Schneier on security's 'people problems'

Summary: Q&A: Bruce Schneier, security expert and founder of Counterpane Internet Security, believes we need 'people solutions' to cybercrime rather than just relying on technology

TOPICS: Security

Identity theft, ID cards and the threat posed by employees were all hot topics at the Infosecurity show in London last week, so we grabbed some time with cryptography expert Bruce Schneier to get his take on the current security landscape.

Schneier, chief technology officer of Counterpane Internet Security, believes the threats we face today can't be dealt with through technology alone. With the UK government already facing fierce criticism for pushing through the introduction of ID cards, we asked Schneier why he believes they will make identity theft worse, and why security needs more emphasis on "people solutions".

Q: What is the main security issue today?
A: Cybercrime. It's increasingly organised crime, and is becoming more professional. This will continue. As long as there's money to be made, professional [criminals] will continue to enter the space.

Q: Can technology deal with this threat?
A: It's no longer about the technology -- it's about the user interface, updates and configuration. You'll increasingly find that security issues will be about using the technology.

Q: But surely technology can be a tool in helping mitigate threats? What about automatic updates?
A: Automatic updates just don't work well. And if the user screws up, you can't expect the product to respond.

Q: So are you saying that technology can't help?
A: ID theft is an economic problem, phishing is a people problem -- these are not technological problems.

Q: The UK government claims identity theft will be cut by the upcoming UK ID card scheme. Will it actually mitigate the threat?
A: ID cards will make identity theft worse. I'm not sure what they are supposed to solve. Having a single ID is much more dangerous [than multiple IDs]. The risks are severe, as it makes ID much more valuable. Identity theft is fraud due to impersonation, and a centralised ID card is that much more valuable to criminals.

Identity can be hijacked, and cards can be faked. All of the 9/11 terrorists had fake IDs, yet they still got on the planes. If the British national ID card can't be faked, it will be the first on the planet. A national ID card is so costly and gives so little in return -- it's just a bad deal.

There's too much focus on ID in security. A door lock works. One of the best security measures to come out of 9/11 was reinforcing the cockpit door, and teaching passengers to fight back.

Q: What is your opinion about the IT implementation of ID cards in the UK?
A: Well, everyone knows that no IT implementation can happen without problems, but people problems will always be there too.

We handle people problems all the time -- people solutions to people problems -- but we don't have people solutions on the Net.

Q: What kind of people solutions?
A: People solutions like arresting people who commit fraud. We just don't have the experience on the Net.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

2 comments
  • To some extent - though there's a strong undercurrent of law enforcement to the story - this confirms a study we've done for the past four years, which states that human error, not technology problems, is the main culprit in cyber security lapses.

    This is the release from our last iteration of the study:

    http://comptia.org/about/pressroom/get_pr.aspx?prid=903
    anonymous
  • IT departments have to do a better job in the corporate area. The home user is a different animal. I work with a young man that bought his first computer and it was down within 30 days, unusable due to a virus, spyware and malware. Automatic updates, firewall, and anti-virus software didn't do the job. He was clueless as to how to prevent this. Maybe if his computer had not come pre-installed with Windows OS, he would have stood a better chance. Home users don't have a choice when buying a new computer, whereas corporations who choose to buy Windows should be aware of the risks involved and take appropriate action.
    anonymous