Bruce Schneier's Dec 2002 Discussion on Security Practices and Internet Crime
Tech entrepreneur Bruce Schneier is one of America's best-known
computer security experts. His testimony before Congress helped defeat
legal restrictions on cryptography sought by the FBI and the National
Security Agency when an appellate court ruled in 1999 that crypto
algorithms were a form of speech covered by the First Amendment.
Schneier co-founded the security services company Counterpane Internet
Security, where he serves as chief technologist. Schneier believes that
constant vigilance, and not application of more security technology,
is the best defense against computer break-ins.
Schneier also believes security breaches will increase as networking
systems become more complex.
Question 1: What's going to be different about the state of Internet
and network security three years from now?
I think we're finally past the era where people believe in magic
security dust. By magic security dust, I mean that companies
think that all they need to do is buy the right set of
products and their network will be imbued with the property of
"secure." Security is a process. It's a journey.
Question 2: Will security breaches become fewer or more frequent?
They will increase. As more of our infrastructure moves online, as
more things that someone might want to access or steal move online,
there will be more security breaches. As our networking systems become
more complex, there will be more security breaches. As our computers
get more powerful and more useful, there will be more security
breaches. Everything about computer networks points to more security
breaches in the future.
Question 3: Will security firms come up with the secret weapon that turns the
tables on cyberintruders, thus banishing illegal hacks to memory?
If only it were possible... There are no secret weapons; there never
will be. People have this recurring fantasy that technology will
someday magically make them secure.
A few months ago someone asked me: 'When will we be able to prevent
computer hacking?' I thought about it and responded with another
question: 'We've been a civilization for 4,000 years; when are we
going to prevent murder?' The answer is that we're not.
There's nothing I can sell you--there's no product on the
drawing board--that will prevent murder. Cyberspace is no different.
The best thing we can do in cyberspace is exactly what we do in the
real world: do our best to manage the risks.
Question 4: In a recent Crypto-Gram, you say the federal cybersecurity plan is
nothing but a paper tiger and that the government needs to step in
with legislation. What kind of regulation is needed?
Laws can be both good and bad. If the law is "companies are liable for
their actions," that would be good. If the law is "companies are
required to use SecureProduct 2.0," that would be bad. I don't think
that "law" necessarily means "regulation." It could just as easily
mean "free market."
I would like the software industry to be just as liable for the
effects of their products as any other industry.
If Firestone makes a tire with a systemic flaw, it is liable. If
Microsoft produces an operating system with three systemic flaws per
week, it is not liable. Something is wrong there.
Question 5: In the absence of such measures, are we headed for a devastating
attack on the Internet or other computer networks in the near future?
By devastating, I mean one that wreaks havoc, such as the shutdown of
airports or businesses.
I'm not convinced that your two examples count as devastating. Weather
shuts down airports and businesses all the time, and they survive. So,
yes, there will be lots of attacks that cause all sorts of problems.
But the "devastation" will be less than the government likes to paint.
Question 6: If cyberterrorism is not a big risk, as you stated in another
Crypto-Gram, then what is really at stake?
Crime. Mostly the same kinds of crime you see in the real world:
fraud, theft and so on.
Question 7: Why should people be worried about Internet security?
Because their privacy and financial security may be compromised.
Terrorism is so rare in the United States, so why should people be
worried about home security? There are lots of other attackers.
Remember, even after Sept. 11 the odds of dying in a terrorist attack
are still so close to zero as to make them not worth worrying about.
But everyone you know knows someone who died in an automobile
Question 8: Do you think the first cyberwar between nations will be fought in this
It depends on what you mean. Already we've had wars that have a cyber
component. If you mean a war that is fought only in cyberspace, I
don't think that will happen in this century.
Question 9: What is the biggest wild card in Internet security? What is the aspect
or element that is hardest to control or predict?
Question 10: Should people be licensed to use the Internet, like people are
licensed to drive a car?
Of course not. That's idiotic. Should people be licensed to have
Question 11: Is network security too complex for small companies, or even large
ones, to handle on their own?
Yes. It always has been. Almost every firewall out there is configured
wrong, most of them so badly as to be useless to stop attackers.
Almost every network has hundreds of vulnerabilities that render it
Swiss cheese to attackers.
Companies don't have the time or the expertise. But that's the way
modern society works. People don't have the time or the expertise to
be their own doctors. Instead, they outsource. People don't have the
time or expertise to be their own criminal investigative unit, to
build their own house, or to fix their own car.
We outsource because we have a common problem and need to share in a
common solution. Network security is no different.
More Comments from Bruce Schneier on Internet Crime
From: Bruce Schneier, CTO of Counterpane Internet Security, Inc., December 2002
I think the next big Internet security trend is going to be crime. Not
the spray-painting, cow-tipping, annoyance-causing crime we've been
seeing over the past few years. Not the viruses and Trojans and DOS
attacks for fun and bragging rights. Not even the epidemics that sweep
the Internet in hours and cause millions of dollars of damage. Real
crime. On the Internet.
Crime on the Internet is nothing new. We've all heard isolated stories
of competitors breaking into each other's networks, hackers breaking
into networks and extorting money from dazed sysadmins, and industrial
espionage, identity theft, simple monetary theft from banks and other
financial institutions, but it's the Nimdas and the root-name-server
attacks that make the headlines.
While we're worrying about those threats, the criminals are slipping
by unnoticed. They're stealing money and things they can sell for
money. They're stealing credit card numbers and identity information
and using it to commit fraud. They're engaging in industrial
espionage. The crimes never change; only the tactics are new.
I predict that people will start noticing. Companies have a strong
self-interest not to publicize any real crime against their networks.
The bad press from making an attack public is often more harmful than
the attack itself. But the times are changing. Just this year,
California passed a law--with large loopholes,
unfortunately--requiring companies to make these attacks public. I
predict more of these laws in the future.
Criminals tend to lag technology by five to ten years, but eventually
they figure it out. Just as Willie Sutton robbed banks because "that's
where the money is," modern criminals will attack computer networks.
Increasingly, value is online instead of in a vault; illicitly
changing a number in a database can be more lucrative than staging a
Real crime is hard to detect. When your network is being scanned
dozens of times a day by script kiddies, the one serious criminal can
sneak in unnoticed. At Counterpane, we monitor hundreds of networks
against attack. Our hardest job, and the thing we spend the most time
worrying about, is catching the real criminals among the hundreds of
It's the insider trying to change his salary in the
human resources computer. It's the robbers trying to manipulate
account balances on a bank computer. This is the real crime on the
net, and when we catch these guys, our customers are elated. More and
more, this is going to be where companies want their computer security
dollars to be spent.
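The detection problem described above (the one serious actor hidden among dozens of noisy scans, the insider editing his own salary, the manipulated account balance) can be illustrated with a small audit-log triage routine. This is an added example, not code from the interview or from Counterpane; the event format, the account names and the two rules are assumptions constructed for illustration.

```python
"""Triage of a constructed audit trail: separate scan noise from
value-changing events that lack authorization.

Added example (not from the interview or Counterpane). The audit
records, names and rules below are constructed for illustration.
Two rules flag the kind of "real crime" the text describes:
  1. A salary record changed by the same person it belongs to.
  2. A balance change that no posted transaction accounts for.
Port scans are counted but not alerted on, so they do not drown
out the events an analyst should actually look at.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class AuditEvent:
    kind: str                      # "scan", "salary_update", "balance_update"
    actor: str                     # account or address that caused the event
    subject: str                   # record or host affected
    amount: float = 0.0            # change applied (constructed values)
    txn_id: Optional[str] = None   # posted transaction backing the change


# Constructed sample audit trail: forty noisy scans from hypothetical
# addresses, then a handful of database changes, two of them improper.
SAMPLE_EVENTS: List[AuditEvent] = [
    AuditEvent("scan", f"198.51.100.{i}", "fw-edge") for i in range(40)
] + [
    AuditEvent("salary_update", "hr_admin", "asmith", 500.0),          # normal
    AuditEvent("salary_update", "jdoe", "jdoe", 30000.0),               # insider
    AuditEvent("balance_update", "teller1", "acct-1001", 250.0, "T-9001"),  # normal
    AuditEvent("balance_update", "teller1", "acct-1002", 90000.0, None),    # no txn
]

# Transactions the ledger actually posted (constructed).
POSTED_TRANSACTIONS: Set[str] = {"T-9001"}


def find_suspicious(events: List[AuditEvent],
                    posted_txns: Set[str]) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (number of scans seen, list of (actor, reason) alerts)."""
    scan_count = 0
    alerts: List[Tuple[str, str]] = []
    for e in events:
        if e.kind == "scan":
            scan_count += 1          # noise: count it, move on
            continue
        if e.kind == "salary_update" and e.actor == e.subject:
            alerts.append((e.actor, "changed own salary record"))
        if e.kind == "balance_update" and e.txn_id not in posted_txns:
            alerts.append((e.actor,
                           f"balance change on {e.subject} with no posted transaction"))
    return scan_count, alerts


if __name__ == "__main__":
    scans, found = find_suspicious(SAMPLE_EVENTS, POSTED_TRANSACTIONS)
    print(f"{scans} scans ignored, {len(found)} events need review:")
    for actor, reason in found:
        print(f"  {actor}: {reason}")
```

The point of the two rules is not their sophistication but where they look: at the small number of events that change a number worth money, with an authorization check (who is allowed to change this record, and is the change backed by a ledger entry) rather than at the volume of scan traffic.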