Everything We Know About Security Is Wrong

So says counterterrorism contrarian Bruce Schneier. And the Transportation Security Administration is listening.

Which, says Schneier, is why any form of air travel security based on identifying passengers will never work. It will always be just a form of "security theater."

In a recent series of email exchanges with TSA chief Hawley that Schneier posted on his blog, he scolded Hawley for engaging in "cover your ass" security measures: A guy tries to blow up an airplane with his shoes, so now everyone has to take their shoes off; some people think of smuggling liquid explosives on a plane, so now everyone has to put liquids in three-ounce containers (unless the bottle is labeled "saline solution," which counts as medication, and thus can be brought aboard in a vaguely defined "reasonable quantity").

As Cory Doctorow, the co-editor of the popular tech blog Boing Boing, puts it: "Bruce has a particular gift for puncturing ridiculous statements about security."

But though Schneier has been winning converts, his views are hardly gospel in government circles. Clark Kent Ervin, the former inspector general of the Department of Homeland Security, accuses Schneier of downplaying the terrorist threat.

"It's true that the chance of being killed by a terror attack is much smaller than being stricken by cancer," says Ervin, who heads the homeland security program at the Aspen Institute, a Washington, D.C.-based think tank. "But it's comparing apples and brass buttons." Terror attacks, he says, "have a huge psychological as well as an economic impact. It's silly talk to say that the chances of being killed in a terrorist attack are so small, and to infer from that that we needn't worry about it."

Ultimately, Ervin says, Schneier's legacy may be to lull people into a false sense of security. "His kind of thinking might be excusable in a pre-9/11 world," Ervin says. "But in the post-9/11 world, it's irresponsible and dangerous."

BRUCE SCHNEIER HAS had a fascination with security since childhood. As a boy in Brooklyn in the 1960s, he would crack secret codes written for him by his father. When he got older, he found himself studying the placement of security cameras to figure out the best strategy for shoplifting (a purely intellectual exercise—he says he never followed through on the idea).

After graduating from SUNY Rochester with a degree in physics, Schneier spent the latter half of the 1980s at the Defense Department. He won't elaborate on his time there, other than to say it involved "implementing security solutions at military installations."

A few years later, in 1993, Schneier penned his first best-selling book. The mathematics-heavy Applied Cryptography quickly became the seminal how-to guide for writing ciphers—complex algorithms that scramble data, protecting it when sent from one computer to another.

In the years that followed, computer programmers—many looking to Schneier's book for instruction—designed ever-more-impenetrable ciphers, with an eye toward keeping the data of multinational companies secure.

This posed a problem for the U.S. government, which considered such so-called "strong crypto" a risk to national security. The Clinton administration, following in the footsteps of its predecessors, sought to put a stop to it, asserting that selling the encryption programs to foreign companies amounted to a breach of the International Traffic in Arms Regulations.

A loose affiliation of mathematicians, civil libertarians, and antigovernment hard-liners fought back, giving rise to what came to be known as the "Crypto Wars." In the ensuing public debate, Schneier found himself firmly in the fray, writing opinion papers and testifying before Senate and House committees.

"He could respond to the government's experts tit for tat," says Jim Dempsey, policy director for the Center for Technology and Democracy, which advocated for strong crypto. "And nobody could say that he didn't know what he was talking about, because he literally wrote the book on cryptography."

In 1999, after an appellate court ruled that restricting encryption was illegal, the Clinton administration surrendered. Encryption technology was allowed to flourish.

But as Schneier's co-combatants celebrated a hard-won victory, he found himself unable to join them. "We won the war," he says, "but it was the wrong war."

Schneier had realized that the most important component of any security system is not its strengths but its weaknesses. Strong crypto is nearly impossible to penetrate. But the computer, the network, and even the user are far more fallible.

Take, for example, the case of Dennis Alba and Mark Forrester. In 2001, the DEA investigated the middle-aged pair—who had become friends while in prison—on suspicion of setting up and running a large-scale, sophisticated Ecstasy ring in Escondido, California. The partners used code words to communicate and shielded their computer files with strong crypto. The DEA's extensive investigation included obtaining a search warrant to break into their office and install a "keystroke logger" on a computer. That piece of software, which records what's typed on the keyboard, enabled the government to get the key that unlocked their encryption. In 2005, both men were sentenced to 30 years in federal prison. (Forrester's conviction was later overturned on a technicality.)

The lesson was clear: All the crypto in the world is powerless to protect you if the front door is so easily pried open. Taking this to heart, Schneier, with a few million dollars of venture capital in tow, set up Counterpane Internet Security. The mission of the Silicon Valley-based firm was to monitor computer networks in much the same way ADT Home Security protects houses: by having human beings work in concert with technology.
