Wrapping up their face-off at ISD 09, Bruce Schneier and Marcus Ranum take questions from the audience on everything from strategies for protecting risky assets to what they would do as the U.S. cybersecurity coordinator. This segment covers the following topics:
- 0:16 Schneier: Prioritization makes sense
- 0:29 Ranum: Having controllable pieces
- 2:56 Schneier: Focus on solving risks
- 3:39 Schneier: User education and social savvy
- 3:14 Ranum: Consider the corporate mission
- 5:53 Ranum: Disconnection vs. coordination
About the speakers:
Marcus Ranum is Chief Security Officer for Tenable Network Security.
Bruce Schneier is Chief Security Technology Officer for BT.
Check out other topics in this series:
- Part 1: The future of information security
- Part 2: Social networking
- Part 3: Compliance and security
- Part 4: Cybersecurity coordinator
- Part 5: Security metrics
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Schneier-Ranum face-off part 6: Audience questions
Bruce Schneier: It is almost never true that you will do one or the other
thing; I think it is a good example of that. Yes, it makes sense
to prioritize security based on the riskiness and the value of
assets. Yes, it makes sense to have minimum level of security
across the board of your network, so you are going to have to do
some of each.
Marcus Ranum: If your problem is that you got, let us say, a network where
you have office automation stuff, Twittering going on, and you
got a network where you got a nuclear launch consoles, you might
say, 'This is a justification for two networks,' rather than,
'How do we protect this all evenly or how do we protect our
separate assets?' I am a huge fan of parsing your problem apart
into controllable pieces, and one of the other reasons I am a
huge fan of doing that is because it allows you to repair,
upgrade, and manage those things separately and very easily. If
you got multiple networks, it is really easy to see if you got
bandwidth problems on one or the other, and it is very easy to
factor out the bandwidth impact if something goes wrong on one
because it does not affect any of the other ones.
You can look at these things as a security issue but you can
also look at these things as a design issue, a cost issue, a
manageability issue, and that all have to be approached from the
get-go. Of course, I know that when I say this. It is completely
ridiculous because how many of you guys are going to inherit a
tabula rasa? You are going to inherit this existing bucket of
spaghetti from your predecessors, and you are going to have to
try to figure it out. I see, looking at our networks as they
grow as a process of constant revolution; you should never feel
that you got it right. You should be constantly going in there
and saying, 'What is screwed up? What do we need to blow up and
Bruce Schneier: Too much security, whether it is network security or anywhere
else, you just do not see enough time given to; what are we
trying to solve? What are the risks, and how does this counter
measure deal with the risks? You see this a lot in public
policy, the TSA is a great example of this, and I think of it as
something must be done. This is something; therefore, we must do
it. And that is the logic that you see, not does this thing we
are doing actually provide value in what we claim it does?
I like a lot of analysis, especially in design. It is valuable
because if you get things wrong, it is easier to fix because it
is still in design. The problem, of course, is design can stay
in the design phase forever; eventually, you got to cut and do
something. Again, like the other either/or question: you got to
do both. You got to design, and I think Marcus is right; you
have to consistently relook at your design because we are in
technology. The reality changes. Every year new things become
possible, things become cheaper. The decisions you made last
year do not hold true this year because things are different.
You got to keep looking at your designs, justifications and
implementations, but you also have to actually do things. After-
action reports are absolutely critical on that kind of thing
because your premise is if you are going to do something for a
reason, and you are designing something as part of that reason,
that that is where your metrics come in. If the reason is that
it is going to do get our CEO more dates on Facebook, then we
measure whether he is actually getting those.
Whenever I hear people talking about educating the user, I
always wonder if they ever met an actual user. Unfortunately, a
lot of it is a generation gap. My father will never figure this
stuff out, ever. Every time I go home, I have to clean up his
computer. It will never stop, and I cannot fix it. The younger
generation is going to do better, not because they tend to be
more technically savvy but more because they are more socially
savvy. They have a better intuitive sense of what is real and
what is fiction out there.
I think we need more technical security. A lot of these giving
users warnings. The worst one is the browser certificates.
Nobody, including me, ever does anything but click Accept or OK
when you get those warnings on your computer that the website's
certificate is out of date. Why am I seeing those warnings? What
that is, is there is a designer in the back room saying, 'Do you
know what to do? I do not know what to do. Let ask the user.'
The user does not know what to do if you do not know what to do.
Do not ask the user questions he is not going to know the answer
to because what the button says is, 'You cannot get your work
done until you click OK.' I think we are failing as an industry
by demanding a lot of education on the users. The users will get
socially savvy; they will never get technically savvy.
Marcus Ranum: You should know what you are trying to do, and if there is
something that should not happen, the user should not be able to
make it happen. If you are in an environment where you are
worried about people exporting the product plans to the
competition or posting it on a website, it should not be
possible for them to do that, and then you do not have to worry
about this. Now there are other questions like, 'How do they get
their work done? How do they get to Twitter?' and all that kind
of important stuff. That flows, again, from your sense of your
mission; 'What are you trying to accomplish?' You go backwards
from that to, 'How do you get there?'
Marcus Ranum: You would not like it, but if you put me in position, I would do
it. If I was the cyber security czar, all Federal Agencies would
be disconnected from the internet within 12 hours of my becoming
the cyber security czar. All the power grid computers would be
disconnected from the internet, and they would have to figure
out a different way of doing it. I think Bruce would be a better
cyber security czar than that I.
Bruce Schneier: I do not want the job. I do not think it is a lot of fun. What
I said earlier, I think that you need a political person. I want
to see the techies one step under the cyber security czar
because the job is way more political than I am good at.
Marcus Ranum: Joking aside, in the book that I wrote back in 2002, which did
not sell, I guess it sold about one-one millionth as well as
Bruce Schneier: I bought a copy.
Marcus Ranum: Yes, I know. I pointed out that the government absolutely needs
a chief technology officer who has just not the ability to
coordinate and recommend. The chief technology officer should be
determining that Federal Government IT strategy which includes
things like broad areas of product selection and reassessing, why
are we spending so much money on Windows if what people need is
a browser? Why are we not just using embedded operating systems
with a browser? There are all sorts of interesting questions
that could and should be asked, and they are not being asked
because there is none of that coordination. If we actually had a
national technology strategy, cyber security would be a piece of
that but again just approach it and say, 'We need cyber
security. Let us do something.' We need a national technology
strategy, and cyber security falls-out from having one. We do
not have one right now, and it shows.