September 01, 2003
For a while, it seemed as if Bruce Schneier himself was encrypted. No one could decipher his whereabouts for an interview with CSO. This was unusual because Schneier, founder and CTO of Counterpane Internet Security, is usually aggressively available to the press. Plus, he has a new book to promoteBeyond Fear: Thinking Sensibly About Security in an Uncertain Worlda decidedly iconoclastic and non-IT view of security. But the book also challenges physical security practitioners to learn a thing or two from the infosecurity ranks: to think in terms of systems.
Beyond Fear represents Schneier's most ambitious departure yet from infosecurity, an arc he's been traversing for some time now. When Senior Editor Scott Berinato finally found him, at a folk festival in Winnipeg, Canada, he was eager to talk about his evolution from mathematician to security generalist, and about the cultural disconnect between physical and information security and what he means by "brittle security."CSO: You've certainly evolved from your cryptography days.Bruce Schneier: Security is a system, and the more I worked with security the more I realized that a systems perspective is the most appropriate one. When my primary work was in cryptography, I would design mathematically secure systems that would be defeated by clever attacks against the computers they ran on. Then, when I started doing more work in computer security, I would see well-designed security software and hardware being defeated by insecure networks. And then secure networks being defeated by human error. And so on. Security is a chain, and it's only as secure as the weakest link. Improving the cryptography is often a futile exercise of strengthening the strongest link. Looking for the weakest link inevitably leads one to an ever-expanding systems perspective.
Similarly, noncomputer security can best be understood and evaluated using the same techniques we've developed for computer systems. The whole impetus driving Beyond Fear was my realization that conventional security was mostly a hodgepodge of tricks and techniques, and that there was little systems thinking. And, as a computer-security expert, I could bring some of that kind of thinking into the debate. You'll ruffle some feathers with that. The cultural merger of physical and IT security will be hard. Some will take exception to your idea that they're not thinking in terms of systems.There's a huge cultural disconnect between the physical security guys and the computer security guys precisely because the former don't think in terms of systems. I see it all the time when I look at security systems. The physical guys spend a lot of time worrying about national ID cards, while I wonder what identification has to do with the threats they are supposed to be countering. The physical guys make sure identification is checked twice at airports, but I notice that the people doing the ID verification can't tell the real documents from forgeries. The physical guys think that confiscating a penknife from a grandmother is a success, but I see a system that failed. Our security is so riddled with holes because the physical guys don't think in terms of systems.Your evolution can be seen as a microcosm of what we've seenthat info and physical security are two tactics shared by the security discipline. Do you meet resistance from physical security guys when you speak more broadly about security, and conversely what do IT security folks, cryptographers and the like think about your broadening view?The traditional physical security profession is centuries old and very resistant to change. I find that most practitioners aren't able to think about their traditional problems in new ways. We saw this clearly in January 2003, when Matt Blaze published a paper on how to break a physical door-locking system. Professional locksmiths were outraged; "secret knowledge" should never be in the hands of the masses. But from my perspective, secret knowledge is always in the hands of the bad guys, and unless the good guys possess the same knowledge, the problem will never get fixed.