Examination of Witnesses (Questions 525
WEDNESDAY 21 FEBRUARY 2007
Mr Schneier, thank you for coming to see us. We very much appreciate
the opportunity to talk to you. Perhaps you could first introduce
Mr Schneier: I am Bruce Schneier. I am basically
a security technologist. I write; I speak; I do a lot of thinking
in security and how security fits into society. My background
is from cryptography, to computer security, to more general security.
I had a company in the United States, Counterpane Internet Security,
which last October was purchased by BT. So now I am a BT employee.
It is important for you to realise two things. One, I am here
not as a BT employee but as a security expert; so what I am saying
is me and not the company position. Two, I am an American and
so my perspective is very much the American laws and the American
experience; so I might get some of the UK perspective off. Those
are my two caveats.
Thank you for that. We fully appreciate that although Counterpane,
the company you founded, has been acquired by BT and you are now
an employee of BT, we are talking to you today in your personal
capacity, not in any way as a representative of BT.
Mr Schneier: Excellent.
Let us get into the questions then and let me ask the first question.
Is it possible to put a figure, however approximate, on the cost
to the global economy of the insecurity experienced by those using
the Internet? What are the main categories of cost and where are
Mr Schneier: It is a hard question and everyone
tries to answer this, because everyone wants to know what are
the costs of insecurities. It is hard because a lot of the costs
are fuzzy; a lot of them are not well known. We do not have the
kind of data you might have on bank robberies or conventional
street crime. When you look at the costs, there are the direct
financial costs. Right now the big crime is identity theft and
there are significant costs. In the US, it is now being said that
the amount of profit is greater than the drug trade. That number
is being bandied about. It is very hard to know if that is true,
because real numbers are hard to get. How much of it is Internet-borne
versus "just happens to use the Internet"? Certainly
it is in the billions, and direct money is being stolen. When
banks are broken into through cyber means they often do not publicise
the losses, and so we do not have access to any of that data.
A lot of companies keep this secret. There are direct costs also
in proprietary information. There is lots of anecdotal evidence
that it is not really good to release a lot of data as to how
much that costs. The other class is loss of productivity, loss
of time. You will see this in the media: "Big Worm Hits",
and it is tens of billions of pounds in damage. That is calculated
by how many hours did it take for people to get rid of it, times
how much they are paid, and that is how much it costs. Of course,
these people are paid on salary and they are working overtime;
so are those costs real or not? It all depends how you count.
A loss of productivity: if your email is down for a day, there
is a loss there; but how much do you make up? Amazon knows literally
to the penny how much money they lose if their website goes down.
They know their throughput. But, much to everyone's surprise,
when their website goes down for an hour they tend to make that
money back over the next day or so. The customers do not leave
and go elsewhere; most of them just say, "Oh, the website's
down. I'll try again later". So do you really count those
costs? That is hard. There are therefore those indirect costs.
There is another class of costs, which I call the "fuzzy
costs": the reputation costs. There are some very public
breaches that cost companies their good name. A good example was
in the United States a couple of years ago. There was a breach
of ChoicePoint, a data broker, and 165,000 personal names and
information were stolen. That company took a very serious hit
in their stock price, and you could make a very good argument
that was directly an effect of the attack. How much is the brand
of a bank worth? So there are the costs there. There are also
insurance costs that companies are paying. You could look at the
entire cost of the security industry. In effect, all the security
products you buy are making up for the bad products you have to
protect, and that is a multibillion-pound industry. So you look
at it that way. It is real hard to get a handle on the numbers,
but that is a flavour of where they might be.
Do you have a feel for the problem that there is to the individual?
We are mainly interested in personal Internet security. Personal
identity theft is very troubling for people. I assume that must
consume a great deal of time. Would you have any idea about the
number of people who never get it resolved?
Mr Schneier: No, we do not know. There are identity
theft numbers that are out there. One of the problems is that
the definition of identity theft has been changing, so it is hard
to get a handle on. The US Government publishes numbers. I do
not know what they are, but I know they are published. What exactly
do they mean by identity theft? If I steal your credit card out
of your wallet and go use it, that is identity theft but it is
not what we are talking about here. We are talking about someone
impersonating you to a bank, getting credit, getting loans. We
have had examples of somebody going away on vacation; they come
home and their house has been sold, because someone impersonated
them in the real estate market and sold their house. They are
very hard things to unravel. Numbers are tough. I think that the
US really has a very bad way of dealing with credit reports, credit
ratings, and how regulated the industry is. It can take years
for someone to restore their good name. In many cases, the money
lost is eaten by the banks and the credit card companies, and
that is relatively straightforward. It is the time to restore
your good name and the stress. It takes people years; they cannot
get loans; in some cases their car gets repossessed, even though
it is not them; there are arrest warrants out for them. That is
what takes a huge amount of time. Putting a dollar figure on that
is very difficult, but that is the real cost to the individual.
When people are scared, that is what they are scared about. In
the US, if you lost your credit card it is a $50 maximum charge
to you as an individual; but if your credit rating gets trashed,
the effects are enormous; they permeate all through your life.
You have trouble getting a job; you cannot get a loan; when you
try to rent an apartment, you are not able to. It really affects
Q529 Lord Young of Graffham:
What do you understand by "personal Internet security"
and who should take responsibility for it?
Mr Schneier: I think that there is a lot of
responsibility to go around. The way I often look at it is who
can take responsibility? It is all well and good to say, "You,
the user, have to take responsibility". I think the people
who say that have never really met the average user. I always
use my mother as an example. She is not stupid; she is very intelligent,
but this is not her area of expertise. If I tell her, "You
have to be responsible for your Internet security", she will
not be able to. It is too technical, in ways she cannot deal with.
So I think that there is a role for the individual, but I like
the notion of credit cards. You, as an individual, are responsible
for the first $50 and the rest we force the credit card companies
to take. This is interesting. Even if you as an individual take
your card and fling it out of the window or hand it to somebody
and say, "Here, use it", you are only liable for $50,
even though you did all the things wrong. The reason that was
done, and I think it is actually very brilliant, is because
the credit card companies are able to solve the problem. Once
that law is passed, the credit card companies invest in technology.
You can go through that. We used to have books of bad numbers;
now there is online real-time verification of fraudulent cards.
Cards are delivered in the mail separately from the PIN that activates
it. You have to call and manually activate a card. There are expert
systems that look through the database of transactions, looking
for fraudulent patterns. I travel the world. I have used my card
in four countries in one day. I was in Winnipeg, Canada, last
year and my card was stolen. I used it in a restaurant and somebody
copied the number and made a forged card. In two transactions,
Visa cancelled my card, and I am amazed. So I think there
are some things that we make the user do. Then we have to look
towards who else can do it. I think that the ISPs for home users
very much should be responsible. Not that it is their fault, but
that they are in an excellent position to mitigate some of the
risk. There is no reason why they should not offer my mother anti-spam,
anti-virus, clean-pipe, automatic update. All the things I get
from my helpdesk and my IT department by virtue of being a BT
employee they should offer to my mother. I do not think they will
unless the US Government says, "You have to". I think
that there is a place where the responsibility should be there.
Going back, I think that the financial institutions need to bear
a lot of responsibility. Here is the problem in the US. Someone
gets my personal information, goes to a credit card company with
my details (and in the US credit cards are very easy to obtain,
so it is a much more pernicious problem than in the EU) and
gets a credit card in my name. So damage has happened to me and
I do not even know about it. I was not involved in the transaction
at all. The credit card company should be responsible for that
and should be forced to make me whole. They should be the ones
to go through the stress of restoring my good name, not me. That
makes sense. I would like to see some responsibility on the software
vendors, the operating system vendors, the hardware vendors. We
are paying the price of insecure software. There is, and
I make this up, a vulnerability in an application program
or operating system. Someone uses that to hack into my mother's
computer; put a Trojan on the computer; it sniffs her password,
and now steals money out of her account. You cannot say that the
software vendor is 100% liable for this, but I think it is equally
true that they are not zero per cent liable. There is a piece
that they can do. When you start looking round, there are a lot
of places where you could take responsibility. All the companies
really want to push it off; they do not want it. But if you give
it to them, like the credit card industry, then capitalism takes
over. Once they have the responsibility, they are now going to
figure out how to solve it cheaper, better, faster, smarter, and
we will get good solutions.
Q530 Lord Young of Graffham:
If we are talking about personal Internet security, we are talking
about the average "silver surfer" using it at home.
It seems to me that there are three areas. First, I am responsible
for the hardware I buy. Occasionally there are hardware faults
that give leaks in firewalls. Secondly, I am responsible for the
software I use. Thirdly, it is how I use it, so if I leave
my password insecure. There are those three areas, therefore.
How do I distinguish between my responsibility and the responsibility
of the hardware vendor and the software vendor? Those are the
two main areas.
Mr Schneier: I think it is hard and I think
this is where the tort system really works. I am not an attorney
but recently, because I am looking at the legal aspects, I
read a book on torts. There are incredibly complicated case histories
of partial liability and who gets what. It looks like the system,
although it is not easy, sorts that stuff out: how much of it
is the user's responsibility; how much of it was the hardware,
the software, the website, the ISP in the middle, the DNS server
here or some other user over there. You can have examples of DNS
attacks, where the company was not even responsible; that some
other attacker attacked a named server held by a public organisation,
redirecting traffic from the bank to this now phoney bank website.
I am entering my bank details; I am fooled. It would be hard to
say that I am responsible. There are some visual cues that I might
or might not be noticing. These are very hard cases, but I think
that we need to start poking at it. We need to start peeling it
away. It is probably many years, in different litigations, before
we sort it out.
What you are saying basically is that, while the responsibility
is distributed, you think a formula can be made up to distribute
that almost quantitatively. So if you have a certain problem,
then it is either the ISP provider, or it may be you, or it may
be your software manufacturer, or it may be your hardware manufacturer.
Mr Schneier: And it could be a combination of
things, like you see in some other areas of tort. Automobile liability: is
it the fault of the driver, the automobile manufacturer, the part
manufacturer, or the road conditions? There are standards of care
that are brought to bear; there are safe driving practices that
we expect from people; there are safe road conditions. Investigations
are made, the parties come into a room and demonstrate, "I
did this and therefore I'm not liable" or "I did this"
or "You didn't do that". So it is less that there is
a formula; more, there will be a recipe for figuring who did what.
It is likely to be relatively standardised. I think that a lot
of these frauds are very replicable; that they are not one-offs;
that when you see an attack that works, it happens again and again.
Attackers change tactics depending on the defences, but the primary
fraud is the same. Opening a credit card in my name is a very
standard thing that is done.
Q532 Lord Young of Graffham:
Could I come on to e-banking? A personal experience: my daughter
had an account with one of the big banks broken into, money taken,
and the account was closed. The bank obviously paid up in those
circumstances, but is e-banking safe? We are becoming more and
more reliant on the use of e-banking.
Mr Schneier: "Safe" is a relative
term. To me as a user, if I am not liable, then it is safe. The
bank, as a business, decides, however many basis points their
fraud is. If you look at credit cards or cheques, fraud is not
zero but it is a cost of doing business. You are going to have
the CISO of PayPal here. Ask him how many basis points fraud is,
and I will bet you that it is under one per cent. It is something
that they are trying to get down, but they are a profitable business
even though that fraud is there. So the question for the user
to ask is, "Am I liable?". If the bank said to me, "We
are going to give you a password and if money comes out of the
account using that password you have to pay it, regardless of
whether you did it or not. You are liable for all withdrawals",
I will say, "I don't want that password", because I
do not know what the bank's security practices are. I cannot control
them. The bank can do something. A file gets broken into, a password
is stolen, my money is taken and now I am at fault. If the bank
says, "Here is a PIN and only withdrawals you make will you
be charged for, and any you dispute we will give you the benefit
of the doubt", then suddenly I am okay with it, because it
is not my risk. The real question is who bears the risk. ATM cards
are another example. If there are fraudulent ATM withdrawals from
my account, I call my bank and they reverse them. They will probably
pull the tapes, look at the video recordings, see who actually
did it; but I have the benefit of the doubt there. So I am perfectly
happy with my bank card. If it was the other way, I would be less
Q533 Lord Young of Graffham:
Do you think things are improving or becoming more difficult?
Mr Schneier: Things are becoming more complicated.
I think the jury is out on whether they are getting better or
worse. By any metric, the numbers are getting worse. Fraud is
increasing; loss is increasing; damage is increasing.
Q534 Lord Young of Graffham:
But volume is increasing too.
Mr Schneier: Yes, volume is increasing too.
Definitely the criminals have found the Internet as a very good
place to steal. One of the reasons is because it is so easily
international. We actually see jurisdiction shopping. Organised
crime will find countries with poor computer crime laws, easily
bribed police, no extradition treaties, and they will launch their
crimes from there. We see a lot (at Counterpane we are monitoring) from
sub-Saharan Africa, from Eastern Europe, from South America, from
South-East Asia. So I think it is a growth area in crime. We are
seeing much more personal identity information being stolen, but
a lot of that is because you steal them in bigger batches now.
It is not that there is not a lot of evidence that there is more
crime there; I think there is. I think that companies are getting
a better handle on fraud. Again, you will have PayPal here and
they are great people to ask about stuff like that. PayPal is
a monster target out there, because their business is transferring
money over the Internet. What better target for an Internet criminal?
I will bet that their fraud has been going down, because they
are getting better at policing what they are doing. Sometimes
you will see measures that banks institute that do not reduce
fraud but they move fraud around from one bank to another and
then, when all banks are up to this level, a new tactic is developed.
So things are definitely getting more complicated. I would say
that on a personal level they are getting better, because companies
are very scared of all users losing faith, saying, "Oh, it's
not safe to buy on the Internet". If that happens, it will
be a huge loss.
Q535 Earl of Erroll:
Can I quickly ask a question on banking first? One of the problems
in the UK with banking is if the bank felt that the person had
given away their PIN number, because they had written it down
and someone had seen it, they denied all liability and they were
refusing to release details whether it was possible at all. The
default position was that the banking system must be secure because
the banks would not release information on it. Did you have that
trouble in the States?
Mr Schneier: In the States, it appeared from
the beginning that they followed the credit card model: that the
bank had to prove that you had committed fraud. I think that is
a much better model, because the user has no ability to prove
that he did not give away his PIN.
Q536 Earl of Erroll:
That was the problem here.
Mr Schneier: In the US the bank cards very quickly
followed the credit card model, and I think that was very brilliant.
In fact, in a lot of ways in the US, and I do not know if
it is true here, both models go through the same systems.
If I go to a store and I pay with my bank card or my credit card,
it is the same swipe machine. It is the exact same system.
Q537 Earl of Erroll:
It is the same here, yes. On a completely separate issue, you
have long been an advocate of holding software companies liable
for flaws in their products. Why would this be a good thing?
Mr Schneier: This gets back to putting the responsibility
for the problem on them to go back and fix the problem. I will
give a very broad explanation. We are paying, as individuals,
as corporations, for bad security of products. We are paying it
in after-market firewalls, anti-virus, buying Counterpane services,
and everything else. It is a huge industry. It is costing us a
lot to have insecure software. If we put the liability onto the
vendors, it would be expensive but they would either invest in
better-quality software development or longer development cycles;
they might have to buy insurance; they would certainly charge
more for their products. So there would be a cost to that also.
But in this second way, in this other cost, the software is improving.
Right now, we have a situation where the software is poor quality;
we buy these after-market products; the software does not get
any better. I want to see the liability moving onto the vendors,
to give them a bigger impetus to fix their products. Most of the
costs are an externality. The software vendor has an insecure
product: the cost is borne by us users. There are several ways
you can move the liability back. You can do it through regulation;
you can do it through liability that forces the software vendors
to spend more money on security, produce more reliable products,
and we all benefit. In general, that is why I think that is a
Q538 Earl of Erroll:
Just to clarify, by "vendor" you do not mean a third-party
intermediary; you mean the original manufacturer of the software?
Mr Schneier: No, I mean the manufacturer. In
US law, and this happened in the 1920s with automobiles, you
would buy an automobile from an independent car dealer and you
had a problem with it. You could only sue the car dealer; you
could not sue the vendor. That is the notion of privity. That
was changed in the 1920s with the very famous case of McPherson
vs. Buick, which set the precedent that you as the individual
could sue the auto manufacturer and not the dealer. The idea was
that the auto manufacturer could fix the problem. Similarly, you
need the same thing with software. It is the person who designed,
wrote, built the software, the hardware.
Q539 Earl of Erroll:
I am not sure we have the same legal system here. I know that
for a lot of stuff you sue the person, and to us the vendor is
the retailer of the thing, not the original producer or manufacturer.
That is a slight sidetrack, because one of the things that has
come out from previous witnesses is that it is virtually impossible
to produce software without some flaws in it. You then also get
a mix of software on an end-user's system which will be interrelating
in unpredictable ways. How do you decide where the liability lies?
Surely it will just make the whole thing impossibly expensive
or impossible for people to produce new software?
Mr Schneier: I do not think that
"difficult" is a reason not to try. Certainly those
are issues. I think that we are expecting flaw-free software.
I can tell you as a security expert that we in the industry have
no idea how to design flaw-free software. We cannot do it. We
can do a much better job. If you look at the software development
processes in aircraft manufacture, avionics, or in the space shuttle,
they are completely different from mass-market software. It probably
is not appropriate for mass-market software, but there are things
we can do. Even that software is never flaw-free. There have been
rockets that have blown up. An Ariane 5 rocket is an example that
comes to mind. We can do better, however. This is one of my problems.
There are lots of secure development tools out there that are
not being used; because, when push comes to shove, there is budget,
you have to get your product out quickly, and security takes a
back seat to features, to getting it out there. So more pressure
on the vendors to do a better job, not a perfect job, because
there will be some standard of due care; some standard that you