Security Versus Security: A Conversation with Bruce Schneier


A public interest technologist, Bruce Schneier is the author of the internationally renowned blog "Schneier on Security" and a fellow at the Berkman Klein Center for Internet & Society.

Your profile says you're a public-interest technologist. What exactly does that mean?

So a public-interest technologist is a general term for somebody who integrates technology and public policy. Public-interest technologists integrate the two disciplines by working on the policy of technology, working on technology with a public purpose, working on tech for a public-interest organization, or otherwise doing something that straddles both technology and the public interest.

The term was coined by the Ford Foundation. It's an umbrella term that tries to encompass a lot of different people doing a lot of different things. And it's something I think is increasingly important in our technological age. All of the major public policy issues of this decade and probably this century have a strong technological component. And we'll never get the policy right if we get the tech wrong. We need people who straddle those two areas.

To get to the next question, what are the most daunting cyber threats facing the United States?

Cyber threats come in many forms, and it's really hard to organize them in order of dauntingness. It really depends on your perspective and what you're focused on. We're worried about national security cyber threats, both espionage and attack. We're worried about criminal threats, from extortion and ransomware to data theft and misuse and everything in-between. And really, what we're seeing are a series of very vulnerable technologies that can be attacked by a variety of actors for a variety of purposes.

It's less useful to look at the particular threats and better to look at the ecosystem because a lot of security technologies and policies mitigate a wide variety of threats. I think that's a better way of looking at the landscape. News articles like to talk about the worst threat or the nightmare scenario. I think those really obscure the actual issues because they just push fear buttons, rather than letting people focus on clear policy.

What have been some recent cyber attacks that we should know about, but maybe don't necessarily know about?

I can’t think of any off the top of my head. But it is true that what makes the news is often kind of random. In the news this week is an attack against a water treatment facility in Florida, where somebody hacked in and increased the supply of lye in the water to poisonous levels. This could have been fatal if someone hadn’t noticed the change and reversed it. This made the news, but only because the sheriff there held a press conference. Otherwise, we wouldn't have known about it.

These sorts of vulnerabilities, these very prosaic ones in boring systems, often don't make the news. We know about the SolarWinds or Sunburst attack, a major attack by Russia against the United States and other countries, not because the US government discovered it, but because a private company called FireEye discovered it and told the US government. Again, it's kind of an accident that we know about it.

The most important attacks tend to be the ones that none of us know about, either because they haven’t been discovered or because the victim is keeping quiet. Banks pretty much never talk about their attacks because they know it erodes trust in their institutions, so they keep it quiet. We don't know about things the United States does in other countries. For example, we only know about Stuxnet, the US and Israeli attack against Iranian nuclear weapons facilities, because it escaped by accident after a couple of years. We might never have known about that. It's really disquieting to see the attacks that we do know about and the luck that led up to us knowing about them and realize there are probably an equal number of them on the other side of the luck that we don't know about.

Could you talk a little bit more about the SolarWinds attack?

SolarWinds is interesting because it's what's called a supply-chain attack. If you are a government or criminal, and you want to go after a certain network, company, or government organization, and it is too well defended, one way in is through something it uses. So what the Russians did was attack SolarWinds’ Orion, a network management product that hundreds of thousands of networks around the world use. They also attacked Microsoft Office 365, a cloud service that probably millions of organizations worldwide use. By going after those third parties, they were able to breach the networks they were interested in. They also attacked Malwarebytes, and they attacked FireEye in an attempt to use those as a stepping stone into actual networks.

Now, this is important because our networks today are so complicated that we have dozens or hundreds of suppliers. We're seeing examples of source code libraries being compromised, or apps in the Google Play Store or the Apple Store being compromised as a way to get at individuals. This is an increasingly powerful attack vector, which leverages how complicated our network supply chains are, and how little we actually know about them.

Changing the topic a little bit, I noticed in the syllabus for one of your classes at the Kennedy School, you had a class on cyber arms manufacturers, and I know absolutely nothing about that. I'm sure many of our readers don't either.

I want to recommend a new book by Nicole Perlroth, a reporter for the New York Times. It’s a fantastic book, titled This Is How They Tell Me the World Ends. She writes specifically about these cyberweapons arms manufacturers, these private companies that are selling cyberweapons and surveillance tools to governments around the world. In many cases, these governments are ones that we all would rather not have these capabilities: Saudi Arabia, Sudan, Kazakhstan, Mexico, and so on. This turns out to be a major business in the United States and Europe, just like weapons sales were during the Cold War. These countries lack the expertise to hack but are buying it from private companies. I think this is very destabilizing, and Perlroth makes the argument for how dangerous this is for everybody.

Getting to your bread and butter, what are some of your policy recommendations for the United States to get a better handle on cybersecurity threats?

There are a lot of policy recommendations; my books tend to be filled with them. In Data and Goliath, my book about surveillance, the last third is policy recommendations. Click Here to Kill Everybody, a book about the Internet of Things and safety, is also filled with policy recommendations.

While the devil’s in the details, in general, I want the United States to adopt a defense dominant strategy. We are a major aggressor in cyberspace, and we tend to like systems to be vulnerable in order to facilitate that aggression. That's no longer sustainable. It's no longer secure. These systems are critical to our infrastructure, and keeping them secure is more important than leaving them vulnerable. It's not security versus privacy. It's security versus security. A strong defense will necessarily benefit everyone, even though it also limits offense.

There are a lot of things we can talk about regarding how to do that. We can talk about liabilities, or standards and regulations. I would really like the federal government to have strong procurement standards that companies can leverage to secure their own systems. We need international agreements and treaties. There are a lot of things we need to do. Really, we need to decide that we're willing to accept limitations on offense, because defense is so critical.

For private companies who are worried about international cyberattacks, what are their best moves?

For private companies concerned about international nation-state cyberattacks, unfortunately some of it is above their pay grade. There's not a lot a company can do if the government of Russia wants into their system. The things they can do are the things they are going to do to protect themselves against criminal cyberattacks, not nation-state actors.

There are a lot of technologies we'd like companies to implement. The question really is, does it make sense from a business perspective? In a lot of cases, it doesn't. SolarWinds is an interesting example. It is a private equity-funded company. It's owned by Thoma Bravo, which is a private equity firm owned by a Brazilian billionaire. That private equity firm's business model is to squeeze expenses out of companies to increase profits. That includes cybersecurity expenses. SolarWinds deliberately underspent on security, because it made business sense for the owners to push risk onto their customers in the name of short-term profits. It failed in this case, but in a lot of cases that approach is successful.

The point is not to give businesses a laundry list of tech but instead to recognize that the business model is broken. The market economy incents underspending on security, just as the market economy incents ignoring pollution. The way to fix it is not to tell companies how to do better, but to build financial incentives so that they want to do better—and then they'll figure it out for themselves. That's how we can leverage the market to improve security.

What should private citizens do, not necessarily just against nation-state actors, but generally against the threat of criminal cyberattacks?

There is a lot of advice you can give individuals (use encryption, have good backups, be careful about personal information), but to a large extent, their security is out of their hands. The security of their email depends on the security of Google or Apple or Microsoft, not what they can do for themselves. We're all putting our data in the cloud, which means we are at the mercy of these cloud providers for our security. If someone hacks into an online store and steals a bunch of credit card data, there's nothing you personally could have done to prevent that.

And while there are things we can do around the edges, in a lot of cases there’s not much we can do. The kind of advice that prevents those attacks (don't have a credit card, don't have an email account, don't use Facebook) is largely impractical for people living a normal human life in the 2020s.

So what I want individuals to do is to make this important. This needs to be a political issue. It needs to be perceived as important. It wasn't in 2020, or in any previous national election. This was not something that ever came up in a presidential debate. This wasn't something the press covered the candidates’ opinions about. When it's not an issue, lobbyists win. Whoever brings the biggest check to the elected officials wins. And we can't afford that anymore, so I want individuals to make this important politically.