disposability and continual upgrade of the devices to more secure platforms) and domestic appliances like thermostats, which may be replaced rarely if ever.
He also talked a lot about ethics and the need for a possibly more altruistic technologist path of practice. In particular, he drew parallels to the practice of Public Interest Law, which despite its less financially lucrative incentives (raising questions many years ago about which of the brightest and best would go into it) now enjoys a 10% take up at Harvard where he is a fellow.
In fact, Schneier covered so much in the short time he spoke that it's impossible to capture much of it meaningfully here. I hope someone makes available videos or transcripts of the talk soon.
As a final observation, Schneier's continued enthusiasm for the industry and eye on the new was a breath of fresh air that dispels some of the cynicism you sometimes hear about Infosecurity Europe as an event. He had clearly walked around the public show floor before speaking and made a concerted point of praising new companies and solutions providers in attendance which he hadn't previously come across.
As a neat parting touch from someone with their feet still firmly on their ground despite their clear status in the industry, he even offered to make anyone who turned up at a certain stand afterward a cocktail! I had other commitments, so I have no idea how that panned out in reality, but it was a great gesture nonetheless.
Hearing someone like Schneier speak can be a real inspiration and reminder that what we all do as security professionals can make a difference to the world we live in and leave behind. It was an inspired keynote speaker booking and my Infosecurity Europe 2016 highlight, for sure!