Newsmaker: Terrorism threat to Net overblown

As one of the world's foremost authorities on security issues, Bruce Schneier has been a voice of reason in an industry where hyperbole is often rife.

Schneier, who has written several books on security and is the founder of Counterpane Internet Security, has previously criticized those who claim that cyberterrorism is a serious threat.

So, with the SANS Institute warning that hackers are changing their tactics and the NISCC, the British government body responsible for cyberprotection, claiming that foreign governments pose a serious threat to the U.K.'s critical infrastructure, we caught up with Schneier to get his take on the security landscape today.

Q: What do you think about the claim that foreign governments are a serious threat to the critical national infrastructure of a country, through government-led hacking?
Schneier: In general, these threats are overstated. Is there a danger to the critical national infrastructure from spying? Well, a lot of reports you read tend to be very muddled as to the details.

Do you think the threat from cyberterrorism is still overhyped?
Yes. The U.S. government gives a lot of money to fight terrorism, so cyberterrorism is hyped. I hear people talk about the risks to critical infrastructure from cyberterrorism, but the risks come primarily from criminals.

At the moment, criminals aren't as "sexy" as terrorists.

But at the moment, criminals aren't as "sexy" as terrorists. We should not ignore criminals, and I think we're underspending on crime. If you look at ID theft and extortion, it still goes on. Criminals are after money.

Hacking does seem to be more financially motivated now. Is there a "malicious marketplace," as SANS claims?
There is definitely a marketplace for vulnerabilities, exploits and old computers. It's a bad development, but there are definitely conduits between hackers and criminals.

Roger Cummings (director of the NISCC) said on Tuesday there is a danger that the links between criminals and hackers, and hackers and terrorists, will become stronger...Well, if we were making a movie, then that's what we'd do. I think that the terrorist threat is overhyped, and the criminal threat is underhyped.

What do you think about governments using the threat of terrorism to collect information on citizens and the implications of that on police powers?
It's very scary. This is a very complex issue--one I've written books about. My view is that we're faced with multiple threats. The worry is that while we are trying to defend ourselves against one threat (terrorism), we are actually making ourselves less secure. People are scared, and because they're scared they're handing over powers to the government and giving up their liberties. The threat of terrorism in the U.K. has led to national e-card debates and biometric passport discussions.

What are your views on biometrics in this context?
They're good for what they're good for, and bad for what they're bad for. They have their uses, and they have places where they're not useful. The all-important issue is that we think we're in danger and think that by using biometrics, we'll suddenly be safe. We should use them where they're valid.

How about ID cards?
In general, ID cards are a complete waste of money--a former MI5 (British internal security agency) director said that. It's all very well for me to say that, but it's nice to know Stella Rimington feels that way too.

The ID card debate in the U.K. is all about population control--it's about controlling immigration, not terrorism. It is unfortunate that the U.K. isn't having that debate properly.

So what will be the outcome?
There will be a massive erosion of freedoms in our culture. We are losing sight of the future. I know that's not good news--it's not fun, but it's true. We'll be less secure as a result, because we'll be in more danger from terrorists. There'll be an increase in the risk from terrorists we are creating, and we'll be giving the police state powers.

We waste money on electioneering that could be spent on actual security--investing in intelligence and better emergency response.

How can anyone feel safe in a world created by George Bush?

Tom Espiner of ZDNet UK reported from London

More Newsmakers

[Inetsec]

Easy does it Bruce...

Although I'd agree that cyber terrorism is somewhat over hyped I'd be extremely careful not to put your considerable weight behind turning all the attention to ID theft and cyber crime (opinion wise - physically you are somewhat skinny).

You have quite a few ears out there listening to what you have to say and I think you and I both know that as far as ID theft is concerned, ID theft is mainly related to dumpster diving and mailbox pillaging. There is not anything cyber related - other than maybe purchases made under an assumed identity. That is not a cyber related issue; it's an education / physical security issue.

The "old computer" issue and the rest of the interview also has me in somewhat in a snit. I agree to a point that old computers and the future degradation of rights is an issue, but come on Bruce. Were you in a bad mood the day of the interview?

Most of the "latest / greatest" ID compromises were accomplished via "recently deployed" systems (NT4 and above  and yes there were other OSs involved) that were just not kept up to date with current patches or had bad custom programs written by the violated company installed on them. That IS NOT an issue for Government spending. That is an issue for the violated companies to address.

One thing that I would hope that you and I could agree on is that "better, faster, cheaper" never works. Pick two, but trying to do all three spells disaster.

[ORinSF]

Bush swipe really necessary?

If the author feels that George Bush is relevant to the discussion, by all means he should address it. Instead we get a little drive-by at the end of the article.

It's easy for one to assume that everyone agrees with their politics and that such digs are harmless. But to a diverse audience, it comes off as glib and undermines what came before it.

[Inetsec]

Bush Swipe...

The article was "originally" posted with those last few lines left out. I am assuming that the editors reviewed the "wow" factor and decided to put them in during a revision.

That brings up a couple of issues:

1. If the "wow" factor was an issue to C|net, I'm completely dismayed
2. There was no reference as to who said the "Bush swipe." was it the interviewer, the editor, Bruce, or Roger?

C|net please clarify

[jcpole]

He has done this before...

I don't understand why Bruce feels that he is competent to
discuss this particular issue. He is a cryptographer. He made
similar comments a few months ago, and he was roundly
criticized for being out of his element.

The threat of cyberterrorism is very real, and it is unfortunate
that people like Bruce want to bury their heads in the sand.

When Bruce talks about cryptography, I listen. When he talks
about security issues and cyberterrorism, I don't waste my time.
I'm not even sure how he got started talking on this particular
topic - perhaps he was offered enough money that he felt it was
okay to make a fool of himself talking about a topic that he is
not qualified to address.

As far as the Bush comment, C|Net has always had a bias in this
area. They are usually more subtle about it, but it shows itself in
snide remarks like this one. Every time I see drivel like this, I
lose a little more respect for C|Net as a "journalistic"
organization. Even if Bruce said it (which would not surprise me
at all, by the way), there is no way that C|Net should have
printed it.

Jamie

[Macsaresafer]

Journalism

It's interesting that a pro-Bush organization like Fox "News" is
considered "Fair and Balanced," but any journalist that dares to
criticize our vaunted leader is immediately branded as biased.

[jzar]

Why censor?

Why should C|Net censor its interview subject's remarks? Just because you happen to be a fan of George Bush doesn't mean everyone else should be too. In fact, you hold the minority opinion. The majority of the USA (and the vast majority of the world) disapproves of George Bush and considers him dishonest.

[onexge]

define the threat

The classic definition of terrorism requires flamboyant acts of violence that physically harm the public in general, and the ruling class in particular, forcing the state to pursue a policy of repression which increases sympathy to the revolutionary cause, leading to a spiral of increasingly violent terrorist acts and repressive response. Provide an example of a cyberterrorist act and explain how it will further the cyberterrorists' aims.

[Donperry]

What's with the Bush Bashing?

Please leave your personal political views out of your articles. We're
not interested in them. Up until the point you mentioned Bush, I
thought your article was fairly intelligent. Terrorism has been
around long before Bush was ELECTED President. He just happens
to be the first U.S. President with guts enough to stand up to it.
Liberals like you just never seem to get it.

[Macsaresafer]

I'm interested

Bush is the ONLY U.S. President to allow a major terrorist act on
American soil. In fact, up until 9/11, he had spent near half of
his time in office on vacation.

Don't assume I'm a Liberal either. It isn't necessary to be a
Liberal in order to think that Bush is an idiot who is destroying
this country. He got into office promising smaller Government,
dignity in the White House and fiscal responsibility. What we got
was larger Government, massive deficits, blatant corruption, at
least one act of Treason, and an outright attack on Science. That
last one will hurt us the most, as our economy will suffer well
into the future because of it.

[jzar]

Hit the nail on the head

Bruce hits the nail on the head by identifying the real reason we keep hearing about "cyberterrorism": money. "Cyberterrorism research" is just another trough for the pigs to feed at. With the government throwing billions of dollars at the problem, it serves certain companies' and researchers' interest to exaggerate the threats posed by terrorism to the Internet. At the same time, real threats like those posed by natural disasters (remember Katrina?) get ignored.