Identity theft, ID cards and the threat posed by employees were all hot topics at the Infosecurity show in London last week, so we grabbed some time with cryptography expert Bruce Schneier to get his take on the current security landscape.
Schneier, chief technology officer of Counterpane Internet Security, believes the threats we face today can't be dealt with through technology alone. With the UK government already facing fierce criticism for pushing through the introduction of ID cards, we asked Schneier why he believes they will make identity theft worse, and why security needs more emphasis on "people solutions".
Q: What is the main security issue today?
A: Cybercrime. It's increasingly organised crime, and is becoming more professional. This will continue. As long as there's money to be made, professional [criminals] will continue to enter the space.
Can technology deal with this threat?
It's no longer about the technology -- it's about the user interface, updates and configuration. You'll increasingly find that security issues will be about using the technology.
But surely technology can be a tool in helping mitigate threats? What about automatic updates?
Automatic updates just don't work well. And if the user screws up, you can't expect the product to respond.
ID theft is an economic problem, phishing is a people problem -- these are not technological problems.
The UK government claims identity theft will be cut by the upcoming UK ID card scheme. Will it actually mitigate the threat?
ID cards will make identity theft worse. I'm not sure what they are supposed to solve. Having a single ID is much more dangerous [than multiple IDs]. The risks are severe, as it makes ID much more valuable. Identity theft is fraud due to impersonation, and a centralised ID card is that much more valuable to criminals.
Identity can be hijacked, and cards can be faked. All of the 9/11 terrorists had fake IDs, yet they still got on the planes. If the British national ID card can't be faked, it will be the first on the planet. A national ID card is so costly and gives so little in return -- it's just a bad deal.
There's too much focus on ID in security. A door lock works. One of the best security measures to come out of 9/11 was reinforcing the cockpit door, and teaching passengers to fight back.
What is your opinion about the IT implementation of ID cards in the UK?
Well, everyone knows that no IT implementation can happen without problems, but people problems will always be there too.
We handle people problems all the time -- people solutions to people problems -- but we don't have people solutions on the Net.
What kind of people solutions?
People solutions like arresting people who commit fraud. We just don't have the experience on the Net.