Entries Tagged "Schneier news"


Today I Briefed Congress on the NSA

This morning, I spent an hour in a closed room with six members of Congress: Rep. Lofgren, Rep. Sensenbrenner, Rep. Bobby Scott, Rep. Goodlatte, Rep. Mike Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren had asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn’t forthcoming about their activities, and they wanted me—as someone with access to the Snowden documents—to explain to them what the NSA was doing. Of course, I’m not going to give details on the meeting, except to say that it was candid and interesting. And that it’s extremely freaky that Congress has such a difficult time getting information out of the NSA that they have to ask me. I really want oversight to work better in this country.

Surreal part of setting up this meeting: I suggested that we hold this meeting in a SCIF, because they wanted me to talk about top secret documents that had not been made public. The problem is that I, as someone without a clearance, would not be allowed into the SCIF. So we had to have the meeting in a regular room.

EDITED TO ADD: This really was an extraordinary thing.

Posted on January 16, 2014 at 12:27 PM

Twitter Users: Please Make Sure You're Following the Right Feed

I have an official Twitter feed of my blog; it’s @schneierblog. There’s also an unofficial feed at @Bruce_Schneier. I have nothing to do with that one.

I wouldn’t mind the unofficial feed—if people are reading my blog, who cares—except that it isn’t working right, and hasn’t been for some time. It publishes some posts weeks late and skips others entirely. I’m only hoping that this one will show up there.

It’s also kind of annoying that @Bruce_Schneier keeps following people, who think it’s me. It’s not; I never log in to Twitter and I don’t follow anyone there.

So if you want to read my blog on Twitter, please make sure you’re following @schneierblog. And if you are the person who runs the @Bruce_Schneier account—if anyone is even running it anymore—please e-mail me at the address on my Contact page. I’d rather see it fixed than shut down, but better for it to be shut down than continue in its broken state.

Posted on January 7, 2014 at 4:53 PM

I’ve Joined Co3 Systems

For decades, I’ve said that good security is a combination of protection, detection, and response. In 1999, when I formed Counterpane Internet Security, I focused the company on what was then the nascent area of detection. Since then, there have been many products and services that focus on detection, and it’s a huge part of the information security industry. Now, it’s time for response. While there are many companies that offer services to aid in incident response—mitigation, forensics, recovery, compliance—there are no comprehensive products in this area.

Well, almost none. Co3 Systems provides a coordination system for incident response. I think of it as a social networking site for incident response, though the company doesn’t use this term. The idea is that the system generates your incident response plan on installation, and when something happens, automatically executes it. It collects information about the incident, assigns and tracks tasks, and logs everything you do. It links you with information you might need, companies you might want to talk to, and regulations you might be required to comply with. And it logs everything, so you can demonstrate that you followed your response plan and thus the law—or see how and where you fell short.

Years ago, attacks were both less frequent and less serious, and compliance requirements were more modest. But today, companies get breached all the time, and regulatory requirements are complicated—and getting more so all the time. Ad hoc incident response isn’t enough anymore. There are lots of things you need to do when you’re attacked, both to secure your network from the attackers and to secure your company from litigation.

The problem with any emergency response plan is that you only need it in an emergency. Emergencies are both complicated and stressful, and it’s easy for things to fall through the cracks. It’s critical to have something—a system, a checklist, even a person—that tracks everything and makes sure that everything that has to get done is.

Co3 Systems is great in an emergency, but of course you really want to have installed and configured it before the emergency.

It will also serve you better if you use it regularly. Co3 Systems is designed to be valuable for all incident response, both the mundane and the critical. The system can record and assess everything that appears abnormal. The incident response plans it generates make it easy, and the intelligence feeds make it useful. If Co3 Systems is already in place, when something turns out to be a real incident, it’s easy to escalate it to the next level, and you’ll be using tools you’re already familiar with.

Co3 Systems works either from a private cloud or on your network. I think the cloud makes more sense; you don’t want to coordinate incident response from the network that is under attack. And it’s constantly getting better as more partner companies integrate their information feeds and best practices. The company has launched some of these partnerships already, and there are some major names soon to be announced.

Today I am joining Co3 Systems as its Chief Technology Officer. I’ve been on the company’s advisory board for about a year, and was an informal adviser to CEO John Bruce before that. John and I worked together at Counterpane in the early 2000s, and we both think this is a natural extension to what we tried to build there. I also know CMO Ted Julian from his days at @Stake. Together, we’re going to build the incident response product.

I’m really excited about this—and the fact that the company headquarters are just three T stops inbound to Harvard and the Berkman Center makes it even more perfect.

Posted on January 6, 2014 at 6:18 AM

Yes, I'm Leaving BT

The Register reported that I am leaving BT at the end of the year. It quoted BT as saying:

We hired Bruce because of his thought leadership in security and as part of our acquisition of Counterpane. We have agreed to part ways as we felt our relationship had run its course and come to a natural end. It has nothing to do with his recent blogs. We hired Bruce because of his thought leadership in security, not because we agree with everything he says. In fact, it’s his ability to challenge our assumptions that made him especially valuable to BT.

Yes, it’s true. And contrary to rumors, this has nothing to do with the NSA or GCHQ. No, BT wasn’t always happy with my writings on the topic, but it knew that I am an independent thinker and didn’t try to muzzle me in any way. I’m just ready to leave. I spent seven years at BT, and seven years at Counterpane Internet Security, Inc., before BT bought us. It’s past time for something new.

As to what comes next: answer cloudy; ask again later.

More news here. And a Slashdot and Hacker News thread.

Posted on December 20, 2013 at 2:31 PM

New Book: Carry On

I have a new book. It’s Carry On: Sound Advice from Schneier on Security, and it’s my second collection of essays. This book covers my writings from March 2008 to June 2013. (My first collection of essays, Schneier on Security, covered my writings from April 2002 to February 2008.)

There’s nothing in this book that hasn’t been published before, and nothing you can’t get free off my website. But if you’re looking for my recent writings in a convenient-to-carry hardcover-book format, this is the book for you.

I’m also happy with the cover.

The Kindle and Nook versions are available now, and they’re 50% off for some limited amount of time.

Unfortunately, the paper book isn’t due in stores—either online or brick-and-mortar—until 12/27, which makes it a pretty lousy Christmas gift, though Amazon and B&N both claim it’ll be in stock there on December 16. And if you don’t mind waiting until after the new year, I will sell you a signed copy of the book here.

Suggestions for a title of my third collection of essays, to be published in five-ish years, are appreciated.

Posted on December 6, 2013 at 2:47 PM
