In this RSA Conference 2011 interview, Michael Mimoso, Editorial Director of the Security Media Group at TechTarget, talks with Bruce Schneier, Chief Security Technology Officer of BT Group, about cyberweapons and cyberespionage and the safety of critical infrastructure.
Read the full transcript from this video below:
Bruce Schneier on cyberweapons and cyberespionage
Mike Mimoso: Hi, I'm Mike Mimoso and I've got Bruce Schneier with me today. Hi Bruce, how are you? Thanks for joining us.
Bruce Schneier: Thanks for having me.
Mike Mimoso: In the last 12 to 18 months there's been a lot of talk about the development and the use of offensive weapons in cyberspace and the militarization of cyberspace. Do you think this is a viable strategy?
Bruce Schneier: Well, of course, we know that cyber weapons do damage. We've seen hackers do it for decades; we've seen criminals do it for decades. And now, we see national intelligence do some of it. So, it's perfectly reasonable for a military to look at cyberspace as a new theater of war to build offensive weapons. I don't think that's a worry. My fear is that they might get used accidentally, that as you build these things, they're inherently unstabilizing.
I believe we're at the brink of a cyber war arms race. And if you think about the nuclear arms race what fueled it was lack of knowledge. We didn't know what they were doing, so we assumed the worst and responded accordingly. They didn't know what we were doing, so they assumed the worst and responded accordingly. And that just built up where if there was trust, there was conversation, and there were attempts at that. You had lots of treaties, lots of ways that we tried to ratchet that down, because we all had more than we needed. But we needed them because we didn't know what they had.
I think a similar thing could happen very easily in cyberspace. We don't know what the Chinese are doing. The Chinese don't know what we are doing. And you add in Russia and the NATO countries. You have a lot of countries building this capability which makes perfect sense, but assuming the worst on their potential enemies.
Seymour Hersh has written about this in the New Yorker that a lot of these decisions about what to build and what to deploy in peacetime are happening at too low a level in the command structure. So, there's a doctrine called preparing the battlefield, which means you can do some things that are vaguely offensive but not really because you're preparing the battlefield.
The extreme might be to lay a minefield in the enemy's country. That's clearly not allowed. But there's strong belief that both the U.S. and the Chinese are penetrating each other's networks and leaving logic bombs that they can, in the future, detonate remotely, if they might need to. So, if we start doing this, what if one goes off by accident? What if one goes off by accident and someone else thinks it was done on purpose? What if some low-level colonel authorizes some reasonably aggressive surveillance mission? So, the goal is eavesdropping but it is active penetration. The other side finds out and responds accordingly.
These things can escalate quickly and unless we have them approved at the presidential level or a level close to the presidential level, I think we incur a greater risk of this kind of thing getting out of hand. So, I would like to see more conversation in public about what's allowed, what's not allowed, what cyber war means, what can be done during cyber peace, and then more conversation between countries as to what's allowed and what's not allowed.
I've been pushing for cyberspace treaties. Richard Clarke talks about it in his book on cyber war. And I think there's a lot of value in those treaties, even if we can look at them and say, "How can you ever enforce a cyber security treaty? We can't even find chemical weapons plants in other countries. How are we going to find a cyber weapon plant?" But I think there's value in their negotiation even if the treaties are largely unenforceable.
I think there's value in a hotline between the cyber commands in various countries because one of the problems is when you think about the democratization of these tactics that we're going to see a lot more non-state actors with state-level cyber war capabilities. I mean, Stuxnet was a pretty impressive job. Probably only a military could do that. Fast forward ten years and you can imagine a criminal organization pulling that off. So, the more the nations can talk to each other about these politically motivated attacks the more we can all figure out which are non-state actors. And concentrate our resources on those.
Mike Mimoso: Right. I want to talk about critical infrastructure. Why do you think that these systems have fallen down so hard in terms of security?
Bruce Schneier: I think the moral is they haven't really fallen down that hard. All these things have happened and the lights are on and everything's working. A lot of these systems are legacy systems. They, for years, relied on obscurity to defend them. Not a lot of thought in building security in. And we're now getting to the point where attacks on them are becoming cheap enough and easy enough that they're being done; cell phone systems, the same way.
So, it's going to take some years to beef up that infrastructure. I think it will happen. I mean, it has to happen. But if you think back 15, 20 years ago in operating systems, we had the exact same conversation. Why is it that they're falling down so hard? Even though, in fact, most of them were working most of the time, the newspapers and lots of different worms and viruses. And it's because people didn't think of it. In the rush to build the Internet and the rush to build Windows, no one worried about security. And it took a bunch of years, and we're doing a lot better. Infrastructure's going to be harder.
There are a lot more embedded systems. I mean, there's stuff out there that's been out there for 15 years that isn't upgradeable, that you can't throw in new software. You've got to physically go there and pry out EPROMs and stick new ones in. And that's probably going to cause more problems than it will fix.
So, likely the solutions will be not to fix these embedded systems, not to fix the SCADA systems but to move them onto a more secure network. So, we know this stuff is very vulnerable. We're going to put it on a secure intranet. That's likely what we're going to see because there's too much invested in these legacy embedded systems.
Mike Mimoso: And it's probably the only way they can catch up.
Bruce Schneier: I don't see any other way they can catch up.
Mike Mimoso: Great. Bruce, thanks for joining us today.
Bruce Schneier: Thank you.
Mike Mimoso: For more information, go to SearchSecurity.com.