Bruce Schneier has a few things to say on security.
His opinions on the encryption debate, patching as a failure, IoT risk, and many other cybersecurity related topics are quite definite.
We interviewed Schneier at SecureWorld Boston before he headed to the (ISC)2 booth to sign copies of his latest bestselling book, "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World."
Schneier also delivered the lunch keynote address at SecureWorld Boston, which is the region's largest cybersecurity conference.
Watch our complete video interview with Bruce Schneier on the state of cybersecurity in 2019 to hear his passion for this topic:
In case you'd rather read than watch, here is our interview with Bruce Schneier on his views on cybersecurity.
[SecureWorld] In your latest book, you coined the term "internet plus." What do you mean by that, and why is it so insecure?
[Bruce Schneier] So internet plus is a name I invented for Internet of Things, plus the data, plus the connections, plus everything. I don’t know, it's a mediocre term, but there really isn't a term for everything, and what I'm writing about in the book is the totality of everything. And why is it so insecure is a book in itself. The short answer is the market doesn't reward good security, so we get lousy security. And the government doesn't regulate good security. So there's absolutely no incentives anywhere to have good security. So we don't.
[SW] You also touched on the fact that complexity is the enemy of security, and we've got that as well, right?
[Schneier] Yes, you know, getting into the noise, there are a gazillion technical reasons. Certainly complexity is one of the difficult things, but honestly if there was profit in making it secure there would be.
[SW]: What about patching as a failed security paradigm? What are your thoughts on that?
[Schneier] You know patching is kind of reaching the end of its useful life. It works, really, because the things we're patching are expensive and maintained by tech companies. They’re laptops, they are computers, they are phones. And that whole patching ecosystem is predicated on there being engineers at Apple and Microsoft and Google who can write these patches and push them down.
You start moving to low-cost embedded systems like DVRs and home routers and appliances, and there are no engineers to write patches. There's no mechanism to get the patches to the systems. So that, that's going to fail pretty badly.
[SW] You mentioned "class breaks" in your book. This is one of the reasons that problems with security getting broken can be so severe.
[Schneier] I mean, class breaks are something we're used to in computers, right, that a vulnerability appears and suddenly every iPhone is insecure. All Windows are insecure, and then we have to get a patch. The real world isn't ready for that.
Maybe think about physical devices like cars. Cars fail, you know, in this irregular stochastic pattern. They break once in a while, and there are repair shops to deal with the steady stream of cars that need fixing. They don't break all at once. And the mechanism of "all at once" is going to be difficult for the real world to contend with because they don't have that capability. Everybody's refrigerator needs fixing—today. We can't do that.
[SW] I was at a press briefing with the head of the FBI and NSA Cyber. They were talking about 5G, and they're very concerned about the security of it. Do you find security concerns about that?
[Schneier] 5G is a big deal and security is a problem. I kind of laugh at the NSA and the FBI being concerned about it because they're the ones who are pushing to make sure it's insecure.
They have this weird definition of security which means security from everyone except them, which we as technologists can't actually build. And they are pushing for insecure protocols at the same time they're complaining about lack of security.
So yes, we need security. We need trust and that actually means the FBI and NSA are not going to be able to eavesdrop on those systems. And they have to either accept that or be happy with the insecurity. They can't get both.
[SW] You hit on that and called now the "Golden Age of surveillance." Yet, the FBI and NSA are claiming they are about to be shutout by encryption. Where do you fall on this debate?
[Schneier] That encryption is vital for national security. That as long as our phones and computers are used and carried by our legislators, our CEOs, our nuclear power plant operators, that putting backdoors in them is not just stupid, it's dangerous. And yes, I get it that the FBI will have to do a little more work to solve crimes, but the security benefit is more than worth it.
[SW] We’ve talked about a lot of the problems. I want to hit what you covered at the end of your book about some of the solutions. Where do we need shifts, and how?
[Schneier] Really what we need is government to step in. We are now living in the world that the market gives us in terms of security. This is it. This is what the market will reward. If we don't like it, we need to do what government always does, which is perturb the market, right, to change the playing field. And we'll do things like that all the time.
We have child labor laws. We have minimum wage laws. These are all perturbings of the market, and we need to do that here in cybersecurity, just like we do in airline safety and everything else, and say "here are some minimal standards." Here are some regulations, here are some mechanisms for liability.
We know how this works in every other aspect of society. We need to do it here. And as long as we don't, we're going to be stuck where we are now, which is with all this insecurity.
[SW] And then are you optimistic about cybersecurity?
[Schneier] So I tend to be short-term pessimistic, long-term optimistic. I actually don't think this will be the end of society. We’ll figure this out. I think we have some rocky years ahead.
[SW] You're at a number of conferences where people come together to talk about this problem and share ideas. Why are you part of that ecosystem? What is the benefit do you think?
[Schneier] I mean, we're human beings, that is what we do. That is how we solve problems, right? I mean, you know, we're not alligators. We don't live solitary lives. We live communal lives and we develop language to do this, so for us as a species to get anything done, we need to collaborate with each other.
[Speaking of collaborating, join your peers at a regional SecureWorld conference in 2019: conference calendar.]
Here is one last thought from Bruce Schneier. He believes greater government regulation of the internet and cybersecurity is in our future, because life depends on it.
"The internet is about to start killing people, and government regulates things that kill people,” he told the audience during his keynote.
He certainly has a point.