Examination of Witnesses (Questions 540
WEDNESDAY 21 FEBRUARY 2007
Q540 Earl of Erroll:
Alan Cox pointed out to us that what would probably happen is
that then people will lock down their software and prevent third-party
software interacting with this. Of course, that means that you
do not get so much innovation; you also cease to open up the software
and you get these big hegemonies, like Microsoft.
Mr Schneier: My guess is that the companies
protest a little bit too much; that in fact innovation is so profitable
and so valuable that you will see it. I think that companies do
not want to think about liability; so they are going to produce
all these "doom" scenarios. My guess is that, when push
comes to shovejust like in automobilesthere are
after-market products. I think that it will reduce innovation
somewhat, but I am not convinced that the new version of whatever
software, with the 2,000 new features you will never use, is always
a good thing.
Q541 Earl of Erroll:
That is looking at the products from the big companies. What about
open-source software? Who will be liable for that?
Mr Schneier: In the United States we have something
called a Good Samaritan law. It basically means that if you see
someone on the street, dying, and you attempt to save them, they
cannot sue you. That is called the Good Samaritan law. I think
there is a model there: that if I produce software for free and
put it out there, there is some kind of Good Samaritan law going
on, and if you use it there is no liability. If I choose to sell
it to you, that is different. Then you can imagine companies,
like Red Hat or other companies, taking free software, aggregating
it, selling itwith support and with liability. I think
that free software is not affected if you do this right. Then
you also have a market for companies who take free software and
verify it, or somehow build an insurance scheme around itwhich
you sort of have today, with companies like Red Hat dealing with
free operating systems like Linux.
Q542 Earl of Erroll:
What about shareware?
Mr Schneier: I think shareware is the same way.
Q543 Earl of Erroll:
Because you have paid something voluntarily for it.
Mr Schneier: Right.
Q544 Earl of Erroll:
At the moment you paid, you would have a contract?
Mr Schneier: No, I think because it is voluntary;
it is a contribution. It is much more like a charity.
Q545 Earl of Erroll:
So that would be Good Samaritan law?
Mr Schneier: Yes. The devil is in the details
here. You would need someone who is an attorney to work this out,
but I think that general philosophy would work here.
Q546 Earl of Erroll:
What worries me about it is this. I used to write software. If
you take the first program I wrote, which was a rational formulation
for feeding a dairy cow, I wrote it in my spare time in order
to learn how to write a program, and it was the first commercial
bit of software I wrote, sold by a particular company. That may
well have had 1,001 flaws in itnow, when you bolt it onto
something like the Internet. In those days we did not have the
Internet. It was not written to be Internet-worthy, because it
was doing a specific job. You will kill innovation like that,
where people have a specific skill in a specific area and are
not having to look at the global security, about pushing stacks
and causing buffer overflows.
Mr Schneier: I do not think you will, but I
think you will spark an industry in sandboxingwhich is
a concept we use of taking a program and putting it in a safe
area where it cannot affect everything else. So if you are the
modern-day you, writing this piece of software and knowing that
you cannot guarantee it is secure but you want to sell it anyway,
maybe there is an after-market product where you take your software,
put it in, wrap it around, and that provides the security. To
me, as soon as you set up these economic incentives, capitalism
just solves the problems. Innovation is going to work. There will
be hundreds of security products, of security add-ins, of security
toolkits. The software toolkit you will use to write that product
will do the security automatically. All these things will exist.
They do not exist today or they are not commercially viable today,
because the market is not there for them. As soon as we say to
the software vendors, "You take responsibility for your code",
then the after-market, instead of trying to sell my mother a firewall,
an anti-virus and all those end-user things, will go to software
companies and sell them a bevy of products. I would rather
see that, because the software companies are going to be smart
about buying them.
Q547 Lord Paul:
Are security breach notification laws helpful?
Mr Schneier: I do not know if you have one in
the UK. In the US they are very spotty. California passed the
first one. I think something like 27 states have followed suit.
There is a federal law percolating through the works. It has not
been passed yet. It has done a lot of good, but you could also
argue that it has outlived its usefulness. Here is the basic idea
behind security breach notification law. Companies like ChoicePoint
have my personal data. I have no business relationship with them.
If, when they lose my data, I suffer, I cannot do anything to
them. By forcing them to tell me, we are doing a couple of things.
We are notifying me, and we are making them look bad in the media.
This is not a joke; I am really serious here. They were making
them look bad. It is a public shaming. When the California law
was passed, the first big disclosure was ChoicePoint. After that,
CardSystems40 million names stolen. These had huge play
in the press. The companies looked very bad. They improved their
security. By publicly shaming the companies we sent them to do
better, to have better security. That worked really well. The
problem is this. In some ways, the media are complacent in making
this work. After 20, 30, 50, 100 breaches, the media stop writing
about them. In the US we may have three or four security breaches
a week, which never get any press. Occasionally one does. If it
is a government agency it is more likely to get press. If it is
tens of millions of names, it is more likely to get press. There
is an attenuation effect. They were valuable but they have become
less valuable. At the same time, if you speak to someone in California,
he is getting all of these notices in the mail that his innovation
has been stolen, and nothing is happening. So he now believes
that there is not a problem; he stops reading them. The law was
very valuable and it did a lot of good things. The first question
you asked me was "How bad is the problem?". It gave
us hard data on losses, but it really has outlived its usefulness
in the United States. I think that it should still be done, because
forcing companies to go public with the information is very valuableto
researchers, to policymakersbut as to the primary value,
the public shaming, it is no longer news when someone's information
is stolen. It happens too often.
Q548 Lord Paul:
The banks argued to us that reporting the loss of private data
would increase anxiety and that customers were being bombarded
with warnings. They felt that the companies should decide for
themselves about the likely level of harm and about whether it
was necessary to inform their customers.
Mr Schneier: Of course they will say that. By
definition, you do not want them to decide, because they are the
ones who will decide, "Oh, we shouldn't spend the money and
risk losing our customers". This is exactly the area where
self-regulation will not work. Remember, it is in the companies'
best interest not to publicise it. Before the law, we never heard
anything, ever. We know what it looks like when companies decide
for themselves: we never hear anything. Then they pretend there
is no problem. It is only through the laws that we now know it
is a problem and how pervasive it is. I do agree that, with lots
and lots of notices, it is really a boy-who-cried-wolf problem.
After the fifteenth notice, you just stop reading them; but I
think that there is still value here. One of the things I want
to see in the United States is this. We can do something called
a "credit freeze" where, if we have our identity stolen
and we are at risk, we can write to the credit bureaux and say,
"Freeze my debt information"; that, if someone requests
it, I am notified; that if someone overcharges on my credit card,
I am notified. I think that if Company X has a million credit
card numbers and they are all stolen, they should pay for that
service for the people whose names are stolen for a year or so.
That seems like a perfectly reasonable thing to ask.
Q549 Earl of Erroll:
Is also its primary use in notifying the authorities of the scale
of the problem? Maybe it is not necessary to mail every single
person who has just had their date of birth removed and their
address, because that has gone about 20 times already; but it
is very useful to the authorities to know who may be operating
in which companies, stealing data. So it might be useful to have
such a law for that purpose.
Mr Schneier: It does have value there. I think
that there is enormous value there. What industries are better
or worse; what sorts of regulatory environments are better or
worse. In the United States we have our little state petrie dishes:
we have slightly different environments, and you can learn what
works and what does not.
Are there authorities monitoring loss of data? If a bank accidentally
has a loss of a few thousand names, they might say, "Nobody
is going to know". Is there somebody looking?
Mr Schneier: Not really. The law will say that
in these states you have to report. I do not think that there
is a lot of verification of whether they do or not. I believe
that most companies are honest about this, simply because the
employees know that it is the law and it is the right thing to
do; but there is not a lot of verification. There is not a lot
of follow-up on what happened to those names. To me, that kind
of data would be very useful: to follow a particular loss; how
it happened. This is the fundamental problem. If I had been here
two years ago and if you had asked me, "How should users
protect themselves from identity theft?" one of the things
I would have said would have been, "Shred your trash".
That information today is obsolete. Nobody steals personal details,
one at a time, from the trash any more; they steal them by the
thousands, by the millions, out of these databases. So if you
as a fraudster want ten or 100, you cannot get ten; you have to
get a million. They do not come in smaller blocks. This is one
of the problems. Most of the information stolen is never used,
because you only need a little of it. There is only so much fraud
you can do; your throughput is only so great. But there are economies
of scale, and we are getting better.
Q551 Lord Mitchell:
You have touched on some of these issues, but it is particularly
to do with regulation. Do you think that it is likely to improve
personal Internet security, or should we be able to change incentives
and leave the industry to self-regulate?
Mr Schneier: I think that changing incentives
is regulation. I do not like to see regulation that says, "You
have to have this brand of firewall, these settings, and do this".
I do not like regulation that focuses on the how; I like regulation
that focuses on the what. To me, the value of regulation is to
set the playing field. A regulation might be, "ISPs are responsible
for end users' viruses, zombies, botnets"whatever.
I am sort of making this up. That kind of regulation now forces
the ISPs to invest in the technology to do it. It is some of each.
That is regulation that sets the playing field. Regulation might
say, "Software vendors are liable for flaws in their products
that cause losses". That is a regulation that sets the playing
field. Less so, the regulation that says, "Here is how you
fix it". Environmentalism is a good analogy here. I like
to see regulation that says, "The maximum level of this pollutant
is `x'. How do you achieve it? You could shut down your factory.
You can buy scrubbers. How you deal with it, we don't care"rather
than regulation that says, "You must use this type of scrubber
in your smokestack". To me, regulation that sets the playing
field is very valuable. Another thing government can doand
we are starting to see it in the United Statesis use its
buying power. The United States Government buys an enormous number
of computers, operating systems and application software. It can
start making security demands on these products. The benefit of
the software industry is that the first copy is expensive, all
the rest of them are free. If the Government says to an operating
systems vendor, "You must have this type of security",
the operating systems vendor does itand we all benefit,
because now it is embedded in all of its offerings. Right now
in the United States there is a procurement going on for an encrypted
laptop. One of the problems we have is that government officials
lose their laptops and government secrets all the time. I am sure
you have the same problem. So the Government, under the auspices
of NEST, is holding an open competition for encrypted laptops.
Software vendors will be submitting their products. I am not sure
how it is going to work. This is phenomenal. This will force all
of the vendors to produce a product; to have some very good government
standards; the winner will get an enormous PR boost; all the losers
will fix their productsthey lost, but they will do better
next timeand we all, even people in the UK, will benefit
because those products will now be for sale. That is a huge way
in which government can help. Instead of governments buying firewalls,
routers or application programs, they could put in a demand requiring
a secure software developmentand we all benefit.
The great advantage is that the cost of the item that holds the
software is basically zero. You do not have inventory problems,
do you, because the plastic disks are worth nothing? If you want
to upgrade your software because you have been forced to upgrade
it, that can be done at very little cost, can it not?
Mr Schneier: It is not even plastic disks. These
days, I buy software online. The cost is zero. Upgrading can be
hard. We live in a world where we have lots of security patches,
and we find that the take rate of patches can be lowand
that is unfortunate. We are doing better. Patching is a very hard
problem. If you think about the way the patch works, it has to
be incredibly quick. You want to get that patch out as quickly
as possible. At the same time you have to test it in every possible
configuration, and you cannot do both. Those are incompatible
requirements. CompaniesMicrosoft is an examplewent
to a system where they released their patches once a month. It
is called "Patch Tuesday". They batch their patches,
test them well, and release them once a month. On the one hand,
that increases the length of time that a system is unpatched,
and that is bad; on the other hand, the patches are much more
reliable; users are much more likely to turn on automatic patching
and, overall, we get better security. The cost to push those upgrades
down is not zero; it is there, but we are getting better as an
industry in doing that reliably, effectively and efficiently.
If a regime of liabilities comes in, software vendors will get
even better at that, because they will have to. We are doing better
than we were, but there is still a cost to upgrading software
in the field. There is stuff that you cannot upgrade. Cisco routersthere
is no upgrade path for some of that. The way you upgrade is to
buy a new one. When there is a vulnerability found in them, you
are stuck; there is nothing you can do. That is not true for a
lot of software; it is true for some of the appliances.
Q553 Lord Mitchell:
In the attempt to have this level playing field which you talk
about, is there some way that regulation can keep pace with technological
change? It always strikes me that all the regulators and the legislators
are light years behind what is happening in the real world.
Mr Schneier: I think the trick there is you
legislate results, not methodology. So, yes, the legislation will
never keep pace with technology, but the legislation should say
that fraud is illegal, however it is done. Identity theft is illegal.
You have to take responsibility for bad things that you cause,
whatever the technology. So it is not technology that covers streaming
music or particular things, but legislation that is technologically
invariantthat is the best. You are right: we are not going
to know the criminal tactics, the ways the Internet will be used,
where the threats come from, the particular technological configurations,
but crime never changes. We talk about identity theft like it
is a new crime, but it is not. It is fraud due to impersonation.
There is English common law on these problems. What is new is
the regime where it is playing out; the economies of scale; some
things are easier, some things are harder; but the crimes are
essentially the same. One of the problems we have is denial-of-service
extortion. This is a new area of organised crime. We are seeing
more of it in companies we monitor. Organised crime will have
a bunch of zombie computers. These are computers, controlled that
they can use to send track out. They will extort money. They will
attack you, drop your servers, and then demand you pay up or they
will do it again. This is extortion. It is not a new crime; it
is an old crime. I want the laws to be written so that they are
invariant to technology. If we do that, I think we will be okay.
We have a problem in the US with eavesdropping. All of our laws
are written about telephone eavesdropping. They are all "telephone,
telephone, telephone". Now people chat on email, on SMS,
on voice-over IP. Guess what? The laws did not apply. If the laws
are written to apply to conversation by whatever means, then it
does not matter what you invent in the future: the laws apply.
The laws have to be written well and, if they are written well,
I do not think there is a problem.
Q554 Lord Young of Graffham:
Our machines get upgraded. It seems to me that every time I switch
it on, twice a week, it has been upgraded overnight. But if I
do not change my password or, worse, do not put a password in
the day I get itI just cannot be botheredwhose responsibility
is it then? It is my responsibility, is it not?
Mr Schneier: I do not think so. If your computer
is sitting in your house and the door is locked, the key in your
front door is your password. Do you mean a special computer password?
Q555 Lord Young of Graffham:
Mr Schneier: I have a computer at home that
has no password, because I consider it is in the secure perimeter
of my home. It is different from a laptop computer, which is right
now in my hotel room. There is a very different set of security
assumptions going on there. Even if there is a password, that
does not mean you are safe. Lots of things can be done anyway.
Passwords are much easier to break these days. I did an essay
on this about a month ago. There are companies that sell software
that break passwords. They sell to law enforcement; they sell
to companies. Employees that leave or get fired or, in worse cases,
diethey need to recover their passwords. So there is methodology
for password recovery. Passwords do not mean "safe".
They are a barrier to entry: in some cases not a very good one.
So be careful. Do not look at the technology as that you did this
magic spell and therefore you are safe. Everything is a barrier,
and they all seem to be surmountable with enough effort.
Q556 Lord Young of Graffham:
Thank you. You have saved me a certain amount of effort in the
Mr Schneier: You know the joke about not having
to outrun the bear, but just having to outrun the people you are
with? In a lot of ways, security for the home is like that. If
I am more secure than the people next door, the criminals will
go there. If my company is more secure than that company over
there, the criminals will go over there. As an individual or as
a company, my goal is not to reduce crime; my goal is to move
it over there, without that happening to me. From your perspective,
that is not good enough. You want to reduce crime, because if
you just move it from one town to the next that will make no difference.
It really depends on the perspective.
Q557 Lord O'Neill of Clackmannan:
Do you think the Internet is well policed?
Mr Schneier: The Internet is better policed
than it ever was. The Internet is by nature hard to police. The
international nature makes it extremely difficult. Most of our
crime laws are based on proximity. I walk up to you, hit you over
the head with a rock and take your wallet. That is how we envision
crime. That is how our laws work. Internet crime very often breaks
international boundaries, goes into countries that have not very
effective police, and it makes it hard to police. It can be very
hard to prosecute these cases; they are very technical. It can
be hard to prove someone was guilty. You can prove that the attack
came from my computer, but how do you prove that I was the human
being in front of the keyboard, directing the attack? Maybe my
computer was owned by a computer in another country and the attack
just came through my computer. It is very hard to prove. All that
being said, we are much better than we were years ago. The law
enforcement agencies in the United States, in Europe and in Asia
have gotten much more savvy about Internet crime and how to deal
with it. Our investigation tools are better; there is a lot more
international sharing of information. So we are getting much better
at it. This is the other half. We spend the entire time talking
about one side of computer security: what can we do to prevent
the bad things? The other sidehow do we make the people
who do the bad things not want to do it any more?I think
is equally important. Policing the Internet, putting criminals
in jail, will go a long way to making the Internet safer. Just
as we say we can never make the Internet perfectly safe or software
perfectly secure, we are not safe against murder when walking
through the streets of London; but because we live in a lawful
society, because there are police, because people know if they
commit murder they are likely to be caught and put in jail, that
reduces the crime rate such that I am not wearing a bullet-proof
vest and I feel safe not wearing it. I think there is a huge amount
more that law enforcement can do, nationally and internationally,
but we have made enormous strides. In some ways I am really proudI
know much more about the FBI than any place elseof the
work they have been doing in making themselves smarter on computer
Q558 Lord O'Neill of Clackmannan:
Would it be right to say that at one time it was almost beyond
the law but it is now within the law?
Mr Schneier: There are times when you could
say that it was kind of like the Wild West, which is the American
metaphor of local purchase law. That if you, as a community, as
a business, could hire your own law, you could be safe; but out
in the world it was just a complete mess. It is not that bad any
more. I think that it is much better than that. There are still
aspects of that, but it is better. Actually, the PayPal people
will also talk about this. There is a dollar threshold in the
United States before the FBI will get involved. Criminals know
this, and so they are more likely to do small amounts of fraud
to a lot of people than large amounts of fraud to a few people,
because they can stay below the FBI's radar. Clearly something
has to be done about aggregates, therefore. There are a lot of
ways in which law enforcement can do better, but I think that
we have done an enormous amount. If you look back ten years ago,
the FBI was completely clueless.
Q559 Lord O'Neill of Clackmannan:
I am not asking you to pass comment on the law of the UK, but
is there any way of ensuring that the law can be obeyed online?
Mr Schneier: Can be ... ?