Interview: BT's Bruce Schneier

Many interests make up the pieces in the mind of Bruce Schneier
Many interests make up the pieces in the mind of Bruce Schneier
Outside-the-box thinking is not enough in today’s environment, says Schneier. “In security, there is no box.”
Outside-the-box thinking is not enough in today’s environment, says Schneier. “In security, there is no box.”
Bruce Schneier, BT (Image by Geoffrey Stone)
Bruce Schneier, BT (Image by Geoffrey Stone)

Bruce Schneier is, without question, a superstar of the security industry. Often labeled as a security “expert” or “guru”, there is perhaps nobody in the field that is more often quoted or respected. His name is as synonymous with security as Michael Jordan’s is with basketball, or the Beatles are with rock and roll. But, as he told me when I sat down with him in London this spring, ‘Bruce Schneier the security celebrity’ was spawned from rather accidental beginnings.

“I actually don’t have a good creation myth, which I should – I should have made one up a decade ago, because I’m always asked, where did you get your security interest?”, he responds jokingly. “The truth is, I’ve always been interested in security”.

Rather than just making a blanket statement about ‘being interested in security’, Schneier goes on to define precisely what this means, completely negating the need for any follow up. You see, one of the first things I notice is that his mind is constantly moving, as if he is processing about a dozen different things at once.

“I basically say, this is a mindset you’re born with: How do I subvert this system?” Hacking, he explains, is just a deconstruction of how something works. Security hacking, however, “is how does this fail, [and] what happens when it fails?” So, for Schneier, his interest in security stems not from a love of how things work, but from a desire to see how things fall apart.

“Every good security engineer is part criminal, but they might not act on their criminal urges”, he admits, careful to point out the motivational differences of, let’s say, a mechanical engineer from that of a security practitioner.

Yet Schneier confesses that if a security person’s brain is engaged, then they are always thinking about how they can subvert a particular defense mechanism. “They walk into a store and say, ‘I could steal stuff here’, because that’s the just the way their mind thinks. They walk into a voting booth and say, ‘I could vote twice’. What separates the criminals from the non-criminals is whether you do it or not, but the security engineer naturally sees [the holes].”

Voting, and the issue of fraud, was something that we would be sure to revisit later on in our conversation. For now though, I wanted to know what chain of events led Bruce Schneier to become BT’s chief security technology officer and all the points in between.

To Rochester and Beyond

Schneier chose an educational path that, by his own admission, was a bit misdirected. He attended the University of Rochester, majoring in physics, which he thought of as “basically math boundary conditions”. After receiving his degree in 1984, he soon realized that there were two options before him − neither of which seemed too appealing. Schneier tells me that had he wanted to get a job in engineering, the places where he applied would ask him where his engineering degree was from, or his masters in physics.

“So I kind of got the wrong degree”, he remembers. Luckily for Schneier, a Navy recruiter came knocking, as he progresses through a lighthearted recount of his entrance into security.

The government, he recalls, did not want to pay two different people to do cryptography for it, even though there was a need for such skills in both the Navy and the National Security Agency (NSA). “So they hired me”, he continues. “I kind of scrunched my resume around so I looked kinda like a double agent, and I ended up working in cryptography, not for the NSA, but for the government.” In the end, he goes on, it was the Navy that signed his first post-graduate paychecks.

In 1990 Schneier took a position with AT&T Bell Labs, and, just as quickly, was laid off in 1991. Yes, even the man who some have dubbed “Bruce Almighty” was not immune to the cycles of downsizing that often plague the business world.

Shortly after being sent on his way by AT&T, Schneier formed Counterpane, a managed network security services firm. “The rest is history”, he says frankly, as the company he founded was purchased by BT, one of the world’s largest telecommunications providers, in 2006. Since this purchase, Schneier has served as the company’s chief security technology officer and unofficial “security evangelist”.

A Common Thread

If you read through the list of publications that Schneier has authored, you can’t help but wonder how one person can spread their interests over such a wide array of subjects. What I gather from reading his work, and speaking directly with the source, is that security encompasses many disciplines, among them many we never consider, such as neuroscience, anthropology, evolution, psychology, and the list goes on.

While he himself does not claim to be an “expert” in many of the areas he’s mused about over the years – including airport security, elections, terrorism, and natural disasters – there is something that ties all of these things together. “The common thread is security”, Schneier contends. “I’m a meta person”, he says, a common refrain throughout our conversation. “I’m an expert in, really, the intersection of security technology and people…and the things I do and think and write apply to airlines and to firewalls, and to a home burglar alarm, and to tax cheats and voting machines, and ID cards and security cameras – and everything.”

”Really, my career’s been an endless series of generalizations. I have always been a meta, meta, meta guy. I’m always looking for connections on how things fit, and looking for the bigger way of thinking about things. Cryptography’s a tool”, he adds, paying homage to his beginnings as a government cryptographer. “But it has to work inside a computer, inside a network. So then I generalized out to computer security and network security.”

For now, at least, these connections and generalizations continue to grow out from Schneier’s brain in search of more answers, more questions, and more connections.

Security is Anarchy

Stated simply, Schneier says he is – at his core – a puzzle solver. And, reflexively speaking, all security problems are puzzles waiting to be solved. Putting yourself into the shoes of your adversary, however, is what he believes sets apart the truly gifted in the security field.

Schneier recalled a time when he attended a security conference with one of his NSA colleagues, where he and other attendees found themselves discussing the methods of one particular system attack. “That’s cheating”, one of the attendees said, to which Schneier’s colleague, Brian Snow, said: “In security, there’s no such thing as cheating.”

“And he was right”, Schneier affirms. “It’s that thinking outside the box. In security, there is no box.”

I then asked him whether rules in the world of IT security exist. If you think of the game as one of defender versus attacker, Schneier says, one in which the defender (or system designer) makes up the initial rules, then, by definition, it becomes anarchy, with attackers refusing to play by any predetermined rules.

“There’s no agreement by attackers to play by any of your rules”, he declares. “So if you have a rule, you’re only fooling yourself.”

One Person, One Vote?

Did all those people in Broward County really vote for Pat Buchannan in 2000? Its questions like these that have had me long-intrigued by the subjects of elections and politics, so I was struck by one particular focus of Schneier’s. In Florida it was the infamous manual butterfly ballot that confounded so many, so surely the push to implement electronic voting systems would deliver greater security and accuracy?

I asked him, keeping in mind that he’s not a voting ‘expert’, whether voting fraud is easy to pull off. He replied by first establishing some definitions.

“Voter fraud, which is like voting when you shouldn’t, is effectively a media myth – it never happens”, Schneier proclaims. “Vote fraud, stuff like votes disappearing, tabulators being manipulated – that stuff is scarily easy.”
‘How does he know?’, I wonder to myself, quickly realizing that he’s likely already worked out several ways to crack the voting machines or processes he has encountered.

"I’m an expert in, really, the intersection of security technology and people"

Schneier, who to this point had been more than direct with a quick, frank response was not afraid to ‘get political’. “So there’s the Republican trope of, all those illegal immigrants are voting – that’s complete bullshit. The scary thing that either side can manipulate – machines – is very worrying.”

He then recalls various incidents where machines contributed to what he calls ‘vote fraud’. In one case a candidate received a negative number of votes – “clearly a buffer overflow, flowed over, or was it a signed integer? Do you know what happened? Was it done on purpose, or by accident? We just don’t know.

“Very often you don’t know, through the mechanism, the intention of the person”, he says of today’s electronic voting systems. Schneier also believes most of the electronic-based voting systems we have in place today are not up to task, although he acknowledges there are a few good ones.

The problem with many of the systems, and larger society in general, is what he calls the “trust me” aspect of computers. It is the trust we place on electronic evidence that makes it such an attractive target to manipulate, while at the same time providing an air of near irrefutability – a paradox with interesting implications that Schneier is keen to point out.

He says that vote fraud and trust in electronic evidence are interrelated. “In courtrooms, electronic evidence is presented, and there is often only minimal ways for the defense to cross-examine it.”

As a rather extreme example, he talks about using a breathalyzer as evidence against drunk driving. “The defense would say, ‘I want to see the software that accused me, and the prosecutor would say, well you can’t, it’s a machine. The vendors would say, you can’t see, it’s our proprietary technology.” Yet, as he points out, such evidence is routinely allowed in a US courtroom.

There was such a case, he recalls, where the machine did the averaging incorrectly. “There was a fundamental error in the code that caused it to produce bad data. So maybe we do need to allow the defense to review any source code that’s used in a courtroom.”

It’s these types of questions that Schneier is exploring at the moment, as our laws, in many cases, have yet to catch up with the actual technology. He asks rhetorically: “How can you effectively cross-examine robots? How can you cross-examine a computer?” Both are very intriguing questions.

The Security Evangelist

I brought our time to a close by asking BT’s chief security technology officer what security technology was essential from an enterprise’s perspective. His answer took me somewhat by surprise, yet was still on point: “probably door locks.” Schneier said that what can be considered essential is all relative, and depends on what you are trying to protect. Nonetheless, he adds that door locks are “essential security technology”, but also taking steps at a higher level to keep your assets safe.

In his current role at BT, Schneier says he’s part strategist and part evangelist. He plays an active role in formulating BT’s own long-term security strategy and “what things BT should do as service offerings”.

The rest of his time is spent spreading the security gospel, whether at conferences much like the one we were meeting at (Infosecurity Europe), or with BT’s customers. I asked him what type of discussions he has with the firm’s customers. “Whatever they want to know”, Schneier replies. “It’s often nothing about BT, because what I’m really doing – me as a personality – in talking about security creates a reflective glow on the company.
So a lot of what I do for BT is, be me.”

Getting paid to simply be yourself – I can’t think of a better job than his.

What’s hot on Infosecurity Magazine?