In his keynote address to Linux.conf.au this week he said information is our only effective security weapon, but that the computer security industry must not ignore the impact of fear and other emotions on individual and organisational behaviour.
In an interview with ITNews he elaborated on the challenges for the IT industry and the creators of security solutions.
If your job is to specify and create a security solution for your organisation, how do you neutralise the emotion and FUD (fear, uncertainty and doubt) to build the solution you want?
The only way to overcome it is through information. You have to counter people's natural reactions, their default ways of thinking. You need to make people stop and think about what they're doing. Sure it is hard but people in those positions do this all the time. In businesses, it's going to be easier. If you get it right, your business is more successful and you get more profits. So there's an incentive to get it right.
You seem to think that security vendors are part of the problem of 'snake oil' and 'security theatre' - does the IT industry need to do more to bring public perceptions about security closer to reality?
I'd like it if they did. The industry is good at FUD, but it's been crying wolf too many times. I'd like it if the industry would stop, but I don't know about 'needs to'.
You said in your keynote to LCA that information is the best weapon we have. But companies get penalised for disclosing security breaches through a lowered share price and lowered consumer confidence. So how can we as users trust the information which is available to us when companies have an incentive not to disclose it?
You can't. I can't tell you how much information about security breaches goes undisclosed - often victims don't even know they've been breached. You can call Gartner and they'll give you a number, but it's meaningless. We live in a capitalist society and you can't ask companies to voluntarily do things which are against their interests for the greater good. If they did, their shareholders would sack them.
In your talk you referred to the vested interests of governments and elected officials contributing to public misinformation about security issues. Last year the Australian government released a NetAlert internet filter to the public which was cracked by a schoolboy within half an hour. And the current government has a policy of bringing in mandatory ISP filtering. Is this typical of governments catering to the fear of the internet rather than making people more secure?
Sadly it is typical. Elected officials get re-elected if they make their constituents feel safer, so it's in their interests to do so. They'll buy stuff that doesn't work - like the RFID transit card system in the Netherlands which was cracked by a student in two weeks.
So which institutions can we look to to cut through the security theatre and obtain real information?
Things like disclosure laws. You make it mandatory. That works - everyone's in the same boat, no one company is penalised, you just changed the playing field. In the US the states have been bringing in mandatory disclosure laws - California was the first. If you lose people's data, you have to disclose. So companies started spending more money on security [to avoid breaches and the resulting damages from public disclosure].
Bruce Schneier is the founder and CTO of BT Counterpane. He's the author of several books on computer security and cryptography including "Beyond Fear: Thinking Sensibly about Security in an Uncertain World". He also publishes a monthly newsletter called Crypto-Gram, and publishes a blog.
Bruce Schneier on fighting security FUD
Staff Writer on Feb 1, 2008 2:00PM