November 23, 2005
Q&A: Security guru Bruce Schneier gives his take on cyberterrorism,
biometrics, ID cards and the erosion of our freedoms
As one of the world's foremost authorities on security issues, Bruce
Schneier has been a voice of reason in an industry where hyperbole is
Schneier, who has written several books on security and is the founder
of Counterpane Internet Security, has previously criticised those who
claim that cyberterrorism is a serious threat.
So, with the SANS Institute warning that hackers are changing their
tactics and NISCC claiming that foreign governments pose a serious
threat to the UK's critical infrastructure, we caught up with Schneier
to get his take on the security landscape today.
Q: What do you think about the claim that foreign governments are a
serious threat to the critical national infrastructure of a country,
through government-led hacking?
A: In general, these threats are overstated. Is there a danger to the
critical national infrastructure from spying? Well, a lot of reports
you read tend to be very muddled as to the details.
Do you think the threat from cyberterrorism is still over-hyped?
Yes. The US government gives a lot of money to fight terrorism, so
cyberterrorism is hyped. I hear people talk about the risks to
critical infrastructure from cyberterrorism, but the risks come
primarily from criminals.
But at the moment, criminals aren't as 'sexy' as terrorists. We should
not ignore criminals and I think we're under-spending on crime. If you
look at ID theft and extortion - it still goes on. Criminals are after
Hacking does seem to be more financially motivated now. Is there a
'malicious marketplace', as SANS claims?
There is definitely a marketplace for vulnerabilities, exploits and
old computers. It's a bad development but there are definitely
conduits between hackers and criminals.
Roger Cummings [director of NISCC] said on Tuesday there is a danger
that the links between criminals and hackers, and hackers and
terrorists, will become stronger...
Well if we were making a movie then that's what we'd do. I think that
the terrorist threat is over-hyped and the criminal threat is
What do you think about governments using the threat of terrorism to
collect information on citizens, and the implications of that on
It's very scary. This is a very complex issue - one I've written books
about. My view is that we're faced with multiple threats. The worry is
that while we are trying to defend ourselves against one threat
[terrorism], we are actually making ourselves less secure. People are
scared, and because they're scared they're handing over powers to the
government and giving up their liberties. The threat of terrorism in
the UK has led to national e-card debates and biometric passport
What are your views on biometrics in this context?
They're good for what they're good for, and bad for what they're bad
for. They have their uses and they have places where they're not
useful. The all-important issue is that we think we're in danger and
think that by using biometrics we'll suddenly be safe. We should use
them where they're valid.
How about ID cards?
In general, ID cards are a complete waste of money - a former MI5
director said that. It's all very well for me to say that, but it's
nice to know Stella Rimington feels that way too.
The ID card debate in the UK is all about population control - it's
about controlling immigration, not terrorism. It is unfortunate the UK
isn't having that debate properly.
So what will be the outcome?
There will be a massive erosion of freedoms in our culture. We are
losing sight of the future. I know that's not good news - it's not
fun, but it's true. We'll be less secure as a result, because we'll be
in more danger from terrorists. There'll be an increase in the risk
from terrorists we are creating - and we'll be giving the police state
We waste money on electioneering that could be spent on actual
security - investing in intelligence and better emergency response.
How can anyone feel safe in a world created by George Bush?
Earn your Master's degree in Information Security ONLINE
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.