Book review: Schneier on Security

‘Tin-foil-hat syndrome’ is a career hazard in the IT security industry. Bookstore shelves are crammed with paranoid tracts written by those convinced that everyone with a computer is out to seize and abuse data.

But despite a lifetime of experience in IT security, and a pedigree in cryptography, Bruce Schneier is not one of those people. Notwithstanding the cover’s scowling author, Schneier on Security is a surprisingly refreshing take on an industry that too often treads on the edge of trading on fear.

Surprising, because Schneier has previously worked at the United States Department of Defense and AT&T Bell Labs, and now serves as BT’s chief of security technology after selling his own security services firm Counterpane to the telco. He nonetheless attacks his subject with a dry, cynical humour, grounded in realism and with a dose of insider references available only to those with the background of a security veteran.

The book takes the form of a collection of articles and essays written by Schneier over the last four years for a variety of technology titles, including Wired. They cover a broad range of meaty topics, from cybercrime to US airport security (of which Schneier is particularly critical), but all are highly charged and political.

Schneier knows his stuff, and he’s not afraid to attack the establishment – particularly when considering what he regards as ineffective, expensive and invasive counter-terrorism policies such as national ID cards or ‘no fly’ lists. His opinion is that it is “bad civic hygiene to build an infrastructure that can be used to facilitate a police state”.

“Much of our country’s counter-terrorism security spending is not designed to protect us from terrorists, but instead to protect our public officials from criticism when another attack occurs. This is ‘Cover Your Ass’ security, and unfortunately it’s very common,” he writes.

He comes across as a reformed industry expert, one who has struck upon the revelation that IT security is a people problem rather than a technology one to be solved with clever mathematics. Moreover, he denounces the industry itself as an “accident”, labelling it “an artefact of how the computer industry developed.”

“As IT fades into the background and becomes just another utility, users will just expect it to work – and the details of how it works won’t matter,” he writes, predicting that the industry will gradually dissolve with the rise of service-based computing models.

“Outsourcing is the ultimate consolidator,” says Schneier. “If I buy my network services from a large IT infrastructure company, I don’t care if it secures things by installing the hot new intrusion prevention systems, if it uses magic security dust given to it by elven kings.”

He predicts the incumbent security companies will gradually be bought out and folded into non-security service providers or software development houses.

“In 2006, IBM bought ISS [Internet Security Systems]. The same year, BT bought my company Counterpane. These aren’t large security companies buying small security companies; these are non-security companies buying large and small security companies. If I were Symantec and McAfee, I would be preparing myself for a buyer,” he says.

Schneier on Security is not a technical tome, as Schneier’s articles are often intended for a more general audience and thus deal with their subjects more broadly. He mixes common sense with controversy, in one example suggesting there is no point in securing home wireless networks.

“I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house,” he writes. “Yes, if someone did commit a crime using my network, the police might visit, but what better defence is there than the fact I have an open wireless network?”

He also proposes that financial institutions take on more of the burden for identity theft, acknowledging that while they “already pay most of the direct costs of identity theft, the costs in time, stress and hassle are borne entirely by the victims. Security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem.”

Many of the articles in Schneier on Security are quite dated, and tend to be US-centric. But his refreshing common-sense approach to a threat-obsessed industry makes Schneier on Security indispensable for anyone in the security industry and a thought-provoking read for anyone else.

Schneier on Security by Bruce Schneier. Published by Wiley Publishing. ISBN: 0470395354. Price: $29.99
