Q&A: Bruce Schneier on joining IBM, IoT woes, and Apple v the FBI
It's going to get worse before it gets better
RSA 2016 Security guru Bruce Schneier is a regular at shows like RSA and his talks are usually standing-room-only affairs.
Schneier has written some of the definitive texts for modern cryptography teaching and his current book, Data and Goliath, examines the perils and solutions to government and corporate surveillance of internet users. The Register sat down with him to talk over the news of the day, and to get an idea of where the security industry is going.
Q: First things first – you're the CTO of Resilient Systems, which IBM is in the process of buying. Are you planning to stay on?
That's the plan; I'm 100 per cent planning on joining IBM. As far as I know the entire team is coming over as well.
Q: IBM has had a spotty record with acquisitions. How confident are you that the firm will carry on developing the incident response systems Resilient has developed?
We did a lot of research on this when the offer came up of an outside acquisition. Gone are the days when IBM bought ISS and destroyed it. IBM Security is its own little company and it has bought a lot of good stuff and carried on developing it, so we were happy to go ahead.
Q: Yesterday you gave a rather scary talk on the likelihood of a coming breakdown in the interconnected world. You talked about a lot of problems – what do you think the solutions are?
I didn't mean to be doom laden, but that's the way these things start – you always start with the problems. But I'm just on the start of this process – it's likely that yesterday's talk will form the basis of my next book and when I've thought that through, about a third of the volume will look at solutions.
But I really do believe this is a big problem that needs to be addressed. I hope a catastrophic failure won't come about, but the fact of the matter is we humans are much more reactive than proactive.
Q: But a few years ago you were so dismissive of cyber terrorism, pointing out that if email goes down we'd be pissed off, but not terrorized. What has changed?
Because the [number] of devices involved is much greater. Connected systems are everywhere and so the effects are magnified on a global scale.
Mobile malware isn't as big an issue because they are just little computers. But you can now attack home routers, thermostats and fridges and use them to amplify attacks. It's the low cost, low engineered things that are the real risks ahead.
Q: What about the Apple verses FBI case? It's a hot topic at the moment.
The FBI will carry on trying to get their way even if they fail in the San Bernardino case – it has always been a giant game of whack-a-mole and that has been true since the beginning of computing.
We fought these battles in the 1990s cryptowars and won, but it's not going to stop. In part it's generational, you have to educate the next generation about the issue. Frankly, the FBI got scared and sloppy – they got too reliant on grabbing everything.
It's clear that the San Bernardino case was preselected as a legal precedent case. If the password failure issue was intentionally done I have no way of knowing.
What's interesting is that this time the FBI has broken with everyone else in government. The NSA supports strong crypto and Rogers gave a great talk here this week. The NSA is on a big PR push at the moment to bolster its public image.
Society has to decide which is more important: temporary security or surveillance. The former is not more important than the latter.
Q: There has been a lot of talk at the show about the lack of qualified security staff. What's the holdup; we've been complaining about this for years now?
Decades even. It's not a supply problem I don't think, more of a demand issue. Demand for security staff is through the roof and there aren't enough people to fill the roles.
Look around you. This year there are 40,000 frickin' people here for goodness sake. Cybersecurity courses aren't hard to come by, but demand is huge.
Q: Finally, are you optimistic for the future of IT security?
In the short term no. But in the long term we'll work it out. ®
Sponsored: DevOps and continuous delivery