 
|
Extended version of article in May/June 2007 issue Interview: Bruce Schneier (page two)BT Counterpane’s founder and chief technology officer talks to SA Mathieson at Infosecurity Europe "Infosecurity always gets in the way of business. Security gets in the way - that's its job, whether it's a door lock, or airport security, or a network firewall. We want it to get in the way because it does something good. You don't want it, because it makes your life more difficult, and there's inherently a battle between getting things done and being secure. And usually getting things done wins, which is why a lot of security is so poor. "In a sense, security is a tax on the honest. When I got to the show, I had to stand in line and get a badge. Why did I have to get a badge? Because if I don't, some people will try to sneak in. If everyone was honest, I could have saved a whole bunch of time." "These are not technological problems, so be careful of technological solutions," Schneier warns. As with what he calls "nonsense counter-terrorism policy, people mitigate against particular tactics, rather than the broad threat, so the tactics just change. If I can't use a USB key, I'll use something else. If you can't blow up an airplane, blow up a shopping mall. We're not solving the problems," he says. "It's real important to look at the broad threats, rather than the particulars of a tactic. "The real security is, you can't download and carry around sensitive data, and the only way you're going to solve that is by hiring honest people," he says. It is possible to create draconian security - Counterpane has such a system for staff who work on sensitive customer data, with terminals without printers, USB ports, disc-drives or external network connections. "You can do that. Does it get in the way? By God it does. But that's the point, because we have to guarantee the security of our customer's data. In most instances, companies can't be that draconian." Schneier believes that the wider world will better understand risk in the future, although this may take some time. He praises a recent report by the Royal Academy of Engineering [PDF link] which argues that security and privacy are not in opposition, and that we can have both: "Isn't that a good report? Did you read it?" he asks. Some reports suggested this was naïve. "It's not naïve, it's difficult," he replies. "But if don't have an ideal to shoot for, we're never going to get anywhere close. I love it that they said those things - they put a stake in the ground and said, this is where we should go. They didn't say we will get there tomorrow, they didn't say it's going to be perfect, they didn't say it will be easy, they said this is what we should do. And I think the recommendations were spot on. "There are sensible solutions. I don't have near-term optimism. I think we're living in a time of stupid security. I think our fears of terrorism make us do all kinds of crazy, stupid, self-destructive things. But long-term, 10, 15 years, yes, I'm very optimistic that we will maintain privacy and liberty, we will continue the march towards freedom of the past millennium, and it will not be reversed. "Martin Luther King Jr. said, the arc of history is long but it bends towards justice. And yeah, these past five years have been pretty terrible for freedom and liberties, privacy and democracy, but you know 100 years ago women couldn't vote. 200 years ago in my country, blacks were slaves. Things get better - they get better slowly though."More from Infosecurity Europe 2007 Extended version of interview with Ray Stanton Online-only interview with Eugene Kaspersky Cybercrime
unreported due to reputation risks More from the May/June issue Perfect database security
is a fairytale, says William Knight
|
|
