Bruce Schneier: "If the principles of using technology in elections do not change, hacking of voting results is only a matter of time."
Bruce Schneier is undoubtedly one of the leading security professionals of our time, a true scholar in his field. He took part in creating a number of cryptographic algorithms (Blowfish, Twofish and Threefish); has written several books, the latest of which, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, was released in 2016; publishes actively in specialist publications and on his personal blog, schneier.com; and has worked as a research fellow at Harvard University, a member of the board of the Electronic Frontier Foundation and chief technology officer of IBM Resilient.
The well-known cryptographer and author of books on information security shared his opinion on a number of pressing security issues of the digital economy.
What conclusions should be drawn from the history of Stuxnet?
Stuxnet was one of the first examples of a cyber weapon used to attack an entire country: the United States and Israel attacked Iran. Other examples followed: Iran vs. Saudi Arabia, Iran vs. the USA, North Korea vs. the USA, and so on. All of these were attacks designed to inflict damage, not espionage operations like China's hacking of the systems of the United States Office of Personnel Management or the U.S. intrusion into the network of the Brazilian oil company Petrobras. The conclusions are as follows: first, countries' critical infrastructure is vulnerable to attack; second, some countries are less protected because of the importance of the role the Internet plays in their lives and economy; and third, changes should not be expected any time soon. On the Internet, it is easier to attack than to defend.
What should one focus on when designing the cyber-physical systems of the future?
For many years the United States neglected the protection of the Internet, believing that it had an advantage. The country tried to make online spying and covert surveillance the norm, fighting against the protection of protocols and Internet telephony. Even now the FBI is trying to force online companies to reduce the security of their equipment. The lesson that should have been learned from Stuxnet and similar attacks is that the US really has no advantage, rather the opposite. The country may have the most powerful weapons, but it has the weakest defense. In the online world, however, defense will have to be prioritized over offense, even if that means sacrificing the ability to spy and carry out attacks.
Neglect of security principles has been the cause of several large-scale data thefts: at Equifax, Yahoo (twice), MySpace, Heartland Payment Systems, Sony PlayStation Network, CardSystems Solutions and T. J. Maxx, a total of about a billion accounts were compromised. It has got to the point where leaks of fewer than 100 million records are not considered worthy of mention in the press. Is there any reason to say that companies today are beginning to protect personal information better?
There is no evidence to suggest so, and there never will be as long as industry participants have the option to invest or not invest in security at their own discretion. The present situation is a direct consequence of market mechanisms: companies skimp on security because it is profitable for them. Customers don't demand security, since the whole system is opaque and it is difficult to link the damage from identity theft to a specific hacking incident. In the case of companies like Equifax, the people whose data was lost weren't even their customers. Managers will prefer to save 10% of the security budget and risk becoming a victim of hacking, since Wall Street encourages such savings. If we want security to become more reliable, the only solution is government intervention and the introduction of minimum standards of protection.
Today your smart mattress tells the smart thermostat, smart toaster and smart coffee maker that it is time to prepare for your awakening, then the smart home turns off the alarm and remotely starts the car engine. Google has an app that, when you pass by a shop window, lets the seller's smart devices look up your record in order to generate personalized offers. All this "smartness" is clearly excessive and increases the number of digital attack vectors against a person. Is there, in your opinion, any real benefit of smart devices for the consumer?
Our parents said the same about email, and our children will treat the innovations that replace Internet of things systems the same way. All these innovations are useful, and in most cases the uses are ones that people of the previous generation could not foresee. Yes, insecurity is growing, but that began when people started connecting computers to the Internet, installing Wi-Fi access points in their networks and moving data to the cloud. Technology will continue to evolve, and that has to be accepted, but it requires paving the way for new developments by strengthening security rather than blocking them with restrictions.
What is your long-term forecast as to whose hands control of the identification layer of the Internet of things will ultimately end up in?
This is an important question. The so-called capitalism of covert surveillance (financial gain from data obtained that way) is the main business model of online companies and a supporting business model in many other industries. We are under constant covert surveillance by our computers, smartphones and many other devices. The Internet of things is an Internet of sensors, so the volume of covert surveillance data will grow exponentially. It is mostly used without our knowledge or consent and not in our interests. But here's the thing: surveillance data about us is not all that valuable. The more of it is collected, the less each individual item of information is worth. Here is an example: a lot of companies would like to know about my desire to buy a new car, but in the end I will buy only one car. In my opinion, the capitalism of covert surveillance will eventually fail, given that our data is worth less today. The question is what will happen to it. Indeed, we are losing every last shred of privacy as the Internet of things permeates every corner of our lives, and there is a "digital divide" between those who agree to constant surveillance and those who will resist it. Again, without government intervention, which should outlaw business based on invasion of privacy, we have no choice but to watch and wait to see what happens next.
Which security issues of the Internet of things are the most important?
The standard security model is based on three pillars: confidentiality, integrity and availability. Until now, threats have mainly been directed against confidentiality, but the Internet of things is not just sensors and a network: it can directly affect the physical world. As it becomes an everyday reality, threats to integrity and availability take on greater importance. The danger of denial of service grows with increasing dependence on automated systems. The danger of hacking increases along with the role of automation in protecting life and property. The Internet of things changes everything. There is a fundamental difference between a personal computer failure that causes the loss of part of a spreadsheet and a pacemaker malfunction that means the loss of life, even if we are talking about the same processor, the same operating system, the same vulnerability and the same attack program. I am now working on a new book with the provisional title Click Here to Kill Everybody: the Perils of Life on a Hyper-Connected Planet, which is due out in the fall of 2018.
What do you think about the Internet of things information security act proposed in the American Congress in 2017? Who will benefit from it, and who will lose?
To clarify, it is a bill introduced by four senators that has no chance of becoming law. Not because the idea is bad, but because Congress is now too divided to pass any reasonable law that might irritate well-funded lobbying groups. The bill itself is incredibly modest. It does not oblige companies to take any action, but rather sets minimum security standards for IoT devices procured by the U.S. government. These standards are reasonable and not too difficult to meet. In addition, the bill ensures that good-faith security research cannot be treated as a crime, which is extremely important for securing the Internet of things. Since the act has no chance of being adopted, the beneficiary will be the industry, which will continue to create and sell insecure solutions. And the losers will be all of us, because we are still left without protection.
If the principles of using technology in elections do not change, hacking of voting results is only a matter of time. How can public opinion be influenced so that society starts to demand more sensible systems of control for securing elections?
I don't think that can be achieved. Hacking of the electoral system is a risk that bothers no one as long as it is only theoretical. That is, before the election. And after the election, half of the electorate is satisfied with the result and has no particular wish to investigate. The voting system is an entire infrastructure, and there is no desire to spend money on it.
Do you see a possibility of staying with paper ballots, given that they are less susceptible to interference?
Using only pen and paper is so last century. Today there are voting machines based on optical detection, which still require you to put a mark in the right place but are much easier to use. These are the most reliable and accurate voting systems available, and they are widely used. Such a system has several benefits. First, voters clearly mark their choice on a paper ballot rather than on a machine acting as an intermediary. Second, the ballots can be quickly scanned and automatically counted. Third, the votes are recorded on paper in case of a recount. I think such systems should be introduced everywhere.
What can you say about the prospects of voting on the Internet?
In my opinion this method, unfortunately, has a great future: too many people want the convenience of voting from home. Many jurisdictions are now actively moving in that direction. The practice of sending ballots by mail has grown significantly; even entire elections have been held this way, despite the security risks. Similarly, I think that within ten years there will also be a transition to online voting. I don't think it's a good prospect, because it opens up opportunities for much more extensive hacking of elections.