Q&A

Bruce Schneier: The Evolution of a Cryptographer

Bruce Schneier, who literally wrote the book on cryptography, talks with Senior Editor Scott Berinato about his holistic view of security, both physical and technical.

By Scott Berinato


Recently, a George Mason University graduate student presented his thesis to a group of CIOs. The student had mapped the entire telecommunications infrastructure of the United States, using largely publicly available information. The CIOs demanded he cede his laptop to authorities and leave the conference because his thesis was a terrorism risk.

That didn't surprise me; it's an example of a common confusion between secrecy and security. Actually securing our telecommunications infrastructure would be a resilient security countermeasure. Not bothering to secure our telecommunications infrastructure and then trying to keep the vulnerabilities secret is brittle. Once the secret is out, security is lost, and you can't get it back. You have to assume that bad guys can collate the same information that the student did; thinking otherwise is sloppy security.

Why does this mind-set persist, that if we keep secrets or outlaw certain information, somehow bad guys will give up?

There is a widespread belief that secrecy equals security. It's a common misconception, and one very similar to the traditional shoot-the-messenger way of dealing with someone who brings bad news. I think it's an easy mental trap to fall into and that many people do. Secrecy does work to a point, but it's a very brittle security.

What do you mean by "brittle"?

I use the term to describe how many security systems fail. Brittle systems are systems that fail easily, completely and catastrophically. A house of cards is a brittle system; remove one card and the whole structure collapses. Most computer systems are brittle: When security fails, it fails completely. Resilient systems remain secure even in the face of failure. Different security systems back each other up. Minor failures don't turn into major failures. Chapter 9 of Beyond Fear talks about brittleness and resilience, and I identify several ways of achieving resilience: defense in depth, compartmentalization, flexibility and so on. They're all characteristics of natural security systems but are often lacking in computer security systems.

How is Congress doing on security?

I've testified before Congress on several occasions, so they're getting at least some of the right speakers.

The process of security is orthogonal to the process of our democratic government. In the United States, lawmaking is a process of consensus. The reason you get so much FUD, self-serving aggrandizing, and partisan posturing is because that's the way the process works. Everyone provides his own input, often in the form of money, and some kind of consensus is reached. Security doesn't work that way. In fact, the worst security systems are those developed by consensus. Real security means making hard choices that hurt certain companies and industries. Real security means doing what's right, not what's politically safe. The recent National Strategy to Secure Cyberspace is a case in point. Because the document offends no one, it accomplishes nothing.
