Transcript

q&a 28 Infosecurity Today September/October 2006

Your book Beyond Fear: Thinking Sensibly About Security in an Uncertain World addressed the threat landscape in the long wake of 9/11. It's five years on from the attack on the twin towers. Why haven't we seen any cyberterrorism?

Cyberterrorism is largely a media myth. It is both very hard to do, and not very effective from a terrorist's perspective. Terrorists want to kill people and induce fear, not disrupt your email access for a day. That's inconvenience, not terror.

You do hear people in, or former people from, the intelligence community in the US and UK who say the computer networks that comprise the 'critical national infrastructure' are more vulnerable to attack than we might suppose. What do you say to that?

Our critical information infrastructure is very fragile, but more to accident or inadvertent attack from worms and viruses than to deliberate targeted attack from terrorists.

Apropos, the recent terror plot in the UK: in 'Cryptogram' you've said 'this [the UK government's programme of airport restrictions] isn't security, it's security theater'. Yet you also express admiration for the job done by the British security forces. Has the UK government been wrong to put on this theatre? And how has MI5's success been seen in the US?

As a short term measure, what they did makes a lot of sense. Those airplane security measures focused on that plot, because authorities believed they had not captured everyone involved. As I said in my blog at the time, it was reasonable to assume that a few lone plotters, knowing their compatriots were in jail and fearing their own arrest, would try to finish the job on their own.

So, the excessive security measures seemed prudent. But only temporarily. Banning box cutters since 9/11, or taking off our shoes since Richard Reid, has not made us any safer. And a long-term prohibition against liquid carry-ons won't make us safer, either. It's not just that there are ways around the security, it's that focusing on tactics is a losing proposition.

So, cyberterrorism is hyped by the media. On the media also, you said at RSA, in February, that media coverage of information security, in general, seemed "random". What prompted you to say that, and what do you think the explanation is?

These are complex technological issues, and the press simply lack the context to evaluate what's a story and what isn't. For example, CNN made a big deal of the Zotob worm [September 2005]. Why? Because they got hit!

That's less true of the computer press. Primarily it's the mainstream press who are guilty. But the trade press can get influenced by what's reported in the mainstream.

Everyone says there's been a shift from hacking and malicious writing for kicks to a for-profit model. How much reality is there to this? Isn't it over-hyped, just as cyberterrorism is?

Definitely not. I was one of the first people to point to this trend, and I still say that cybercrime is under-hyped. The press is picking up on identity theft, but that is just one piece of the story. The real story is fraud, and how computers and networks are a vehicle for fraud.

What would you say to the observation that while internet crime is organized, it's not organized crime in the traditional sense?

Internet crime encompasses the entire spectrum, from individuals to highly organized crime syndicates.

It's political economy, stupid

Brian McKenna

[email protected]

Bruce Schneier: we can all be thought leaders

Bruce Schneier is an American computer security expert, cryptographer, and writer. His books include Applied Cryptography (1996), Secrets and Lies (2000), and Beyond Fear (2003). He publishes a free monthly newsletter, 'Cryptogram', and blogs at http://www.schneier.com/blog/. He is the founder and chief technology officer of Counterpane Internet Security. This autumn he'll be speaking at ISSE 2006 in Rome, on the topic of the economics of security. He recently spoke with Brian McKenna for Infosecurity Today.


You've said that we don't have any real data for internet crime; that the costs are ill understood, and so on. How can we make streetwise sense of the threat landscape if we don't have reliable data?

It's very difficult. We have very bad data on cybercrime. It's hard to collect the data; the victims often don't know they are victims; and there is a lot of secrecy there in terms of companies being hit. And that makes it very difficult to allocate funding to tackle the problem, and so on. I don't have a good answer for this.

In terms of the legal context of security and its economics, you said at RSA that understanding the regulations that have proliferated in recent years has become like reading the Talmud! An amusing remark, but what is the force of it? Are these regulations a good thing, or just a nuisance?

They are very complicated, and a lot of auditors have gotten rich because of them. And, yes, it is a pain for IT security managers to be in compliance with them. But, on the whole, regulation is a good idea. It's made computer systems more secure, and it has made IT security professionals more strategic, which is a good thing.

Regulation is part of injecting an economic rationale into security, as is making software vendors liable for buggy software. In economic terms, it's crucial that the people who can fix a problem are incentivized to do so. And the business press has actually been good here, because its coverage of Sarbanes-Oxley et al. means managers get to find out about why security controls are important.

One of the big themes of Beyond Fear is what we could call the 'law of unintended consequences': how security solutions cause other risks. There are some good examples of this at the head of a 2003 profile on you in The Atlantic Monthly by Charles Mann.* Can you give a recent example of this?

The interdiction on liquids on planes is a good example. The effort spent screening for them means we're spending less time screening for the really dangerous stuff. Airplanes are less safe because of that policy.

Another core tenet of your thinking, which comes out in that Atlantic piece, is a security dyad of 'brittle/ductile'. Brittle security, when it fails, fails badly because it lacks resilience; ductile security, on the other hand, can bounce back from failure. Again, have you got a recent example in mind?

In Beyond Fear, I used the terms 'fragile' and 'resilient.' The recent terror plot arrests in the UK are a good example. That was a triumph of old-fashioned intelligence and investigation. Police in at least two countries were watching the terrorists for a long time. They followed leads, figured out who was talking to whom, and slowly pieced together both the network and the plot. That's resilient security; it works regardless of the plot.

On the other hand, airport security screening is fragile. It's a last line of defence, and not a very good one at that. Sure, it'll catch the sloppy and the stupid – and that's a good enough reason not to do away with it entirely – but it won't catch a well-planned plot. And if the terrorists choose another target, it's completely wasted security.

You're well known as a thought leader in information security. Who do you look to for thought leadership?

I don't look to specific people; I just look around. We are all capable of being thought leaders. •

*http://www.theatlantic.com/doc/200209/mann

Links to Bruce Schneier on:

Cyberterrorism: http://www.schneier.com/crypto-gram-0306.html#1

Lessons of the London arrests: http://www.schneier.com/blog/archives/2006/08/terrorism_secur.html

Economics of security: ten trends that will shape the future

1. Economic value of information is increasing

2. Computer networks are becoming more and more part of the critical national infrastructure

3. Third parties control information not under our control

4. Criminalization of the net — eg, the growth of bot networks for profit

5. Ever-increasing complexity of networks

6. Slower patching, faster exploits

7. Sophistication of automatic worms

8. Endpoints: more and more of them, and they are untrustworthy

9. End user as attacker

10. Regulatory pressure
