“Have a Good Bullshit Detector,” Advises Computer Security Expert Bruce Schneier
Cyberspace seems more insecure than it has for a long time. In an interview, security guru Bruce Schneier proposes a radical solution: Top-tier managers should have to go to prison if they fail to protect their company networks against hacker attacks.
Summary
- Bruce Schneier, security expert, says improved defense measures against cyberattacks are urgently needed.
- Quantum computers do not pose a fundamental threat to cryptographic security, Schneier says, but cryptographic agility will be important.
- The main problems in the field of cybersecurity are economic and regulatory, he says, rather than technological shortcomings.
Cybersecurity is facing a tough challenge. Hospitals, schools and companies are constantly falling victim to ransomware attacks. Criminals are draining life savings from unsuspecting citizens through “pig-butchering” attacks. Even American government systems do not seem immune to hackers—Chinese attackers recently penetrated the largest telecommunications networks in the U.S. and tapped into Donald Trump’s phone lines.
The future doesn’t seem very promising either: Some experts warn that the quantum computers currently under development could crack the encryption safeguarding today’s computer systems.
But is computer security really that bad? Few people can answer the question better than Bruce Schneier. The 61-year-old American is regarded as the elder statesman of the cybersecurity industry. As a cryptologist, he has developed important encryption methods himself. Today, he teaches at Harvard University and sits on the board of the civil rights organization Electronic Frontier Foundation.
Whether lecturing at Harvard or attending specialist conferences, Schneier is instantly recognizable: A ponytail, full gray beard and newsboy cap are his trademarks. His approach to answering questions is just as distinctive—concise, direct and provocative.
The monthly newsletter of his blog “Schneier on Security” is read by 250,000 recipients. In his latest book “A Hacker’s Mind,” Schneier explains how all areas of society can be cracked with a hacking mentality.
Mr. Schneier, some experts are of the opinion that computer security will soon deteriorate massively when quantum computers arrive and it will be possible to crack any existing encryption. As a cryptologist, how concerned are you about this risk?
Not really very much, for a whole bunch of reasons: One is we don’t know how soon this is going to happen, if ever. Quantum computers currently don’t exist, and no one knows when—or even if—we’ll be able to build one. They seem to always remain “10 years in the future,” which means no one has any idea.
And two, the math is well ahead of the physics here. We are creating post-quantum encryption algorithms faster than the quantum people are breaking non-quantum-resistant algorithms. So I think we’re fine.
So the current cybersecurity systems won’t need any adjustments?
The federal agency in charge, NIST, has a whole set of post-quantum algorithms that they have already released and are continuing to release. So that’s good. The people who are panicking are people who don’t understand cryptography. A common misperception is that crypto is going to break everything. It’s not true. The real importance is crypto agility: It’s not enough to implement a single standard; it’s vital that our systems be able to easily swap in new algorithms when required. In the face of all that uncertainty, agility is the only way to maintain security.
But progress is certainly being made in the development of quantum computers. Google has just broken the barrier to fault-tolerant quantum computers.
Breakthroughs in error correction are where we need the work, so good for Google for recently reporting breakthroughs in that field. We’ll see how much of a leap forward that will be. In the short term, cryptographers are putting considerable effort into designing and analyzing quantum-resistant algorithms, and those are likely to remain secure for decades.
Generative AI is not a dream of the future, but already a reality. What are the most important changes that AI brings to cybersecurity?
If you go to industry conferences, every company has an AI strategy. Most of it is marketing bullshit, but some of it is real. Now we’re starting to see AI embedded in things like spam detection, vulnerability scanning and source code analysis. We see more machine learning techniques. They’re not revolutions, but they’re definitely evolutions.
I’ve seen AI pen testing technologies. [Pen testing, or penetration testing, simulates attacks on computer systems.] So far, they are mediocre like all AI technology, but they’re going to get a lot better. I expect this to permeate every aspect of cybersecurity.
Does generative AI benefit the attackers more than the defenders?
In the long term, we have no idea. In the near term, my guess is that AI techniques benefit the defender more. You are already being attacked at computer speeds, so the fact that the defender can do that too now is a big deal. There are a bunch of tools trying to speed up the defense—like intrusion detection systems [that monitor a network for malicious activity or policy violations] for vulnerability scanning. Lots of companies are working on creating AI cybersecurity products. They are not very good just yet, but they will get a lot better.
But there is little sign of an improved defense today. Ransomware attacks and sophisticated scams are the epidemics of the internet age. Why are cybercriminals so successful?
You are right, it’s really, really bad. Some of it is cryptocurrency. The cybercrime industry would not exist without Bitcoin. But scams like “pig butchering” come down to bank regulation. Why aren’t the banks liable for this? If they were, they’d fix it. A lot of it is due to the professionalization of the criminal industry. There are some really impressive cybercrime gangs that have become something like global brands. So some of it is getting after them and law enforcement arresting them. But it’s really hard because of the geopolitics. Now Russia is going to let them live on their soil.
Let’s talk about state-sponsored hacking. Chinese hackers recently penetrated the telecommunications systems in the U.S. Is the U.S. government doing too little to protect its systems?
Of course we are doing too little. But doing a lot is expensive and hard to do. It tells you either we are not the best in the world or being the best is not enough. We’re in a world where attack is easier than defense. Defense is hard and expensive and pisses off corporations. I’m not surprised, also not by the extent of [the attacks]. It’s a matter of trade-offs of costs and benefits.
Is this an example of how private companies should have used more technology to better protect themselves?
The [cybersecurity] industry is doing great stuff, but it’s not the industry, it’s the economics of using it. I mean, I go to [trade fairs that are] full of really fantastic products and services—that nobody buys. Companies are more willing to take the chance of an intrusion than to spend the money.
Why is that?
We could blame capitalism. Companies get their quarterly stock price by saving money, not by being secure. And it’s probably the lack of regulation that gets companies taking their chances rather than being secure. You don’t get rewarded for security, you get rewarded for saving money. It really is the system in which this is all embedded.
In your view, should there be higher fines if companies are unable to keep hackers out of their networks?
It’d be nice. Or maybe we can jail people. You know, financial penalties are the cost of doing business. In jail, executives suddenly notice. But this is a problem way bigger than cybersecurity. I would like to see incentives change—either liabilities or regulation or something. It would be nice [to make companies] responsible, because right now they’re externalities.
These are actually really big problems because, yes, you’re right. The Chinese got into the telecom networks. But tell me how the telephone network is going to suffer because of that. Show me where this matters to my stock price or my profit line.
Probably nowhere, you’re right. But the Americans, for their part, are masters at monitoring other nations. Do you believe that the surveillance internet makes the world fundamentally safer or less safe?
Much less safe. It would be better if we could actually secure the internet rather than use it for surveillance. This is an actual real problem. It’s sheer conceit: The U.S. thinks we’re doing all this spying and we don’t want to not spy. So we’re going to make sure everybody can spy. It is a stupid thing to do. A world where nobody spies is better than a world where everybody spies.
As a cybersecurity expert, what is your advice on how everyone can improve their own internet security?
Some very general, basic advice is: Update your software, keep good backups and have a good bullshit detector—that is, a healthy dose of skepticism. That already covers a lot of ground.
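The crypto agility Schneier calls for earlier in the interview (a single standard is not enough; systems must be able to swap in new algorithms when required) is a property of how code is structured rather than of any one cipher. The block below is an added example and is not code from the interview, from Schneier or from NIST. It assumes a self-describing envelope whose first two bytes are a layout version and an algorithm identifier, and a registry that records what each algorithm may still be used for. HMAC from the Python standard library stands in for the signature or key-encapsulation primitives a post-quantum migration would actually replace; the algorithm ids, their statuses, the demo key and the messages are all constructed for illustration.

```python
"""Crypto-agile envelope: every protected message names its algorithm, and a
registry decides what each algorithm may still be used for.

Added example, not code from the interview or from Bruce Schneier. HMAC from
the standard library stands in for the signature or KEM primitives a
post-quantum migration would actually swap; the algorithm ids, statuses and
the demo key are constructed for illustration."""
import hashlib
import hmac

VERSION = 1  # first byte of every envelope; bump only if the layout itself changes

# Constructed registry. The status field is the agility control:
#   active  - may protect new data and verify old data
#   legacy  - verify only, so data already protected with it stays readable
#   retired - rejected outright, even for verification
ALGORITHMS = {
    0x01: {"name": "HMAC-SHA1",   "hash": hashlib.sha1,   "status": "retired"},
    0x02: {"name": "HMAC-SHA256", "hash": hashlib.sha256, "status": "active"},
    0x03: {"name": "HMAC-SHA512", "hash": hashlib.sha512, "status": "active"},
}


class AgilityError(Exception):
    """Raised when an envelope names an algorithm the policy no longer allows."""


def set_status(alg_id: int, status: str) -> None:
    """Policy change at runtime: no caller of protect/verify has to change."""
    if status not in ("active", "legacy", "retired"):
        raise ValueError(status)
    ALGORITHMS[alg_id]["status"] = status


def _mac(alg_id: int, key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, ALGORITHMS[alg_id]["hash"]).digest()


def protect(message: bytes, key: bytes, alg_id: int) -> bytes:
    """Envelope layout: VERSION | ALG_ID | TAG | MESSAGE; tag length comes from the registry."""
    entry = ALGORITHMS.get(alg_id)
    if entry is None or entry["status"] != "active":
        raise AgilityError(f"algorithm {alg_id:#04x} may not protect new data")
    return bytes([VERSION, alg_id]) + _mac(alg_id, key, message) + message


def verify(blob: bytes, key: bytes) -> tuple[str, bytes]:
    """Dispatch on the algorithm id; return (algorithm name, message) or raise."""
    if len(blob) < 2 or blob[0] != VERSION:
        raise AgilityError("unsupported envelope version")
    alg_id = blob[1]
    entry = ALGORITHMS.get(alg_id)
    if entry is None:
        raise AgilityError(f"unknown algorithm id {alg_id:#04x}")
    if entry["status"] == "retired":
        raise AgilityError(f"{entry['name']} is retired; data must be re-protected")
    tag_len = entry["hash"]().digest_size
    tag, message = blob[2:2 + tag_len], blob[2 + tag_len:]
    # Constant-time comparison so the check itself does not leak the tag.
    if len(tag) != tag_len or not hmac.compare_digest(tag, _mac(alg_id, key, message)):
        raise AgilityError("integrity check failed")
    return entry["name"], message


def re_protect(blob: bytes, key: bytes, new_alg_id: int) -> bytes:
    """Migration step: accept data under a legacy algorithm, re-emit it under the new one."""
    _, message = verify(blob, key)
    return protect(message, key, new_alg_id)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    old = protect(b"quarterly report", key, 0x02)
    set_status(0x02, "legacy")          # the SHA-256 path is being phased out
    print(verify(old, key))             # still readable ...
    migrated = re_protect(old, key, 0x03)
    print(verify(migrated, key))        # ... and now carried by the new algorithm
    set_status(0x02, "retired")
    try:
        verify(old, key)
    except AgilityError as e:
        print("old envelope rejected:", e)
```

The point to check in your own code is what a migration touches: here, callers never name a hash function, the tag length is never baked into the format, and moving from one algorithm to the next is three registry edits plus a re-protect pass over stored data. A non-agile design would hardcode `hashlib.sha256` in both the producer and the verifier and assume a 32-byte tag everywhere, which is exactly the situation that turns a future algorithm break into a rewrite.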