GIT-Interview with Bruce Schneier about Infosecurity

17.09.2012

Bruce Schneier is an internationally renowned security technologist and author. His first bestseller, ‘Applied Cryptography’, explained how the arcane science of secret codes actually works, and was described by Wired as “the book the National Security Agency wanted never to be published.” His book on computer and network security, ‘Secrets and Lies’, was called by Fortune “[a] jewel box of little surprises you can actually use.” His current book, ‘Beyond Fear’, tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security. Schneier also publishes a free monthly newsletter, Crypto-Gram, with over 130,000 readers. He has written articles for many major newspapers, has testified on security before the United States Congress on many occasions, and delivered the keynote speech on Internet Security at Secure 2007, last June in Bad Homburg, Germany. GIT SECURITY + MANAGEMENT interviewed Bruce Schneier on infosecurity.

We are indeed living in the Internet age, and more and more we are relying on computers at work and at home. Do you feel that the more we rely on them, the more we are exposed to infosecurity threats, or are we getting better at understanding them?

B Schneier: It’s a mixture of both. Security is very much affected by the details, and as computers become more embedded in our lives – both the obvious computers we use for so many things, and the embedded computers everywhere – we are much more affected by infosecurity threats.

At the same time, we are getting better at understanding them. For the most part, it’s generational. The generation that is growing up with the Internet is much more security savvy.

It’s not that they aren’t vulnerable to the threats, it’s that they have a more intuitive understanding of them. Unfortunately, I think things are going to get worse before they get better.

Infosecurity is a matter of technology more than education and familiarity, and our increased reliance on computers makes us more vulnerable across the board.

We fear the unknown and therefore expect the threats to come from the outside. We all have read about how much we ignore the peer-to-peer threat. Would you have any suggestion on how this mind frame can be changed?

B Schneier: I don’t think it can be. Our brains are programmed to be more afraid of the strange than the familiar. Whether it is murder, kidnapping, or computer intrusions, we are more worried about the outsider attack even though the insider threat is much greater. The trick is really going to be to build security systems that protect against both.

People will use them because they fear the stranger, but they’ll protect against the familiar as well.

What are the latest trends when it comes to threats and how to stop them?

B Schneier: The big trend in infosecurity is crime. Over the past few years, hacking has transitioned from a hobbyist game to a criminal enterprise. Today, most hacking is criminal in nature, whether it’s stealing passwords and account information for identity theft, or stealing CPU cycles for sending spam or DNS extortion.

Unfortunately, there is no single magic technological answer to stopping them. We stop crime through police investigation, arrest, and conviction. This works, but is hard, given the very international nature of infosecurity crime. But that’s the way to think.

We stop this kind of crime through a combination of prevention, detection, and response.

Are we all following the latest trend and the ultimate solution when it comes to technology trying to stop those threats or are we starting to question their power against the unexpected? Are we being sheep or thinkers?

B Schneier: There isn’t an ultimate solution – to any security problem. Murder has been with us for millennia, and isn’t going away anytime soon. It’s the same with kidnapping, theft, assault, and pretty much every other crime. Often all we can do is deal with the threats as they arise. That being said, we need to address some pretty fundamental security problems, and we’re not very good at doing that.

It’s less that we’re being sheep and more that there isn’t a good economic incentive for businesses to do this, and government isn’t really ready to force the issue.

In order to understand the threats to come, to be able to see the detail in the big picture, is a mathematical, scientific mind required, or do we need to follow our human instincts more?

B Schneier: It’s both. Infosecurity is fundamentally about technology, so knowledge of the details of the technology is essential. But security – any security – is fundamentally about people. This is one of the reasons security is so hard; it straddles many disciplines.

How much better are we getting at distinguishing between real threats and imaginary ones?

B Schneier: We’re getting better. I formed my company, now BT Counterpane, in 1999, to do security monitoring. We spent millions on technology to differentiate real network attacks from false alarms. This technology, combined with our people and processes, is what sets us apart from other companies offering security monitoring.

So it’s not easy, but it can be done.

Between governments and the private sector, which one is getting the best out of the solutions presently available?

B Schneier: Both sides are equally mediocre. Neither is doing better than the other.

How do you feel the infosecurity situation will be in a decade or two? Is the future as unpredictable as it more or less was 20 years ago?

B Schneier: Today, infosecurity is less about technology, and more about applying technology. We have many, many technologies that simply aren’t being deployed for completely non-technical reasons. That makes the future very hard to predict. But in general, I am pessimistic about the near-term future and optimistic about the long-term future.

Mr Schneier, thanks for taking the time to answer our questions.

The event

Secure 2007 was the 6th annual congress for IT security with an accompanying exhibition. The congress, organised by Management Circle, has established itself as a significant industry event for security in Germany. This year’s Secure took place on 26 and 27 June in Bad Homburg near Frankfurt am Main.

The congress focused on topical security issues, new technical developments and solutions for the optimum protection of enterprise IT. More than 25 renowned speakers discussed current trends and challenges, among them Bruce Schneier.