Bruce Schneier, it is safe to say, is the security experts expert, an accolade that has attached to only a select few of generation. Currently the CTO of Counterpane Internet Security, a company he founded in 1999, he has made his now considerable reputation on the back of his super-expertise in cryptography.
The long list of achievements has an interesting mix of technical wizardry he is credited with designing the Blowfish encryption scheme to which he has added an unexpected dash of publishing panache. His best-selling 1996 book, Applied Cryptography (significantly revised in 1999), is still seen as one of the best technical volumes on a subject that doesnt easily jump off the page. It has been said that this was the book the US authorities didnt want published but, then again, in the mid-1990s, the US authorities didnt want any book that explained encryption to be published. Undeterred, Schneier went on to publish a clutch of other high-regarded books, including most recently, Beyond Fear: Thinking Sensibly about Security in an Uncertain World in 2003.
The books are a clue to his growing reputation. He is technical, yes, but not so much that he cant explain what in the hell he is talking about to a non-expert. Thats a down-to-earth talent that shines through in his blogs, which often, refreshingly, tackle the politics of security.
One person we spoke to who had worked with him talked of him in the highest terms, and without the fearful wariness that sometimes creeps into the voice when discussing well-known figures. Computing and security is an industry chock full of false Messiahs, but we think Schneier falls into the category of the genuine.
The following interview was conducted by email. The communication was not encrypted.
Techworld: After decades of being taking for granted, security has moved to the top of people's list of issues. Does this herald an important change in IT or is it a another technological fashion?
Schneier: It represents a maturation of the Information Technology industry. It's easy to ignore security when IT is a minor aspect of your business, but much harder when it is the central core. As IT became critical infrastructure, security became more important. It's a vital change, since security in one form or another is critical to everything we do in IT.
Q: Some have said security systems are now being oversold by a greedy industry. Would you agree with that?
Security systems have been oversold for as long as I can remember. I think one of the biggest problems of the security industry is that, again and again, we've promised customers results that we didn't deliver on. We've tried to convince people that if they buy whatever product we're selling their security problems will magically disappear. It's not like that. Security is a process, not a product.
Q: Does government and regulation have any role to play in moving the security forwards?
Government has a very important role. Security is a trade-off; both individuals and organizations make those trade-offs from their own perspective. We don't live in a socialist society, nor do we expect corporations to behave like charitable institutions, so the only way to improve security is to affect that trade-off. Government has a critical role to play in that process. By increasing the downside of having bad security - laws, regulations, liabilities - government increases the amount of money, time, convenience, etc., that companies and individuals are willing to "spend" on security. Right now, for most corporations, the effects of bad security are largely an externality. Government is the best institution for bringing that externality internal, and making it relevant to the corporation's decision process. Unless we correctly hack the economics, no amount of technical security advances will matter.
Q: Why do you think so many large, rich companies have tended to underestimate the importance of security until it embarrassed them?
It's easy to underestimate something that's only a theoretical probability, especially in the face of competing priorities that are much more tangible. This has always been true for abstract things like security, reliability, safety, etc.
Q: Can you name the events, people and technologies that have most influenced your attitude to your chosen field?
My career has been a repeated series of generalizations. I started out in cryptography - mathematical security - with my first book, "Applied Cryptography." Then I realised that the best cryptography can't secure anything if the computer isn't secure, and the most secure computer in the world can fail if attached to an insecure network. So I wrote "Secrets and Lies" and began working in computer and network security. I founded Counterpane Internet Security, Inc., as a Managed Security Monitoring company, because even good computer and network security products don't work unless there are intelligent people monitoring and managing them 24x7. My more recent work is in non-computer security, because even the best computer security only works if everything around it is insecure. Security is only as strong as the weakest link, and finding that weakest link has resulted in generalization after generalization.
Q: It's a truism that security systems are fallible. why do you think > this has been the case and can they ever be secured?
All security systems are fallible. Explaining why would require a book, and I recommend that interested parties read my latest: "Beyond Fear: Thinking Sensibly About Security in an Uncertain World." Basically, as long as security systems involve people, they will be fallible - although there are some good security techniques for dealing with trusted people.
Q: What security holes deserve to keep us awake at night?
The ones that are easy to exploit and result in the most damage when exploited. It very much depends on the details of the system, but I worry more about common vulnerabilities than the rare and spectacular ones. I think that, today, we are grossly overestimating the risk of cyberterrorism and equally underestimating the risk of cybercrime. We worry more about the rare terrorist than the more common abuse of power by police and government. What keeps me awake at night are the security holes people aren't worried about because they're not rationally assessing risk.
Q: Does security simply come down in the end to rationally assessing risk?
Security comes down to rationally assessing risk, but there's no "simply" about it. Risk assessment is complicated and very difficult. In some cases it's impossible, and the best you can do is make an educated guess. But security is always a trade-off, and risk assessment is critical to making that trade-off accurately and well.
Bruce Scneier will be attending the Infosecurity Europe Show, as will Counterpane CEO Paul Stich.