Interview with Mr. Bruce Schneier — Security and Terrorism Expert
Scheduled to take place from 26-28 April 2015 at the Dubai World Trade Centre (DWTC), GISEC – the region’s leading I.T. security platform – will address key issues surrounding cybersecurity management, identity management and disaster recovery. The event will address susceptible industry sectors such as financial services, governments, oil & gas, I.T. and pharmaceuticals, as well as individuals. GISEC’s exhibition segment will also showcase over 150 exhibitors, attracting over 5,000 trade visitors and security professionals from 50 countries including Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs). We were able to conduct the interview below with one of the conference keynote speakers, Bruce Schneier.
Can you please introduce yourself to securityKaizen magazine readers (BIO, Experience)?
I’m Bruce Schneier. I work in the intersection of security, technology, and people. I do a lot of things, but the two important things right now are that I am the CTO of Resilient Systems, Inc., which sells incident management software. Basically, it’s a collaborative platform that allows incident response teams to coordinate their activities. Also, I just published a new book on surveillance and what to do about it. It is Liars and Outliers: The Hidden Battles to Collect Your Data and Control Your World. I’m also speaking at Gulf Information Security Expo & Conference (GISEC) happening at the Dubai World Trade Centre (DWTC) from 26-28 April 2015.
How do you define security?
I could write a book on that question alone. Stepping aside the philosophical discussions, good security is a combination of protection, detection, and response. We need all three, because none of them can do it all individually. We know this in the real world, but we are finally learning it in the IT world. The 1990s was the decade of protection. The 2000s was the decade of detection. And this is the decade of response. The goal, of course, is resilience. Good security is resilient.
What is cryptography? How can you see the importance of cryptography in securing the infrastructure of countries?
Cryptography is a mathematical technology that is useful in some security applications. It’s important, but it’s just a piece of technology. Good security involves many technologies, and also people and process. So while it’s important, its value can easily be overstated.
Do you think that Cryptography can solve all the security issues?
Of course not. That’s like asking if door locks can solve all security issues. Cryptography is part of the solution of those security issues that need cryptography. For example, cryptography can protect against some types of surveillance absolutely. They can protect the contents of emails and messages as they go across the Internet. But they cannot protect the surveillance data that your cell phone constantly generates so that the cell network knows where you are.
What are the major problems we’re facing on the Internet today?
I worry about many Internet problems. I worry about crime. I worry about government surveillance in both my own and other countries. I worry about corporate surveillance, which is rampant on the Internet. Mostly I worry about data: how it is generated, who has access to it, what they can do with it, how they store it, and how they dispose of it. Many of the problems on the Internet can be traced to all this data. This is the focus of the two things I have been working on. Data and Goliath looks at the world of surveillance. I examine both corporate and government surveillance: who does it, how they do it, and what they do with our data. Then I discuss the problems of surveillance and why privacy is an important value. And finally, I give both technical and political solutions to deal with both corporate and government surveillance, both domestic and foreign. My company, Resilient Systems, helps companies defend their data against attack by giving them tools to improve their incident response. Incident response is vitally important and long neglected.
Do you think that security agencies can crack the Internet privacy tools like TOR for example?
What we’ve learned from the Snowden NSA documents is that cryptography tools like PGP, Tor, OTR, and so on are secure from the NSA, at least in bulk. They cannot break the cryptography in these tools. The NSA — and other governments as well — has many tools to get around cryptography, but they do not scale as well as intercepting and analysing unencrypted traffic.
Do you see Edward Snowden’s leaks about NSA and the whole PRISM thing?
The Snowden documents have given us an extraordinary and unprecedented window into the NSA’s activities. I think it’s important to understand that while the US has a larger intelligence budget than the rest of the world combined, they’re not made of magic. The NSA tools and techniques disclosed by Snowden are the same ones being used by China, Russia, and other countries. And technology democratizes. Today’s top-secret NSA programs are tomorrow’s PhD theses and the next day’s hacker tools. So while it may seem that the NSA is more advanced than everyone else, what we’re really seeing is a preview of what the hackers are going to do next year.
How do you see the future of cyberattacks especially in the Middle East region?
The future of cyberattacks is going to look like the present, only more so. There will be criminal attacks around the world as long as personal data provides the ability to commit fraud, and intellectual property is worth stealing. Governments will continue to attack each other and their own citizens as long as there is value there. And hacktivists will continue to attack organizations for political purposes. I don’t see any of this changing, and I don’t see a lot of regional differences. As the Middle East catches up to the rest of the world in Internet infrastructure, they’ll see more and more of these sophisticated cyberattacks.
How can you see the Future of Security industry in The Middle East?
As attacks get more sophisticated, defence must similarly get more sophisticated. There’s a bright future for the security industry in the Middle East, because with the exceptions of the banking and oil sectors the region has generally not had enough IT security. This is going to change. Resilient Systems opened a European office early this year, and we’re already seeing significant demand in the Middle East. I suspect that other Internet security companies are experiencing the same thing.