Bruce Schneier: No "magic security dust" December 2, 2002

Bruce Schneier's Dec 2002 Discussion on Security Practices and Internet Crime

Tech entrepreneur Bruce Schneier is one of America's best-known computer security experts. His testimony before Congress helped defeat legal restrictions on cryptography sought by the FBI and the National Security Agency when an appellate court ruled in 1999 that crypto algorithms were a form of speech covered by the First Amendment.

Schneier co-founded security services company Counterpane Internet Security where he serves as chief technologist. Schneier believes that constant vigilance, and not application of more security technology, is the best defense against computer break-ins.

Schneier also believes security breaches will increase as networking systems become more complex.

Question 1: What's going to be different about the state of Internet and network security three years from now?

I think we're finally past the era where people believe in magic security dust,. By magic security dust, I mean that companies think that all they need to do is buy the right set of products and their network will be imbued with the property of "secure." Security is a process. It's a journey.

Question 2: Will security breaches become fewer or more frequent?

They will increase. As more of our infrastructure moves online, as more things that someone might want to access or steal move online, there will be more security breaches. As our networking systems become more complex, there will be more security breaches. As our computers get more powerful and more useful, there will be more security breaches. Everything about computer networks points to more security breaches in the future.

Question 3: Will security firms come up with the secret weapon that turns the tables on cyberintruders, thus banishing illegal hacks to memory?

If only it were possible...There are no secret weapons; there never will be. People have this recurring fantasy that technology will someday magically make them secure.

A few months ago someone asked me: 'When will we be able to prevent computer hacking?' I thought about it and responded with another question: 'We've been a civilization for 4,000 years; when are we going to prevent murder?' The answer is that we're not.

There's nothing I can sell you--there's no product on the drawing board--that will prevent murder. Cyberspace is no different. The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks.

Question 4: In a recent Crypto-Gram, you say the federal cybersecurity plan is nothing but a paper tiger and that the government needs to step in with legislation. What kind of regulation is needed?

Laws can be both good and bad. If the law is "companies are liable for their actions," that would be good. If the law is "companies are required to use SecureProduct 2.0," that would be bad. I don't think that "law" necessarily means "regulation." It could just as easily mean "free market."

I would like the software industry to be just as liable for the effects of their products as any other industry.

If Firestone makes a tire with a systemic flaw, it is liable. If Microsoft produces an operating system with three systemic flaws per week, it is not liable. Something is wrong there.

Question 5: In the absence of such measures, are we headed for a devastating attack on the Internet or other computer networks in the near future? By devastating, I mean one that wreaks havoc, such as the shutdown of airports or businesses.

I'm not convinced that your two examples count as devastating. Weather shuts down airports and businesses all the time, and they survive. So, yes, there will be lots of attacks that cause all sorts of problems. But the "devastation" will be less than the government likes to paint.

Question 6: If cyberterrorism is not a big risk, as you stated in another Crypto-Gram, then what is really at stake?

Crime. Mostly the same kinds of crime you see in the real world: fraud, theft and so on.

Question 7: Why should people be worried about Internet security?

Because their privacy and financial security may be compromised. Terrorism is so rare in the United States, so why should people be worried about home security? There are lots of other attackers. Remember, even after Sept. 11 the odds of dying in a terrorist attack are still so close to zero as to make them not worth worrying about. But everyone you know knows someone who died in an automobile accident.

Question 8: Do you think the first cyberwar between nations will be fought in this decade?

It depends on what you mean. Already we've had wars that have a cyber component. If you mean a war that is fought only in cyberspace, I don't think that will happen in this century.

Question 9: What is the biggest wild card in Internet security? What is the aspect or element that is hardest to control or predict?

People.

Question 10: Should people be licensed to use the Internet, like people are licensed to drive a car?

Of course not. That's idiotic. Should people be licensed to have children?

Question 11: Is network security too complex for small companies, or even large ones, to handle on their own?

Yes. It always has been. Almost every firewall out there is configured wrong, most of them so badly as to be useless to stop attackers. Almost every network has hundreds of vulnerabilities that render it Swiss cheese to attackers.

Companies don't have the time or the expertise. But that's the way modern society works. People don't have the time or the expertise to be their own doctors. Instead, they outsource. People don't have the time or expertise to be their own criminal investigative unit, to build their own house, or to fix their own car.

We outsource because we have a common problem and need to share in a common solution. Network security is no different.

More Comments from Bruce Schneier on Internet Crime

From:Bruce Schneier, CTO of Counterpane Internet Security, Inc., December, 2002

I think the next big Internet security trend is going to be crime. Not the spray-painting, cow-tipping, annoyance-causing crime we've been seeing over the past few years. Not the viruses and Trojans and DOS attacks for fun and bragging rights. Not even the epidemics that sweep the Internet in hours and cause millions of dollars of damage. Real crime. On the Internet.

Crime on the Internet is nothing new. We've all heard isolated stories of competitors breaking into each other's networks, hackers breaking into networks and extorting money from dazed sysadmins, and industrial espionage, identity theft, simple monetary theft from banks and other financial institutions, but it's the Nimdas and the root-name-server attacks that make the headlines.

While we're worrying about those threats, the criminals are slipping by unnoticed. They're stealing money and things they can sell for money. They're stealing credit card numbers and identity information and using it to commit fraud. They're engaging in industrial espionage. The crimes never change; only the tactics are new.

I predict that people will start noticing. Companies have a strong self-interest not to publicize any real crime against their networks. The bad press from making an attack public is often more harmful than the attack itself. But the times are changing. Just this year, California passed a law--with large loopholes, unfortunately--requiring companies to make these attacks public. I predict more of these laws in the future.

Criminals tend to lag technology by five to ten years, but eventually they figure it out. Just as Willie Sutton robbed banks because "that's where the money is," modern criminals will attack computer networks. Increasingly, value is online instead of in a vault; illicitly changing a number in a database can be more lucrative than staging a robbery.

Real crime is hard to detect. When your network is being scanned dozens of times a day by script kiddies, the one serious criminal can sneak in unnoticed. At Counterpane, we monitor hundreds of networks against attack. Our hardest job, and the thing we spend the most time worrying about, is catching the real criminals among the hundreds of annoying hackers.

It's the insider trying to change his salary in the human resources computer. It's the robbers trying to manipulate account balances on a bank computer. This is the real crime on the net, and when we catch these guys, our customers are elated. More and more, this is going to be where companies want their computer security dollars to be spent.

Return to the Beginning of this Document