Bruce Schneier is a renowned security expert whose accolades we covered in detail in a previous post. In part one of this interview, we posed the question: What do you do if your law firm is the next Ashley Madison? Here we discuss how the increasing interconnectedness of data is posing new challenges for security, whether focusing on breach prevention is a futile pursuit, and why his concept of resilience is essential to survival.
Logikcull: There’s a lot of talk in the legal community about what impact the Internet of Things will have on discovery. The types and amount of interconnected data that may be responsive to inquiries is growing quickly, and questions surround how to preserve, collect, search and produce that information. What impact will the Internet of Things, and the increasing interconnectedness of data in general, have on data security?
Bruce Schneier: Like everything else, there are plusses and minuses to the Internet of Things. The Internet of Things is essentially an internet of sensors, each of which is producing data. For discovery purposes, that data might be valuable to know — things like the thermostat setting in a building over a year. Maybe that demonstrates something. Or what was in your refrigerator, or movements of people throughout a space. That kind of broad surveillance data could be very, very valuable.
The risks come into play when you consider these are all computers. All the risks you associate with computers will now be in all these devices — and even worse, all these devices can affect the world! They’re cars. They’re medical devices. They can actually hurt people in a way your cell phone really can’t.
So the Internet of Things really changes how we think about data and computers. It moves computers into every aspect of our lives, with the plusses and minuses that brings. It gives computers eyes and ears on the one hand, and hands and mouths on the other. The Internet of Things senses things from the real world and it can do things in the real world, and that’s a way to think about the changes. They’re going to be profound in ways we don’t understand.
“The Internet of Things moves computers into every aspect of our lives. It will bring about profound changes in ways we don’t understand.”
Logikcull: We read so much about hacks on major brands these days. But it seems to us like this may only be the tip of the iceberg. It might be that much of what has been exploited we don’t know about and may never know about.
Schneier: There are two things going on. One is that the news only reports a very small percentage of what happens, and what gets reported is sometimes random. So yes, the attacks that are reported in the news are only a subset of those that are publicly known. I learn about a lot of attacks that never percolate up to national news.
The other thing is what you said. There are so many attacks where the victims don’t even know that they’ve been attacked. I mean, the North Koreans broke into Sony, stole everything and published it. If they left out that last step, Sony would have no idea the North Koreans broke in and stole everything. Right? And there are going to be a lot of those sorts of attacks where the victims are completely unaware.
Logikcull: So how does that change assumptions about the way we go about our work?
Schneier: Well it’s interesting, because it does change our work. I think we have to assume our networks are penetrated — all of us. We have to assume our credit card numbers are compromised — all of us. And we have to build resilience into our systems.
Here’s what I think is missing. Our systems tend to be fragile. We aren’t resilient. We can’t recover. We can’t adapt. We can’t mitigate. We don’t think in those ways. We think in terms of prevention instead of response and recovery. So I think that’s how our thinking needs to change. Now I spent a lot of time doing incident response, answering “what do you do after the attack?” And that is something that a lot of people don’t think about.
“We aren’t resilient. We can’t recover. We can’t adapt. We can’t mitigate. We don’t think in those ways. We think in terms of prevention instead of response and recovery.”
You asked me, what does a company do after it’s been a victim of organizational doxing (where an attacker dumps a victim’s data indiscriminately over the internet)? That’s not a computer problem. That’s a PR problem! That’s a legal problem! That’s an executive problem! That rapidly goes out of tech into everything else.
Logikcull: So what does your concept of resilience mean in terms of prevention?
Schneier: It means that there’s more to security than just prevention! Resilience means let’s assume the bad thing has happened and figure out how to survive anyway. Let’s figure out how to recover, how to adapt, how to do business even though. It means we focus less on prevention and more on detection and response — and a lot on response.
Logikcull: When you’re consulting clients during a breach response, what do you find are the things they aren’t thinking about but should be?
Schneier: It’s less “not thinking” and more “not thinking in a crisis.” The thing about response is the bad thing is happening to you now. You’re under siege. You’re under crisis. You’re in a very bad spot. You need to think about everything in that moment. It’s really easy in the calmness to think, “I should have done this, this and this.” Having response plans, knowing who to talk to, with whom to coordinate, all of this is very important.
“The thing about response is the bad thing is happening to you now. You’re under siege. You’re under crisis… You need to think about everything in that moment.”
When you look at responses — think of the Target attack — it’s very clear that the company didn’t know what was going on in a way that they could respond effectively. Same with Sony. They were very much in panic mode. So it’s less about the things that you don’t think about, and more about needing to start scenario planning beforehand, so that when something happens you have the presence of mind to think of everything.
Like, “Whose job is it to call the police?” “I don’t know. Is it yours? Is it mine? Did someone keep a record?” And when you’re sued later — all these companies are the victims of lawsuits — you have to be able to demonstrate that you did the right thing. Having a response plan helps.
Logikcull: The Verizon data breach report that is published every year includes a statistic that shows the average cybercriminal is typically inside the victim’s network for several months before the breach is even detected. Are you seeing any improvements in terms of breach detection?
Schneier: It is getting better. There are lots more products that will detect suspicious activity in the network earlier. The question is, are those products pervasive enough that they can be used by small businesses? They tend to just be the purview of large companies now.
There’s an arms race here. The attackers are improving, too. So we get better, but then things get more complicated. But yes, there are better prevention tools, better detection tools, and better response tools. We are getting better in all areas. It doesn’t mean security is necessarily improving, but the technical capabilities are certainly better. But, again, remember the attackers are also adapting.
“There is an arms race here. We are getting better in all areas. But the attackers are improving, too.”
Logikcull: With a lot of attacks, the attackers have gotten to the company through vendors who are providing a service to the company and have a connection to its data. How should companies be acting, in terms of policy, toward their outside service providers?
Schneier: So this is hard. This is truly hard, but there’s not a lot you can do. For example, a company might outsource its email to Google. Lots of small companies do. Which means you’re trusting Google with your security. You can’t see Google’s security policy. You can’t audit them. You just have to blindly trust them. Now, in the case of Google, that’s probably a good thing. They’re going to do a better job with security than you are. You don’t have the expertise.
But you are just really taking that on faith. Maybe if you’re a big enough company, you can have language in your contracts, but often you can’t. What should we be doing? We should be agitating for a world where we can get some liability protection. I’m not sure we have very much. But this is tough. We are forced to trust service providers whose security tends to be opaque to us.
“We have no visibility into the systems we trust.”
Logikcull: What about a vendor, though? You’re using Joe’s Copy Shop to provide materials for you and they’ve got their own email system. You can’t go and vet their systems, and their router, and their firewall. Nobody has the resources to do that. So, I’m wondering if there’s something policy-wise that can be done.
Schneier: There are lots of ways to do this via policy. There are ways to institute liability protection and regulations. But you’re right: very few organizations have the resources to do the actual audits. And we’re in a precarious situation because of that. Long-term that will be fixed. This is just temporary. But right now we are in this very dicey situation where we have no visibility into these systems we trust.