“In information security there are very real threats, and the main threat is crime”, Schneier said, although he also pointed out that many information security threats are due to ‘accidents’ rather than malice.
Another trend going forward, is the interaction between IT and physical systems such as ID cards, ATM machines, Oyester cards, etc. “When the physical hits the IT world. I think the security there is a really big deal”, Schneier predicted.
Social networking sites such as Facebook will also pose a potential information security threat as “more and more data is going on there”.
When asked what types of crime will be prevalent, Schneier exclaimed: “Forget cybercrime! Crime is crime. It’s the same stuff that criminals have been after for thousands of thousands of years: mostly money.
“It doesn’t matter [what type] – whatever gets money. Stealing personal data is a precursor to fraud. The only reason you steal personal data, is to commit fraud with it. … Human motivations have not changed – all that changes are the tactics.”
Identity theft is not new. “Identity theft is impersonation fraud.”
Changing tactics
“The tactics are different, but the crime is the same, the motivation is the same.
“If we’re to look for emerging tactics, are these new physical / secure systems. I think it’s socio-technical systems, and some of these purely computer-based socio-technical systems like Facebook – there’s where we can see a lot of new things going on”, Schneier said.
“Criminals go where the money is. And it’s very hard to figure out what the new criminal tactics are going to be. They are cleverer than we are, they spend more time on this.”
He mentioned the scam where hackers took over people’s Facebook accounts, claimed they were stranded somewhere and asked for money ‘to get home’. “It’s an old confidence game, but with a new tactic”, Schneier said.
“There’s going to be something else clever next year. We don’t know what it’s going to be. The good guys are playing catch-up.
“The bad guys tend to use new technology faster because they don’t have a procurement cycle. The technologies tend to benefit the bad guys first. They are faster to adapt than the good guys are. I think that’s fundamentally human”, Schneier mused.
Security and privacy
Asked about how government can secure personal data, Schneier said: “The most important thing is protecting [the data].” This is not, however as easy as it sounds.
“If we could tell government ‘do these two things and you’ll be fine’, and they did it, we would have solved this problem. The fact that we haven’t tells, you that this isn’t an easy problem to solve.”
There is also the issue around privacy when government collects large amounts of data on its citizens. So how can one balance information security with privacy?
“People that talk about balance do not understand the issues. There is no balance”, Schneier responded.
When collecting data, you face the risk of fraud as “fraud means misuse of data”. If you have privacy, you will also get security, Schneier implied, before asking: “Would you feel secure when all your private data is public?”
Asked whether it is possible not to collect private data on individuals, Schneier told Infosecurity: “Your data is not public… and the world runs just fine. I don’t believe the world would collapse unless everything is made public. We know this is true. The world has been running for thousands of years, and it hasn’t collapsed – I think we’re doing ok.”
Challenged further on whether this is possible in the modern world, Schneier said that we have to select the ways we chose to disclose information and not let everyone have access to everything.
Schneier warned that people should not think that security and privacy in opposition – you can have information security without impairing privacy.