Bruce Schneier: Time for society to decide on Internet surveillance
Date: May 20, 2014
At the 2014 RSA conference, Editorial Director Robert Richardson spoke with author and security luminary Bruce Schneier about the effects of Edward Snowden's revelations about mass surveillance.
The real debate, Schneier says, is not whether the NSA should conduct spying activities, but what kind of Internet society wants to have. Should it be an Internet that is vulnerable to all attackers, or one that's secure for all users?
"We should have a secure Internet for everybody, even though it makes spying harder, rather than an insecure Internet for everybody, even though it makes spying easier. That's the fundamental policy change," Schneier said. "It's not an arms race. It's not us versus China. It's security versus insecurity. We're not going to stop targeted surveillance -- we just don't know how. An attack on the Internet is way easier than defense, but that's not what we're trying to do. If the Snowden revelations said that the NSA was spying on North Korea and the Taliban, no one would care -- that's what we want them to do. What we want to stop is bulk collection. And there, we can."
Read the transcript below.
Hi, I'm Robert Richardson. I'm the Editorial Director at SearchSecurity.com. And with me today is Bruce Schneier, well-known in the security industry, but lately also part of Co3 Systems. We've been talking a little off camera about the Snowden revelations, and there's been a lot of discussions about what we learned about what kinds of surveillance was going on in the Snowden revelations.
But one thing we haven't talked a lot about is what should we be doing about it? Specifically what should the industry, the security industry, be doing in the wake of the Snowden revelations?
Schneier: You know, it's interesting there are several different ways a company can be affected by what the NSA is doing. The first is, they could be a target, right, for whatever reason the NSA could want to spy on them.
Second, they could be a conduit. NSA wants to spy on their customers or users. Third, they could be the victim of collateral damage. And the NSA has broken some security mechanism they rely on, and they have less security than they thought they did.
And to be fair this is not just about the NSA. The Snowden documents talk about what the NSA is doing, but you have to think about this as what any well-funded national, say adversary, will do. China, Russia, France, Israel; they're all doing these same things.
So while you might not be concerned about the NSA, you might be concerned about somebody else. So you have to really think about those generally, and also I think this is what cyber criminals will be doing in three to five years. So this is a preview of what cyber-crime looks like.
So as a company you generally have to comply with the laws in the country you operate in. If you're a US corporation, and you get a national security letter, you have no choice but to comply. My hope is you fight in court, whether you win or whether you lose. In France, in China, you'll have different regulations, different laws, different abilities to fight. Unfortunately, there's nothing you can do there.
The same thing if you are, unwittingly, the target. Now, if the NSA is going after your data surreptitiously, there's more you can do. One thing we know from the documents is that cryptography works. Cryptography frustrates the NSA, at least at scale. And while you might not be able to stop a targeted attack against you, or one of your customers, you'll be able to stop bulk surveillance.
Google is doing this. They're putting in a lot more encryption to stop the bulk surveillance against their data centers, against their clients going to their websites. They can't stop the national security letters, they can't stop PRISM, but they can stop those other things.
All right, depending on the country you're in, you'll be able to do much the same thing. So more encryption; use more encryption as much as possible. To deal with the subversion of standards, products and protocols, unfortunately that's a political process. As a company, you have to decide who you want to trust.
We know that we don't want to buy Chinese-made networking equipment because we fear it's been backdoored. Well, now we know that US equipment might be similarly backdoored. But you've got to buy something. So now you pick your enemy. I think, but I don't like to say it, for most companies, if you've got to pick an enemy, the US is a pretty good one.
Better the US spy on you than the Russians or the Chinese. And I think that kind of calculus is what companies have to do.
So you rightly said that there's also a broader political issue here. And that raises the question of what Americans should take away from the Snowden revelations?
Schneier: The debate's been characterized as: should the NSA spy or not? I think that's the wrong debate. What we're really discussing here is what kind of Internet should we have? Do we want an Internet that is vulnerable to all attackers or an Internet that is secure for all users?
We can't have the NSA spying and the Chinese not. And this is very much the balance between security and surveillance. And what I want is our policy to fall on security. That we should have a secure Internet for everybody even though it makes spying harder, rather than having an insecure Internet for everybody even though it makes spying easier. That's the fundamental policy change. It's not an arms race. It's not us versus China. It's security versus insecurity.
Can we get there?
Schneier: I think we can. We're not going to stop targeted surveillance; we just don't know how. Attack on the Internet is way easier than defense. But it's not what we're trying to do. If the Snowden revelations said the NSA was spying on North Korea and the Taliban, nobody would care. That's what we want them to do.
What we want to stop is this bulk collection. And there we can. The NSA might have a bigger budget than everybody else combined, but they're not made of magic. They're constrained by the laws of physics, of math, of economics, and we can use those laws to our advantage. By encrypting things, by designing secure protocols, by building secure systems, we could stop bulk collection by everybody and make us more secure.
Bruce, thank you so much for sharing your thoughts about this complex issue. It's going to be interesting times.
Schneier: Oh yeah, thank you.