The famous computer security specialist, cryptographer, founder and CTO of ‘BT Managed Security Solutions’ Bruce Schneier delivers a talk at RSA Conference 2012 where he expresses his non-standard viewpoint on today’s major risks to the Internet.
Hi! Today I would like to talk about risks to the Internet infrastructure, but a specific kind. I don’t want to talk about hackers or criminals, or terrorists. I want to talk about risks to the Internet infrastructure coming from the good guys. If this was a real tech audience, I might call it ‘Layer 8’ and ‘Layer 9’ risks; talk about, basically, economics and politics.
I think the real risks in the Internet today are not from the criminals and the hackers. They are from business, and they are from government. And the more we start thinking this way, the better chance we have of keeping the Internet we want and not getting stuck with things we don’t want.
So I have three risks I want to talk about.
Threat 1: The rise of big data
I call the first one ‘The rise of big data’. And I might change that word, because a normal definition of big data is big data sets. So you see a lot of talk about how to manipulate big data. By big data I mean an industry force, like big oil or big tobacco – companies that make a living with our data; and what they are doing and want to do to the Internet.
So I’m talking about data brokers; companies like Google and Amazon who have our data; social networking sites like Facebook. These companies and many, many more are collecting our data. They are collecting it as we browse, as we send SMS messages, as we tweet. This data is more and more being saved, it’s being bought and sold, and it’s being used to make decisions about us – you know, primarily it’s advertising decisions.
But more and more we are seeing this being used for things like employment decisions or college admission decisions. Government makes use of this data. There was a proposal several years ago – it didn’t come into force – to use this data at airline checkpoints. You know, that’s not happening but this data is being used at fusion centers. More of this data is being collected, being saved and being used.
From a product side, everything is going out in the cloud. So data that used to be on our computers are now being put elsewhere, but under the control of some other company.
Well, you put a post on Facebook and it’s protected based on your privacy settings, so that you know who of your friends can see it and who can’t. But the company on the back end can of course see everything. And they can use everything. And they do!
So, right now we are seeing companies pushing for legislation, or more often lack of legislation that limits what they do. These companies are very big, very profitable, and they are big lobbying forces. And they are agitating for more data, more access, less controls over what they can do.
I mean, they are competing to be the company that has your data and can monetize it. So, what does this mean? In a lot of ways, this means the loss of control! And from the security perspective, we are losing control over our security.
Data we put up on Facebook, photos on Flickr, email on Gmail – we no longer have direct control over that security. The security is whatever those companies want it to be. And that’s either good or bad.
If you are an average user, it might be a good thing. You are not doing good security anyway. Having your photos on Flickr means that if your computer crashes, you won’t lose them. Isn’t that a positive?
If you are a company, if you are focused on your own security – that can easily be a negative. We are seeing this also with special purpose devices. The things you can do on your iPhone are much more limited than on your computer. And there’s a lot of security you can’t implement. You can’t implement verifiable file deletion. You can’t implement a good firewall or a good antivirus. You just don’t have access to that low level.
And that’s more desired as these big data companies are trying to control more of our environment. The result really is going to be ‘feudal security’. And I mean ‘feudal’ with a ‘d’, not with a ‘t’, not ‘futile’ – ‘feudal’ as in a system where you pledge allegiance to some lord, or some data company, and in return – they protect you, to the limits they protect you. Good if you are a weak servant, probably pretty bad if you are an independent noble. But I think this is an enormous risk, and something we need to watch looking forward.
Threat 2: Ill-conceived regulations from law enforcement
The second risk I want to talk about is from government. And I titled it ‘Ill-conceived regulations from law enforcement’.
More and more we are seeing people from outside our community dictating what our community should do. They do that not necessarily with bad intentions, but certainly without understanding the effects of what they do. So, what’s going on here? As more stuff goes on the Internet, there is more crime on the Internet. As there’s more crime – there’s more people, there’s more clamor for something to be done. There are politicians that for good reasons want to reduce crime on the internet. Being soft on crime is never a place you want to be in politics.
So we are seeing more and more pushes for legislation. Some of this is pushed by law enforcement, trying to move some of their traditional controls to the Net; some of this is pushed by companies, manipulating government to support their business models. And the result is Internet regulations that don’t help. And I have a bunch of examples.
The first one is the notion of wholesale surveillance. More and more countries are eavesdropping on the entire Internet – throughout the United States with the NSA and AT&T. The NSA went to AT&T just after September 11 and said: “We want to eavesdrop on everybody”. And instead of AT&T saying: “Go get a warrant”, they said: “Put your stuff in that closet over there and lock the door”. Was that done because of the political situation? Certainly something that didn’t make us more secure.
The same thing happened in Iran, in Russia, Saudi Arabia – with BlackBerries. Those countries went to RIM and said: “We want to eavesdrop on your BlackBerry users”. RIM said: “No, you can’t do that”. The countries said: “Well, if that’s the case – get out”. RIM figured out how. They redesigned their architecture to allow this sort of large-scale eavesdropping, which is insecure for its users.
We see that in data retention laws. More countries are passing data retention laws. And basically they force ISPs to keep user data for a period of 6 months or a year, and you know why this is there – so that the police can, if they want, eavesdrop on you backwards in time: what did that person do over the past 6 months?
As a security guy, you know that the best way to secure your data is to delete it. And once you force someone to save it, now you have to figure out how to secure it. That’s hard, and that makes us all less safe. But you know, more countries have it and I think more are coming.
The ‘Internet kill switch’ is a great example. That was debated in the U.S. last year. We don’t have one yet. But Congress was talking about mandating that there will be the ‘Internet kill switch’. And this takes many forms. I always think about it as a big red button on a bomber’s desk, like – “Stop the Internet!”
Now, if you think about it, once you’ve built in this capability, you now need to secure it, making sure that only the good guys can push the button. We are a much more resilient Internet if that button doesn’t exist. And of course depending on the proposal, the button does different things – it shuts off the Net; it isolates your country, which is certainly, probably, impossible for the U.S.; it isolates the other parts of the Internet; isolates certain services – there are different ways it’s talked about. But largely, it’s the same – we don’t want that capability. But it might be forced upon us.
The last thing is calls to kill anonymity. We saw that coming out every once in a while, Microsoft a few years ago was pushing it – the idea being a pretty basic argument: “If we just knew who everybody was, we would know who the bad guys were and we would tell them to stop it.” It sounds good to a politician to make those arguments. But we in the community know: one – that removing anonymity does not automatically make things better; and two – that you cannot remove anonymity, that it is always possible to build an anonymous system on top of an unanonymous system.
‘Onion routing’ is a sort of an easy example. So you can’t get rid of anonymity. So this technical solution won’t solve the social problem. But that doesn’t mean we are not going to get it, or not going to get any of these.
Well, there are lots of companies out there willing to take government money to make these concepts work, or at least try. These concepts do get airing among politicians, among the police. It’s just kind of hard to say ‘No’ to the FBI when they say, as they’re saying now: “We can’t eavesdrop on Skype, that’s bad. You, government, force Skype to redesign their network”.
Skype has end-to-end encryption. It is encrypted on your computer and it is decrypted on the computer of the person you are talking to. There is nothing in the middle that allows the FBI to eavesdrop. That’s why they want it redesigned less securely. That’s my second threat.
Threat 3: The cyber war arms race
The third threat I want to talk about is “The cyber war arms race”.
And by this I don’t mean the threat of cyber war. I mean the threat of cyber war rhetoric, and the effects of cyber war rhetoric. We are right now in the early years of a cyber war arms race, and it is fundamentally destabilizing. And it will get worse.
Lots of countries are building cyber war capabilities. There is lots of cyber war rhetoric out there. Do Google searches – you can search for not just ‘cyber war’, but ‘cyber Pearl Harbors’, ‘cyber 911’, ‘cyber Katrina’, my favorite is ‘cyber Armageddon’. And you will find articles talking about how vulnerable everything is, and how important it is for the military to get involved. And the military is getting involved: U.S., China, Russia, NATO, UK – all these countries are building cyber weapons. And we’ve seen some examples.
On the defensive side, there is lots of talk of the military taking over some forms of cyber security. Right now, General Keith B. Alexander is agitating in Congress, in the Senate that the NSA needs to be in charge of cyber security for the power backbone (electrical backbone), the Internet backbone. We are seeing some offensive capabilities: Stuxnet is the first example we’ve seen of a military-grade cyber weapon. And it’s actually quite impressive.
The way arms races work is they are fueled by ignorance and fear. You don’t know the capabilities of the other side, so you assume the worst and you build accordingly. The other side does the same thing. And the result is that cyber weapons start ratcheting up. And like nuclear weapons, this is destabilizing. It’s possibly more destabilizing, I mean it is certainly not as devastating, but there is more of a chance that the bad thing will happen.
Seymour Hersh – he is an investigative reporter for “The New Yorker” – has done a lot of writing about cyber war policy in the U.S. mostly, some in China. And his finding is that there are things being done in terms of preparing for cyber war that are potentially dangerous.
You remember, during the ‘Cold war’ we used to fly planes over the Soviet Union in an effort to get them to turn their air defense systems on so that we could map them and figure out the capabilities. Well, we are all doing that in cyber space. We are penetrating each other’s networks, we are looking for vulnerabilities, we are, as Hersh believes, leaving logic bombs that we might wanna trigger later. And this doctrine is known as ‘Preparing the battlefield’.
Now, this is worrisome. As you do these things, these vaguely offensive actions, there is always the chance that you’re gonna trip something by mistake, there is always the chance that your logic bomb you leave will go off, that you’ll do some damage inadvertently.
But this kind of stuff is happening, and it’s happening at a lower command level, they may not be as wise. I’d like to see the President sign off on all these operations. But that doesn’t seem to be happening.
What’s going on here? It is fueled a lot by military contractors – there is a lot of money here; by government; by military. And the result is going to be, again, less security.
So those are my three risks:
- The corporate threat of big data as a lobbying force.
- The Government threat of Internet regulations being imposed on us from the outside, generally – law enforcement.
- The military threat of cyber war rhetoric and the policies that result from it.
So, what does this all mean? For us it means that a lot of our serious Internet problems are not being worked on within our community. All of those examples are interest groups from the outside, trying to impose their solutions on us.
You remember the SOPA/PIPA battle of last year? That was an example of the entertainment industry trying to really destroy part of the Internet in an effort to save their business model. And the reason we’ve won that is not because we blacked out Wikipedia, and everyone couldn’t do their homework and they all complained to their congressmen. It’s because we had lobbyists on our side, big data: Google was on our side in that battle. So we’ve won that.
These arguments happen not in the tech community but in the political and the economic community. And there it’s more about power and money than being right. And that’s hard for us. We are used to technical excellence, we are used to figuring out the solution – that’s not the way it works out there.
And we really have to get savvy in politics if we are going to keep the Internet.
In the coming decades, the biggest threats to the Internet are not coming from criminals. They are coming from organizations who have seen the Internet and want to shape it the ways that we might not like.
This is ‘Layer 8’, this is ‘Layer 9’ – economical layer and political layer, and we need to get smart about it. There aren’t lobbyists for common sense, there aren’t lobbyists for technical excellence. The right won’t necessarily win. And if we’re gonna win – we have to fight. And the SOPA/PIPA was a great example of what we can do.