Survival Guide: Bruce Schneier, encryption expert

Bruce Schneier, encryption expert and publisher of Crypto-Gram

Counterpane

Bruce Schneier contends that the strongest security systems benefit from redundancy and variety. And as the Homeland Security Department consolidates a number of different agencies, Schneier warns that entrusting a centralized authority with securing the nation may make the country less, rather than more, secure.

Few in the field of information technology security have more expertise and industry respect than Schneier. Not only is he the author of "Applied Cryptography," one of the seminal textbooks on encryption, but his Twofish encryption algorithm was a finalist for the National Institute of Standards and Technology's new Federal Advanced Encryption Standard. He is also founder and chief technical officer of managed security service provider Counterpane Internet Security Inc., Cupertino, Calif., and publishes his own Crypto-Gram newsletter (http://www.counterpane.com/crypto-gram.html). Schneier spoke with Staff Writer Joab Jackson to discuss how best to secure the nation's IT and physical infrastructures.

WT: Why is the Homeland Security Department's plan to centralize our nation's security a move in the wrong direction?

Schneier: Centralizing security responsibilities has the downside of making our security more brittle by instituting a commonality of approach and a uniformity of thinking. Unless the new department distributes security responsibility even as it centralizes coordination, it won't improve our nation's security.
WT: What do you mean by "brittle?"

Schneier: Brittleness refers to the way a system fails. Microsoft Windows is a brittle system. A small insecurity breaks the entire system, and often the entire network. The credit-card system is resilient. It can tolerate all sorts of insecurities and still work profitably.

WT: What should Homeland Security Secretary Tom Ridge keep in mind when standing up the department?

Schneier: Security decisions need to be made as close to the problem as possible. Protecting potential terrorist targets should be done by people who understand the targets. This mode of operation has more opportunities for abuse, so competent oversight is vital. But it is also more robust and is the best way to make security work.

Also, security analysis needs to happen as far away from the sources as possible. Intelligence involves finding relevant information amongst enormous reams of irrelevant data, and then organizing all those disparate pieces of information into coherent predictions. It can't be the sole purview of anyone, not the FBI, CIA, National Security Agency or the Homeland Security Department. The whole picture is larger than any single agency, and each only has access to a small slice of it.

WT: The government is moving toward enterprise architecture to streamline systems and eliminate redundancy. Wouldn't a distributed approach be more cost-effective?

Schneier: Yes. Security is an expense. Less security is cheaper than more security. This is why we need to evaluate the trade-offs before making any security decision.

WT: Won't a distributed form of security result in more variance in the quality of security?

Schneier: Of course. All large bureaucracies will result in boondoggles. That's part of the price you have to pay.

WT: Overall, what do you think about the state of the art in IT security?

Schneier: It doesn't matter how good or bad the tools are. The problems in IT security are not about technology, they're about using technology.

We have all the tools necessary to secure the Internet. We just can't convince software developers to embed them in their products, and we can't convince users to install, configure and properly use them.

WT: Do you use a distributed approach with your own clients at Counterpane? If so, how?

Schneier: Counterpane's monitoring system has been built for redundancy from the ground up. We have multiple monitoring centers, multiple people, multiple networks, multiple systems. But more importantly, monitoring provides resilient security within a network. Vulnerabilities are inevitable, and no matter how hard you try, your network is going to be riddled with security holes.

But if you have enough pressure plates, electric eyes and motion sensors in your home, you're going to catch the burglar, regardless of how he breaks in. If you're monitoring your network at enough points, you're going to catch the intruder, regardless of which vulnerability he uses to break in.

WT: Is it valid to compare physical security with IT-related security? Aren't there fundamental differences?

Schneier: Definitely. There's the notion of a class break: A burglar can break into a home, while a hacker can develop a tool that can break into millions of computers. There's automation: A burglar has to break into each home individually, while a hacker can write a tool that breaks into millions of computers automatically. There's action at a distance: A burglar needs to drive to your house in order to break in, while a hacker can do it from halfway around the planet. And there's technique propagation: A burglar needs to learn how to break into houses, while a hacker can use automatic tools written by someone else.
