The idea of social responsibility in IT is coming to mean more than simply donating used computers. It incorporates safeguarding privacy and data. Can security be increased by leveraging people's good nature?
Schneier: I think there is a possibility there, especially in terms of data privacy, but it requires a bunch of things. It requires good whistle-blower protection laws, because you could have somebody who wants to do right by saying, "Hey, my company is misbehaving." And it's going to need transparency, so that companies know what's going on with their data. I think it could work, and I think it's a great thing, but it requires some cultural changes in business that companies are going to resist.
What about brute force, tech-driven hacking--the kind of thing you see in movies--who wins that arms race?
Schneier: It's a question of tactics, and, on any given week, one might be better than the other. Deciding who, at the time of writing, is ahead isn't really relevant.
The bad guys have an objective, and they will take the easiest path. If the easiest path is tricking a secretary, then they'll do that. If the easiest path is a new vulnerability in Windows Vista that hasn't been patched yet, they'll do that. Figuring out which one they're going to do today tells you nothing about what they're going to do tomorrow. Like the TSA, we need to spend more effort on the general threat than focusing on what tactic is in vogue this week.
Who or what is the main threat?
Schneier: Mostly it's crime. Hacking changed from a hobbyist pursuit to a criminal pursuit. Criminals have gone international, they've gone up-market and they've gotten much more professional.
Crime takes several flavors. The common one is what we call identity theft, which is basically fraud through impersonation. But we also see them attacking and owning computers, and sending spam for commercial purposes or for denial of service extortion.
We're seeing more and more of that. It's still primarily targeted against fringe industries, such as online gambling and online porn, and fringe markets, like companies in the Caribbean, but it's growing rapidly. The question to ask is, If you're a large criminal organization with control over 100,000 computers, how could you make money with them? You end up with the things that criminals are now doing.
How does a company deal with all this? What's the structure in terms of working with a CIO or CSO?
Schneier: The details of the structure matter less than the fact that senior management cares, and that there is communication among these various people. I don't care whether the CIO or the CSO is running IT security, as long as the two of them talk. I don't care if the CSO is under the finance people or under the IT people, as long as he can talk to the right people when something happens.
It's important to understand that IT security is part of overall security, and that is part of governance, and that is part of making the company profitable. So people have to make hard tradeoffs. You have to decide whether more security is good or bad: It may be good for security, but it could be bad for business. The decisions have to be made at a high enough level that you can make them intelligently, and that's far more important than determining exactly where things are connected.
Have we seen the death of privacy?
Schneier: I think the death of privacy is overrated. Technically, the threats to privacy are enormous, but just because someone invented the camera doesn't mean that everyone gets naked pictures of themselves, and just because someone invented a recording device doesn't meant everything gets recorded.
Whenever you have technical advances that perturb our rights, the way you fix that is through laws. Don't look to technology.
In general, laws are trailing technology. You might have laws that protect your privacy for videotape rentals, but don't apply to downloaded movies on the Internet. Other laws might protect the privacy of your mail as it goes through the post office, but don't protect your e-mail as it goes through ISPs. We're living in a world where a lot of laws are written to be technically specific, and they are becoming obsolete because the technology changes so fast. Better laws are technologically invariant.
A lot of younger people seem to be less concerned with privacy than their elders. Is that healthy?
Schneier: The Internet is responsible for the greatest generation gap since rock and roll. There's an enormous difference in the way the older and younger generations use the Internet, and that's healthy. We can look in horror at some things the younger generation is doing, but you're looking at the future.
It's not that young people don't care about privacy, they just have a different socialization. They want to have control over their data: What upsets them is if something happens to their data--say, their photos--that they don't want. We as the older generation are morally obligated to build systems that will allow the younger generation to communicate, to contribute and be part of society without forcing them into particular boxes that we think is required of them.
This is kind of depressing for CIOs: Their technology won't keep up, they need to be sued, and their people can't be changed. What's the good news?
Schneier: The good news is that society works. None of the problems I've talked about are new: They've been problems for thousands of years. Most people are honest and honorable, most of the time. If that weren't true, civilization would collapse.
Most bad news is around the edges. Companies aren't going out of business every day. The lesson is that you may be worrying too much. Yes, it's your job to worry, but go outside and have some social perspective.
Lots of things are life and death, and there are bad guys. But even with respect to terrorism, a little healthy skepticism is a good thing. People who are scared all the time have been defeated.