Monday, March 18, 2013

A Gloomy Epiphany?

What's up with Bruce Schneier's alarmist/defeatist tone in his most recent Wired OpEd? 

Bruce Schneier - who thinks about security in creative ways, and differently - wrote a short opinion piece for Wired last week. 

Our Security Models Will Never Work - No Matter What We Do

But for it being written in his usual straightforward style this doesn't sound quite like him. 

The question for us is: can society still maintain security as technology becomes more advanced?
I don’t think it can.
Because the damage attackers can cause becomes greater as technology becomes more powerful. Guns become more harmful, explosions become bigger, malware becomes more pernicious…

Perhaps the editors meddled with the text and ruined a subtle yet incisive argument.  

...the problem isn’t that these security measures won’t work — even as they shred our freedoms and liberties — it’s that no security is perfect.

Maybe they just caught Bruce on a bad day? 

Because sooner or later, the technology will exist for a hobbyist to explode a nuclear weapon, print a lethal virus from a bio-printer, or turn our electronic infrastructure into a vehicle for large-scale murder. 

Okay, a really bad day.

...our fears grip us so strongly that, thinking about the short term, we willingly embrace a police state in a desperate attempt to keep us safe; then, someone goes off and destroys us anyway?

Bruce offers some hope - but only briefly - in the form of resilience...

Still, it’s hard to see how resilience buys us anything but additional time. Technology will continue to advance, and right now we don’t know how to adapt any defenses — including resilience — fast enough.

It's not like he's never been through paradigm shifts before.  Bruce wasn't even this morose when he realized that cryptography was not going to be the answer to every security problem.  Why the sudden sea change?  Has Bruce's work on his latest book, Liars and Outliers: Enabling the Trust that Society Needs to Thrive, led him to a place of despair?  

Providing effective security has always been hard work.  The bad guys always get the first shot and the good guys have always played catch up. Security has always been a dynamic undertaking, never a static accomplishment. If we apply defense in depth, overlapping many complementary solutions, we can detect, delay, and defeat most attackers/defectors. If our defenses are resilient, simple, and ductile they'll fail with grace and warning. We tend to the wounded, spread our losses, prepare a new set of defensive layers, and make a counter-attack if necessary.

Like Bruce points out, there are many more good guys than there are bad guys. Security professionals from all disciplines must be of stout heart and good cheer. We only lose if we give up.

All that said, this is Bruce Schneier we're talking about.  I so hope I'm not the one who's got it wrong.

PS: I emailed Bruce, who replied with assurances that he is not dejected about our profession.  He said "we need to rethink our approach to security if we are ever to deal with the inevitability of technological change."

Much better... 


  1. I have been reading Bruce's writing for 15 years and this doesn't sound like a shift to me. This is totally in line with what he has been saying all along.

  2. I agree with Brian: What he's telling us is not really different from what he has written in the last years: Don't focus too much on prevention (how do you prevent a terrorist attack in every large group of people instead of just in airplanes?) but work on general emergency plans.

    What /is/ different is the /tone/ he's promoting resilience in. I guess previous articles have failed to reach the expected audiences and he is trying to raise awareness of the topic?

  3. One tactic is to plan to offset increased levels of destructive power by reducing the motivations for attack. An optimistic, enlightenment-inspired view of society might be that we could improve along more axes than just technology. I'm thinking of things like:

    * Mental health treatment: Some proportion of violent or distressing incidents would be prevented if our diagnosis and treatment of mental health issues were better.
    * Social justice: Some proportion of domestic unrest, riots, robberies etc, would be eliminated if we created a society in which everyone felt they were given a fair chance at advancement, without those at the top, in unassailable positions, helping themselves from the till.
    * International relations: Some proportion of terrorism and international aggression could be avoided if countries had foreign policy which didn't abuse positions of military or economic strength to trample over the rights and desires of other nations.

    And so on and so forth. I'm sure you can think of other examples.