It's political economy, stupid
Bruce Schneier is an American computer security expert, cryptographer,
and writer. His books include Applied Cryptography (1996),
Secrets and Lies (2000), and Beyond Fear (2003).
He publishes a free monthly newsletter, 'Cryptogram', and blogs
at http://www.schneier.com/blog/.
He is the founder and chief technology officer of Counterpane Internet
Security. This autumn he'll be speaking at ISSE
2006 in Rome, on the topic of the economics of security. He
recently spoke with Brian McKenna for Infosecurity.
Your book Beyond Fear: thinking sensibly about security
in an uncertain world addressed the threat landscape in the
long wake of 9/11. It's five years on from the attack on the twin
towers. Why haven't we seen any cyberterrorism?
Cyberterrorism is largely a media myth. It is both very hard to
do, and not very effective from a terrorist's perspective. Terrorists
want to kill people and induce fear, not disrupt your email access
for a day. That's inconvenience, not terror.
You do hear people in, or former people from, the intelligence
community in the US and UK who say the computer networks that comprise
the 'critical national infrastructure' are more vulnerable to attack
than we might suppose. What do you say to that?
Our critical information infrastructure is very fragile, but more
to accident or inadvertent attack from worms and viruses than to
deliberate targeted attack from terrorists.
Apropos, the recent terror plot in the UK: in 'Cryptogram'
you've said 'this [the UK government's programme of airport restrictions]
isn't security, it's security theater'. Yet you also express admiration
for the job done by the British security forces. Has the UK government
been wrong to put on this theatre?
As a short term measure, what they did makes a lot of sense. Those
airplane security measures focused on that plot, because authorities
believed they had not captured everyone involved. As I said in my
blog at the time, it was reasonable to assume that a few lone plotters,
knowing their compatriots were in jail and fearing their own arrest,
would try to finish the job on their own.
So, the excessive security measures seemed prudent. But only temporarily.
Banning box cutters since 9/11, or taking off our shoes since Richard
Reid, has not made us any safer. And a long-term prohibition against
liquid carry-ons won't make us safer, either. It's not just that
there are ways around the security, it's that focusing on tactics
is a losing proposition.
So, cyberterrorism is hyped by the media. On the media
also, you said at RSA, in February, that media coverage of information
security, in general, seemed “random”. What prompted
you to say that, and what do you think the explanation is?
These are complex technological issues, and the press simply lack
the context to evaluate what's a story and what isn't. For example,
CNN made a big deal of the Zotob worm [September 2005]. Why? Because
they got hit!
That's less true of the computer press. Primarily it's the mainstream
press who are guilty. But the trade press can get influenced by
what's reported in the mainstream.
Everyone says there's been a shift from hacking and malicious
writing for kicks to a for-profit model. How much reality is there
to this? Isn't it over-hyped, just as cyberterrorism is?
Definitely not. I was one of the first people to point to this
trend, and I still say that cybercrime is under-hyped. The press
is picking up on identity theft, but that is just one piece of the
story. The real story is fraud, and how computers and networks are
a vehicle for fraud.
What would you say to the observation that while internet
crime is organized, it's not 'organized crime' in the traditional
sense?
Internet crime encompasses the entire spectrum, from individuals
to highly organized crime syndicates.
You've said that we don't have any real data for internet
crime; that the costs are ill understood, and so on. How can we make
streetwise sense of the threat landscape if we don't have reliable
data?
It's very difficult. We have very bad data on cybercrime. It's
hard to collect the data; the victims often don't know they are
victims; and there is a lot of secrecy there in terms of companies
being hit. And that makes it very difficult to allocate funding
to tackle the problem, and so on. I don't have a good answer for
this.
In terms of the legal context of security and its economics,
you said at RSA that understanding the regulations that have proliferated
in recent years has become like reading the Talmud! An amusing
remark but what is the force of it? Are these regulations a good
thing, or just a nuisance?
They are very complicated, and a lot of auditors have gotten rich
because of them. And, yes, it is a pain for IT security managers
to be in compliance with them. But on the whole regulation is a
good idea. It's made computer systems more secure, and it's made
IT security professionals more strategic, which is a good thing.
Regulation is part of injecting an economic rationale into security,
as is making software vendors liable for buggy software. In economic
terms, it's crucial that the people who can fix a problem are incentivized
to do so. And the business press has actually been good here, because
its coverage of Sarbanes-Oxley et al. means managers get to find
out about why security controls are important.
One of the big themes of Beyond Fear is what we
could call the ‘law of unintended consequences’: how
security solutions cause other risks. There are some good examples
of this at the head of a 2003 profile on you in The
Atlantic Monthly by Charles Mann. Can you give a recent
example of this?
The interdiction on liquids on planes is a good example. The effort
spent screening for them means we're spending less time screening
for the really dangerous stuff. Airplanes are less safe because
of that policy.
Another core tenet of your thinking, which comes out in
that Atlantic piece, is a security dyad of 'brittle/ductile'.
Brittle security, when it fails, fails badly because it lacks resilience;
ductile security, on the other hand, can bounce back from failure.
Again, have you got a recent example in mind?
In Beyond Fear, I used the terms 'fragile' and 'resilient.'
The recent terror plot arrests in the UK are a good example. That
was a triumph of old-fashioned intelligence and investigation. Police
in at least two countries were watching the terrorists for a long
time. They followed leads, figured out who was talking to whom,
and slowly pieced together both the network and the plot. That's
resilient security; it works regardless of the plot.
On the other hand, airport security screening is fragile. It's
a last line of defence, and not a very good one at that. Sure, it'll
catch the sloppy and the stupid -- and that's a good enough reason
not to do away with it entirely -- but
it won't catch a well-planned plot. And if the terrorists choose
another target, it's completely wasted security.
You're well known as a thought leader in information security.
Who do you look to for thought leadership?
I don't look to specific people; I just look around. We are all
capable of being thought leaders.
Links to Bruce Schneier on:
Cyberterrorism: http://www.schneier.com/crypto-gram-0306.html#1
Lessons of the London arrests: http://www.schneier.com/blog/archives/2006/08/terrorism_secur.html