Monday, March 18, 2013

A Gloomy Epiphany?

What's up with Bruce Schneier's alarmist/defeatist tone in his most recent Wired OpEd? 

Bruce Schneier - who thinks about security in creative ways, and differently - wrote a short opinion piece for Wired last week. 

Our Security Models Will Never Work - No Matter What We Do

But for it being written in his usual straightforward style, this doesn't sound quite like him.

The question for us is: can society still maintain security as technology becomes more advanced?
I don’t think it can.
Because the damage attackers can cause becomes greater as technology becomes more powerful. Guns become more harmful, explosions become bigger, malware becomes more pernicious…

Perhaps the editors meddled with the text and ruined a subtle yet incisive argument.  

...the problem isn’t that these security measures won’t work — even as they shred our freedoms and liberties — it’s that no security is perfect.

Maybe they just caught Bruce on a bad day? 

Because sooner or later, the technology will exist for a hobbyist to explode a nuclear weapon, print a lethal virus from a bio-printer, or turn our electronic infrastructure into a vehicle for large-scale murder. 

Okay, a really bad day.

...our fears grip us so strongly that, thinking about the short term, we willingly embrace a police state in a desperate attempt to keep us safe; then, someone goes off and destroys us anyway?

Bruce offers some hope - but only briefly - in the form of resilience...

Still, it’s hard to see how resilience buys us anything but additional time. Technology will continue to advance, and right now we don’t know how to adapt any defenses — including resilience — fast enough.

It's not like he's never been through paradigm shifts before.  Bruce wasn't even this morose when he realized that cryptography was not going to be the answer to every security problem.  Why the sudden sea change?  Has Bruce's work on his latest book, Liars and Outliers: Enabling the Trust that Society Needs to Thrive, led him to a place of despair?  

Providing effective security has always been hard work. The bad guys always get the first shot and the good guys have always played catch up. Security has always been a dynamic undertaking, never a static accomplishment. If we apply defense in depth, overlapping many complementary solutions, we can detect, delay, and defeat most attackers/defectors. If our defenses are resilient, simple, and ductile, they'll fail with grace and warning. We tend to the wounded, spread our losses, prepare a new set of defensive layers, and make a counter-attack if necessary.

As Bruce points out, there are many more good guys than there are bad guys. Security professionals from all disciplines must be of stout heart and good cheer. We only lose if we give up.

All that said, this is Bruce Schneier we're talking about.  I so hope I'm not the one who's got it wrong.

PS: I emailed Bruce, who replied with assurances that he is not dejected about our profession. He said "we need to rethink our approach to security if we are ever to deal with the inevitability of technological change."

Much better...