Bruce Schneier, author of Secrets & Lies: Digital Security in a Networked World, is a cryptographer and founder of Counterpane Internet Security, Inc. Lawrence Rogers is a senior technologist at CERT, a national clearinghouse for information security threats at Carnegie Mellon University. CIO Insight Copy Chief Debra D'Agostino chatted with both men recently about wireless security.
What's at the core of the wireless security problem?
Schneier: The whole point of all those wireless security protocols was to make wireless secure. They didn't do the job. They are not only insecure; they are robustly insecure. The insecurity is woven into the fabric of the wireless protocol, which makes it much harder to fix.
Rogers: The key is to recognize that information assets also appear during transmission, which means on a local area network or through the air in the case of wireless. The two ways to boost the security of these assets are to limit who has access to them. It's true that Wireless Equivalent Privacy software, security software that ships with wireless, does not provide sufficient security, so ancillary encryption techniques need to be used, like virtual private networks, something beyond WEP. A lot of the VPN stuff provides better to much better encryption than does WEP, and you have to install and run it on top of WEP.
Is cost a big reason why wireless isn't more secure?
Schneier: Cost is definitely a factor. A reluctance to hold the technology industry accountable for security holes is also an important factor. The security conversation should start with the question, "Do I care if my company's knowledge gets stolen?" If you care, you figure out how much you're willing to pay for security. You may decide it's not worth it in some cases. It makes no sense, for example, to spend $1 million to fix a $100,000 problem.
Rogers: There's a perception that wireless is cheaper, but there are ancillary costs, those that come from making wireless secure, that are not always recognized.
Are secure wireless networks a long way off?
Rogers: Consider e-mail. The fact that it's not secure hasn't stopped us from using it. I can imagine that wireless will mature in the same way. Sure, wireless is insecure, but it cuts our costs down, so we're going to do it anyway. VPNs can help now, but better security will fall in later, wherever. That's the prevailing attitude now.
Schneier: The way to fix the problem is to assume that a wireless network, despite claims to the contrary from the vendors, is wide open. It's like the Internet. So run SSH over it, or a VPN, or something. Look, when the liabilities aren't there, nobody cares. Now, if a company loses 30,000 credit card numbers, nobody's going to sue. Sure, the company will do the industry-standard fix, which means they'll build a firewall and put a VPN on their wireless network. But does your firewall work? Who knows? Does the VPN work? No matter. If you really care about security, you'd care less about doing the standard thing and far more about solving the problem. It's like nuclear missile-launch codes. They're not on the Internet. Period. They're too critical to lose to a security leak.