"Surveillance Shouldn’t Be the Business Model of the Internet. We Can Change It"

Dubbed a 'security guru' by The Economist, Bruce Schneier has authored several books, including the NYT bestseller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, as well as hundreds of articles and academic papers. In 2013, the American security technologist was invited to brief a US Congress group about the documents revealed by whistleblower Edward Snowden, and to explain 'what the NSA (National Security Agency) was doing'. In an email interview with Kim Arora, he spoke about the recent Wannacry ransomware attack, cybersecurity, and threats to privacy. Excerpts:

With the Wannacry ransomware attack, we saw how neglecting to install a security update in time led to massive losses worldwide. How do we need to change the way we think about data security?
Promptly installing security updates is one of the most important things you can do to improve your security. That was true well before Wannacry, and it's still true. Most people follow this advice, and it's the primary reason Wannacry wasn't nearly as devastating as it could have been. Hopefully this very public malware attack will convince everyone else.

We keep installing apps which demand access to so much of our private information. Have people given up on trying to protect privacy?
No, people have not given up. Every study and survey conducted confirms that people are no less concerned about their privacy today than they ever were. People install apps that spy on them because they see no alternative. They want what the apps provide, and don't fully understand the surveillance implications of what they're giving up. The app makers like this, of course. They don't want people making informed decisions; they prefer learned helplessness. It doesn't have to be this way, of course. We decided that surveillance is the business model of the internet. We can change it. All it takes is regulation.

How do you see ransomware attacks in the future developing with the Internet of Things?
It's not a good combination. Internet of Things devices will be lower cost and will have even worse security than our computers and phones. Many of them are not patchable, even if there were engineering teams at the companies to write the patches. And they will have implications for life and property. Researchers have already demonstrated ransomware against home thermostats. Imagine them against your car, your home appliances, or medical devices.

With CryptoWall, WannaCry and other similar attacks, Bitcoin seems to be the preferred mode of payment, where geographical tracing becomes a problem. How can law enforcement catch up to be able to get to the hackers in these cases?
It's very hard to find and prosecute malware writers, even without Bitcoin. Bitcoin does provide ransomware makers with an untraceable payment system, which makes it harder to find these people. But law enforcement has other techniques at its disposal. The more serious problem is that cybercriminals like to operate out of countries with ineffective police and laws, making it hard to prosecute them even if we can identify them.

We've seen here and with earlier ransomware attacks the lengths to which hackers go to explain to their victims about paying in Bitcoin. Some even set up call centres to do this! How do you see this phenomenon?
Ransomware is a business, albeit an illegal business. If people can't pay, the ransomware makers don't make money. So it makes perfect sense for those businesses to set up call centres to assist their victims. That they can't be stopped even with this is another illustration that Bitcoin isn't the only reason they can get away with their crimes.

After the Sony hack last year, the attack on Bangladesh Bank, and with Wannacry now — the suspicion has always landed on North Korea. Is that justified?
The suspicion lands where the evidence points. In recent months, we've seen many attacks attributed to both Russia and China. The North Korean attribution, still tentative, is based on forensic analysis of the code. As we learn more, we'll know whether it is a proper attribution or not.

In a blog you wrote, it seems that you regard Edward Snowden as somewhat of a hero. Is he being judged unfairly?
I think he is being judged fairly. What he did is public, and the effects of it — both positive and negative — are largely public. Different people have different opinions of his actions, but I don't think that either "side" is being unfair. I believe history will judge him a whistleblower and a positive force for change, because history will better see the big picture.
