Bruce Schneier Q&A: The Endless Broadening of Security

For Bruce Schneier, the security discipline still evolves and expands. Now he's the one trying to expand it.

CSO: Another phenomenon from the past five years: Walls. Often, they're called fences now but they've enjoyed renewed popularity in the security world. Along the Mexican border, on the West Bank, in Shia/Sunni neighborhoods in Iraq, and elsewhere, walls are being put up as a security measure. Often they're high-tech border control systems. What do you make of this? How does this relate to the work you're doing now?

Security is often about boundaries. Walls are one of our most primitive boundaries, and we have an almost visceral reaction to them. They make us feel safe. The problem is that the security of walls is less about the walls themselves and more about the doors in them. Every boundary, whether real or virtual, has authorized ways to go through it. It's the checkpoints that allow people to go between countries, the VPNs that allow people to enter the corporate network, or the doors and windows that allow us access into our own homes. My worry about walls between nations is that they decrease interaction and, by extension, understanding and trust which is a surer path towards long term security. Sure, walls can provide security in the short term, but they're not a solution for the long term.

CSO: As you look at information security today, what do you see compared to five years ago?

Schneier: Nothing has surprised me about how criminals have evolved on the Internet. Those who were paying attention knew that criminals would find the Internet as soon as there was substantial money there, and that criminal activity would get increasingly sophisticated and organized. What's more surprising is, well, that so many people were surprised by this. We're still fielding security products to defend against the hacker threat instead of the criminal threat. We're still more focused on the specifics of tactics—again, to defend against a hacker mindset—than the generalities of threats that better characterize criminals. Criminals are not hackers. They are more tolerant of risk. They have better funding. They are more interested in the goal than the particulars of the method of reaching that goal. They are older than hackers, and more experienced. And they're international.

CSO: How could this gap between the problem and how we understand and address it still exist, five years on, with so much damage to computers and people in our wake?

Schneier: There are several reasons for this gap. One is systemic, the bad guys are always going to be at least one step ahead of the good guys—they're more nimble, have less bureaucracy, are quicker to adapt to new technologies, etc.—and in a fast-changing technological world this gap is only going to get worse. The second is tactical; we are focused more on technology than on the broader picture. Security companies sell technological point solutions, so naturally they focus attention on those solutions. News stories are about tactics, which reinforces this view. And we're all enamored with technology; otherwise, we would be doing something else for a living, and we often ignore the forest for whatever neat techie trees we're currently working with.