An Interview with Bruce Schneier on the Internet of Things, Global Surveillance, and Cybersecurity

Bruce Schneier is a world-renowned cryptographer and security technologist whom the Economist has dubbed an "internet-security guru." Schneier has authored a dozen books since 1993, with his next book—Click Here to Kill Everybody: Peril and Promise in a Hyper-Connected World—due for release in September 2018, and set to tackle the burgeoning trends of cybercrime, corporate surveillance, and how to mitigate the catastrophic risks from unsecured devices.

Earlier this year, Schneier wrote a chilling article in New York Magazine detailing the pressing dangers of unsecured IoT devices and, more recently, consulted on bipartisan legislation that will ensure devices purchased by the U.S. government meet specific security standards.

On top of all that, Schneier frequently blogs on internet and security matters and runs a monthly newsletter, "Crypto-gram," that has amassed a following exceeding 250,000—so we thought he'd be perfect for an ExpressVPN cybersecurity Q+A.

We asked Bruce Schneier what his thoughts were on the origin of the problems that permeate improve their cybersecurity practices.

1. Firstly, thank you so much for talking to us! We appreciate you have a busy schedule, so let's get straight to it—why does the problem of unsecured technologies exist in the first place?

Security is an afterthought in product design and not something that's taken seriously enough. Companies are rewarded for features, price, and time-to-market. It's easy to slough off security because it's not immediately obvious that you've done so.

2. You've previously called surveillance "the business model of the internet." What does this mean to the average internet user?

It means that they are spied on 24×7. They're spied on when they surf the web. They're spied on when they send e-mail. They're spied on whenever they use their smartphones. Companies like Facebook are the largest surveillance organizations on the planet, and they need to be recognized as such.

3. Why is there such little market incentive to provide security if this is something consumers demand in their products?

Customers don't know how to make buying decisions based on security because the details are complex and specialized, so there's minimal incentive for companies to provide it. They're rewarded for price, features, and time to market—it's smarter for them to take the chance with security.

This is no different from any other industry. We don't get safety or security improvements without government intervention. It's true for cars, planes, medical devices, pharmaceuticals, workplace safety, restaurant sanitation, food safety, nuclear power plant safety, and—most recently—the safety of financial instruments.

4. If companies lack the incentive to do it, what type of mass event do you think could force a better knowledge of cybersecurity onto the general public?

I have no idea. I used to think that it was whatever massive data breach was in the news, but I've given up on that. I'm afraid that it's going to be a security event involving the Internet-of-Things killing people that will wake people up to the dangers. As long as that event doesn't involve guns, we might then have a sane and reasoned conversation about government regulation.

5. Speaking of government regulation, you recently consulted on legislation proposed by Senators Warner and Gardner to improve IoT cybersecurity this year—what do you hope this first step will accomplish?

As first steps, it's very minimal. It doesn't impose any security regulations on anybody. All it says is that IoT devices purchased by the federal government meet some basic security standards. And even this modest improvement isn't going anywhere.

6. Thanks again for speaking to us. Finally, what's a good cybersecurity best practice we can all start doing right away?

Enable two-factor authentication wherever possible. And maintain good backups.

Categories: Text, Written Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.