Security guru Bruce Schneier is best known as the developer of the Blowfish and Twofish encryption algorithms and author of books that examine security and society. He is the chief security technology officer of BT Group and a founder and the chief technical officer of BT Counterpane. Described by The Economist as a “security guru,” Bruce has authored a series of books on security and related technologies. His first bestseller, Applied Cryptography explained how the arcane science of secret codes works, and was described by Wired as “the book the National Security Agency wanted never to be published”. His latest book, Beyond Fear, tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security. Bruce shares his views on security issues and threats right from IT security, internet security to physical security in a free-wheeling conversation with Pragati Verma. Excerpts:
Technology seems to be helping the bad guys more. In Mumbai attacks, for instance…
Well, our own infrastructure can be used against us! According to officials investigating the Mumbai attacks, terrorists used Google Earth to help find their way around. Earlier, Google Earth images of British military bases were found in the homes of Iraqi insurgents. Such incidents have led many governments to demand that Google removes or blurs images of sensitive locations. The Mumbai terrorists used open-wireless tools to communicate with each other. Now, we hear proposals of turning off mobile phone coverage in the event of a terrorist attack.
Criminals have used telephones and mobile phones since they were invented. Drug smugglers use aircraft and boats, radios and satellite phones. Bank robbers have long used cars and motorcycles as getaway vehicles, and horses before that. Mumbai terrorists used boats as well. They also wore boots. They ate lunch at restaurants, drank bottled water, and breathed the air.
If India bans Google Earth and open-wireless networks, a future terrorist will not be able to use them to plan; nor will anybody else. Terrorist attacks are rare, and it is almost always a bad trade-off to deny society the benefits of technology just because the bad guys might use it too.
You have taken on Transportation Security Administration (TSA) by taking liquids past security. Do you find airport security adequate now?
It is dumb and useless. We have been attacking the tactics and not the problem.
If there were a few targets, it would work. But since there are millions of targets, we need to upgrade investigation intelligence and emergency response. Bad guys have an objective and they will take the easiest path, whether it is through a sea or airlines or a vulnerability in your network. If you know which path they are taking today does not necessarily tell you about what they are going to do tomorrow.
The terrorists used airlines in 2001 in a particular way, and we need to make sure they never do that particular thing again. So what we get is an institution focused on defending against tactics rather than the threat. And like any institution, once it’s formed, once it’s brought into existence, it has to continue to justify its own existence. So you get an ever-increasing amount of airline security at the expense of general security.
Look at Olympics last year. A big amount was spent on security but there were no attacks at all.
Are there lessons for CIOs here? Is securing a corporate and its IT network much different?
When it comes to computer security, you have to act against crime, fraud and hackers. Companies are investing the right amount on security but their spending priorities are all wrong. The focus just seems to be on what you are implementing. They are paying too much attention to work; they should focus on making things work instead.
These tasks are best outsourced. When I come to India, I live in a hotel and not in an apartment. An apartment might be cheaper than a hotel but I can use better resources at an optimised cost in a hotel since they are shared by several people. I can get a good restaurant, good pool etc. Same is the case with outsourcing security functions. We don’t hire fulltime doctors or tax consultants, since we don’t need them all the time. Same is the case with security advisors.
Since returns here are not tangible, how do you assure return on investments (ROI) on security spend?
There is no ROI model here. That’s why you see slogans with the basic message, “We take care of security so you can focus on your business,” or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is fundamentally a negative sell.
The better solution is not to sell security directly, but to include it as part of a more general product or service. Your car comes with safety and security features built in; they’re not sold separately. Same is the case with your house. And it should be the same with computers and networks. Vendors need to build security into the products and services that customers actually want. CIOs should include security as an integral part of everything they budget for. Security shouldn’t be a separate policy for employees to follow but part of overall IT policy.
You do not talk of ROI before buying a table or infrastructure. It’s so basic that you can’t do without it. Computing will also become like that in few years. We have to start using computing power as utility. It would be like cleanliness in a hotel. I don’t think about how you clean my room, I just want it clean.
Actually, the problem is inherent in IT products. They are are so terrible that you have to buy eight more products to make sure that they work fine. You would refused to buy, for instance, a drug, which could turn poisonous if you didn’t buy eight more things to pop in.
Can security vendors assure a level of security defined in a service level agreement?
Yes, SLA approach might work. But vendors are scared of providing it as risks are too big. Insurance companies will have to step in because losses are huge. Some insurance companies have tried policies for IT. But it’s early days yet. When vendors start joining hands with insurance companies, they will be more comfortable giving an assurance.