Q&A

Bruce Schneier: The Evolution of a Cryptographer

Bruce Schneier, who literally wrote the book on cryptography, talks with Senior Editor Scott Berinato about his holistic view of security, both physical and technical.

By Scott Berinato

IT professionals, on the other hand, are much more eager to learn how their methodologies and ways of thinking might apply to real-world security. I have long used physical metaphors to explain computer security techniques; it's no surprise that computer security methodologies can apply to physical security problems.

A physical security guy would argue that computer security folks are always trying to solve problems with technology even when it's not appropriate. Should we acknowledge some fallibility in leading with the IT security foot in some cases versus the physical security foot?

Computer security folks are always trying to solve problems with technology, which explains why so many computer solutions fail so miserably. I advocate thinking about security in terms of systems; I certainly don't advocate wantonly applying technology. Most of the time, the security problems are inherently people problems, and technologies don't help much. Photo ID checks are a great example: Technologists want to add this and that technology to make IDs harder to forge, but I worry about people bribing issuing officials and getting real IDs with fake names. (At least two of the 9/11 terrorists did that.) Making IDs harder to forge doesn't solve the people problem.

The iconoclasm in your book starts with its subtitle, Thinking Sensibly About Security in an Uncertain World. The implicit jab here is that there's plenty of nonsensical thinking that needs correcting. What are some of the most extreme cases you've seen or heard?

Stupid security stories are a dime a dozen. There's a website that chronicles them (www.stupidsecurity.com) and an annual award for the most egregious offenders (see "Award-Winning Stupidity," Briefing, August 2003). My greatest fear surrounding all these stupid security measures is that people actually believe they do some good.

Many people believe that increasing demands for identification increases security. Many believe that confiscating pocketknives from airplane travelers decreases the risk of hijacking. Security is both a feeling and a reality, and the more the two diverge, the more trouble we're all in.

What has two years of cyberterrorism hype yielded?

There is definitely a lot of nonsense being written about cyberterrorism these days. You can cry wolf only so many times before people start ignoring you; after two years, people have become numb to the real threats. Even as the risks of cyberterrorism are overstated and overhyped, the risks of cybercrime are downplayed and minimized. My company performs managed security monitoring for hundreds of companies worldwide, and we see common crime every day. But it's the terrorism risks that grab the headlines, and then nothing happens. There's an issue of deflected responsibility going on here. If the problem is cyberterrorism, then the government has to do something about it. If the problem is cybercrime, the network owners have to fix the problem. If you run a major network, it's certainly attractive to shift the responsibility elsewhere.
