Information is our only security weapon: Bruce Schneier at Linux.conf.au

Powered by SC Magazine
 

Computer security expert Bruce Schneier took a swipe at a number of sacred cows of security including RFID tags, national ID cards and public CCTV security cameras in his keynote address to Linux.conf.au this morning.

These technologies were all examples of security products tailored to provide the perception of security rather than tackling actual security risks, he said.

“Camera companies are pushing it, but all the actual data points the other way,” Schneier said. “RFID is another one – the industry pushing it is very much distorting facts.”

The discussion of public security -- which has always been clouded by emotional decision making -– has been railroaded by groups with vested interests such as security vendors and political groups, he said.

Public discussion which should be a security debate can be coloured by politics, he said.

"In the US, a lot of security discussions become political - my side good, your side bad. It's very hard to say 'I'm going to defer to the experts' because the political sphere is so polarised there are paid experts on all sides."

It will take a generation before US attitudes towards public security move beyond the post-September 11 climate of fear, he added.

The lesson for the computer security industry is to cater to real security issues while also considering the impact which fear and other emotions have on individual and organisational decision making.

Historically, the computing industry is littered with good products which failed to gain market traction over less secure solutions, he said, pointing to the firewall market as one example.

Schneier noted that despite the well known impact of emotional and psychological thinking on security decisions, information remains the greatest weapon that we have in creating good security solutions.

The best security solution will fail if it doesn't cater to both the reality and perceptions to do with security, Schneier warned.

"For most of my career I would insult ‘security theatre’ and ‘snake oil’ for being dumb. In fact, they're not dumb. As security designers we need to address both the feeling and the reality of security. We can't ignore one.

"It’s not enough to make someone secure, that person needs to also realise they’ve been made secure. If no-one realises it, no-one's going to buy it," Schneier said.

The goal must be to get the reality and perception matching up – so that security solutions aren’t lulling users into a false sense of security, or letting them exist in an unnecessary climate of fear.

"How do you stop the stupid stuff from outweighing the reality? The way to get people to notice that reality and feeling haven't converged is information. Information is the best weapon we have.”

In the IT industry, this information is a scarce resource, he said.

"In IT there isn’t a lot of data. Our bosses ask us for it all the time. We don't have the data because people don't report or they don't know they've been attacked.

"If there's enough information out there, you get a natural convergence between feeling and reality. In the business world, information is how the problem fixes itself," he said.

Bruce Schneier is the founder and CTO of BT Counterpane. He's the author of several books on computer security and cryptography including "Beyond Fear: Thinking Sensibly about Security in an Uncertain World". He also publishes a monthly newsletter called Crypto-Gram, and publishes a blog.




Information is our only security weapon: Bruce Schneier at Linux.conf.au
 
 
 
Top Stories
ATO shaves $4m off IT contractor panel
Reform cuts admin burden, introduces KPIs.
 
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  27%
 
Sourcing and strategy
  13%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  25%
TOTAL VOTES: 440

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  54%
 
No
  46%
TOTAL VOTES: 211

Vote