Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 540 - 559)

WEDNESDAY 21 FEBRUARY 2007

MR BRUCE SCHNEIER

  Q540  Earl of Erroll: Alan Cox pointed out to us that what would probably happen is that then people will lock down their software and prevent third-party software interacting with this. Of course, that means that you do not get so much innovation; you also cease to open up the software and you get these big hegemonies, like Microsoft.

  Mr Schneier: My guess is that the companies protest a little bit too much; that in fact innovation is so profitable and so valuable that you will see it. I think that companies do not want to think about liability; so they are going to produce all these "doom" scenarios. My guess is that, when push comes to shove—just like in automobiles—there are after-market products. I think that it will reduce innovation somewhat, but I am not convinced that the new version of whatever software, with the 2,000 new features you will never use, is always a good thing.

  Q541  Earl of Erroll: That is looking at the products from the big companies. What about open-source software? Who will be liable for that?

  Mr Schneier: In the United States we have something called a Good Samaritan law. It basically means that if you see someone on the street, dying, and you attempt to save them, they cannot sue you. That is called the Good Samaritan law. I think there is a model there: that if I produce software for free and put it out there, there is some kind of Good Samaritan law going on, and if you use it there is no liability. If I choose to sell it to you, that is different. Then you can imagine companies, like Red Hat or other companies, taking free software, aggregating it, selling it—with support and with liability. I think that free software is not affected if you do this right. Then you also have a market for companies who take free software and verify it, or somehow build an insurance scheme around it—which you sort of have today, with companies like Red Hat dealing with free operating systems like Linux.

  Q542  Earl of Erroll: What about shareware?

  Mr Schneier: I think shareware is the same way.

  Q543  Earl of Erroll: Because you have paid something voluntarily for it.

  Mr Schneier: Right.

  Q544  Earl of Erroll: At the moment you paid, you would have a contract?

  Mr Schneier: No, I think because it is voluntary; it is a contribution. It is much more like a charity.

  Q545  Earl of Erroll: So that would be Good Samaritan law?

  Mr Schneier: Yes. The devil is in the details here. You would need someone who is an attorney to work this out, but I think that general philosophy would work here.

  Q546  Earl of Erroll: What worries me about it is this. I used to write software. If you take the first program I wrote, which was a rational formulation for feeding a dairy cow, I wrote it in my spare time in order to learn how to write a program, and it was the first commercial bit of software I wrote, sold by a particular company. That may well have had 1,001 flaws in it—now, when you bolt it onto something like the Internet. In those days we did not have the Internet. It was not written to be Internet-worthy, because it was doing a specific job. You will kill innovation like that, where people have a specific skill in a specific area and are not having to look at the global security, about pushing stacks and causing buffer overflows.

  Mr Schneier: I do not think you will, but I think you will spark an industry in sandboxing—which is a concept we use of taking a program and putting it in a safe area where it cannot affect everything else. So if you are the modern-day you, writing this piece of software and knowing that you cannot guarantee it is secure but you want to sell it anyway, maybe there is an after-market product where you take your software, put it in, wrap it around, and that provides the security. To me, as soon as you set up these economic incentives, capitalism just solves the problems. Innovation is going to work. There will be hundreds of security products, of security add-ins, of security toolkits. The software toolkit you will use to write that product will do the security automatically. All these things will exist. They do not exist today or they are not commercially viable today, because the market is not there for them. As soon as we say to the software vendors, "You take responsibility for your code", then the after-market, instead of trying to sell my mother a firewall, an anti-virus and all those end-user things, will go to software companies and sell them a bevy of products. I would rather see that, because the software companies are going to be smart about buying them.

  Q547  Lord Paul: Are security breach notification laws helpful?

  Mr Schneier: I do not know if you have one in the UK. In the US they are very spotty. California passed the first one. I think something like 27 states have followed suit. There is a federal law percolating through the works. It has not been passed yet. It has done a lot of good, but you could also argue that it has outlived its usefulness. Here is the basic idea behind security breach notification law. Companies like ChoicePoint have my personal data. I have no business relationship with them. If, when they lose my data, I suffer, I cannot do anything to them. By forcing them to tell me, we are doing a couple of things. We are notifying me, and we are making them look bad in the media. This is not a joke; I am really serious here. They were making them look bad. It is a public shaming. When the California law was passed, the first big disclosure was ChoicePoint. After that, CardSystems—40 million names stolen. These had huge play in the press. The companies looked very bad. They improved their security. By publicly shaming the companies we sent them to do better, to have better security. That worked really well. The problem is this. In some ways, the media are complacent in making this work. After 20, 30, 50, 100 breaches, the media stop writing about them. In the US we may have three or four security breaches a week, which never get any press. Occasionally one does. If it is a government agency it is more likely to get press. If it is tens of millions of names, it is more likely to get press. There is an attenuation effect. They were valuable but they have become less valuable. At the same time, if you speak to someone in California, he is getting all of these notices in the mail that his information has been stolen, and nothing is happening. So he now believes that there is not a problem; he stops reading them. The law was very valuable and it did a lot of good things. The first question you asked me was "How bad is the problem?". It gave us hard data on losses, but it really has outlived its usefulness in the United States. I think that it should still be done, because forcing companies to go public with the information is very valuable—to researchers, to policymakers—but as to the primary value, the public shaming, it is no longer news when someone's information is stolen. It happens too often.

  Q548  Lord Paul: The banks argued to us that reporting the loss of private data would increase anxiety and that customers were being bombarded with warnings. They felt that the companies should decide for themselves about the likely level of harm and about whether it was necessary to inform their customers.

  Mr Schneier: Of course they will say that. By definition, you do not want them to decide, because they are the ones who will decide, "Oh, we shouldn't spend the money and risk losing our customers". This is exactly the area where self-regulation will not work. Remember, it is in the companies' best interest not to publicise it. Before the law, we never heard anything, ever. We know what it looks like when companies decide for themselves: we never hear anything. Then they pretend there is no problem. It is only through the laws that we now know it is a problem and how pervasive it is. I do agree that, with lots and lots of notices, it is really a boy-who-cried-wolf problem. After the fifteenth notice, you just stop reading them; but I think that there is still value here. One of the things I want to see in the United States is this. We can do something called a "credit freeze" where, if we have our identity stolen and we are at risk, we can write to the credit bureaux and say, "Freeze my debt information"; that, if someone requests it, I am notified; that if someone overcharges on my credit card, I am notified. I think that if Company X has a million credit card numbers and they are all stolen, they should pay for that service for the people whose names are stolen for a year or so. That seems like a perfectly reasonable thing to ask.

  Q549  Earl of Erroll: Is also its primary use in notifying the authorities of the scale of the problem? Maybe it is not necessary to mail every single person who has just had their date of birth removed and their address, because that has gone about 20 times already; but it is very useful to the authorities to know who may be operating in which companies, stealing data. So it might be useful to have such a law for that purpose.

  Mr Schneier: It does have value there. I think that there is enormous value there. What industries are better or worse; what sorts of regulatory environments are better or worse. In the United States we have our little state Petri dishes: we have slightly different environments, and you can learn what works and what does not.

  Q550  Chairman: Are there authorities monitoring loss of data? If a bank accidentally has a loss of a few thousand names, they might say, "Nobody is going to know". Is there somebody looking?

  Mr Schneier: Not really. The law will say that in these states you have to report. I do not think that there is a lot of verification of whether they do or not. I believe that most companies are honest about this, simply because the employees know that it is the law and it is the right thing to do; but there is not a lot of verification. There is not a lot of follow-up on what happened to those names. To me, that kind of data would be very useful: to follow a particular loss; how it happened. This is the fundamental problem. If I had been here two years ago and if you had asked me, "How should users protect themselves from identity theft?" one of the things I would have said would have been, "Shred your trash". That information today is obsolete. Nobody steals personal details, one at a time, from the trash any more; they steal them by the thousands, by the millions, out of these databases. So if you as a fraudster want ten or 100, you cannot get ten; you have to get a million. They do not come in smaller blocks. This is one of the problems. Most of the information stolen is never used, because you only need a little of it. There is only so much fraud you can do; your throughput is only so great. But there are economies of scale, and we are getting better.

  Q551  Lord Mitchell: You have touched on some of these issues, but it is particularly to do with regulation. Do you think that it is likely to improve personal Internet security, or should we be able to change incentives and leave the industry to self-regulate?

  Mr Schneier: I think that changing incentives is regulation. I do not like to see regulation that says, "You have to have this brand of firewall, these settings, and do this". I do not like regulation that focuses on the how; I like regulation that focuses on the what. To me, the value of regulation is to set the playing field. A regulation might be, "ISPs are responsible for end users' viruses, zombies, botnets"—whatever. I am sort of making this up. That kind of regulation now forces the ISPs to invest in the technology to do it. It is some of each. That is regulation that sets the playing field. Regulation might say, "Software vendors are liable for flaws in their products that cause losses". That is a regulation that sets the playing field. Less so, the regulation that says, "Here is how you fix it". Environmentalism is a good analogy here. I like to see regulation that says, "The maximum level of this pollutant is `x'. How do you achieve it? You could shut down your factory. You can buy scrubbers. How you deal with it, we don't care"—rather than regulation that says, "You must use this type of scrubber in your smokestack". To me, regulation that sets the playing field is very valuable. Another thing government can do—and we are starting to see it in the United States—is use its buying power. The United States Government buys an enormous number of computers, operating systems and application software. It can start making security demands on these products. The benefit of the software industry is that the first copy is expensive, all the rest of them are free. If the Government says to an operating systems vendor, "You must have this type of security", the operating systems vendor does it—and we all benefit, because now it is embedded in all of its offerings. Right now in the United States there is a procurement going on for an encrypted laptop. One of the problems we have is that government officials lose their laptops and government secrets all the time. I am sure you have the same problem. So the Government, under the auspices of NIST, is holding an open competition for encrypted laptops. Software vendors will be submitting their products. I am not sure how it is going to work. This is phenomenal. This will force all of the vendors to produce a product; to have some very good government standards; the winner will get an enormous PR boost; all the losers will fix their products—they lost, but they will do better next time—and we all, even people in the UK, will benefit because those products will now be for sale. That is a huge way in which government can help. Instead of governments buying firewalls, routers or application programs, they could put in a demand requiring a secure software development—and we all benefit.

  Q552  Chairman: The great advantage is that the cost of the item that holds the software is basically zero. You do not have inventory problems, do you, because the plastic disks are worth nothing? If you want to upgrade your software because you have been forced to upgrade it, that can be done at very little cost, can it not?

  Mr Schneier: It is not even plastic disks. These days, I buy software online. The cost is zero. Upgrading can be hard. We live in a world where we have lots of security patches, and we find that the take rate of patches can be low—and that is unfortunate. We are doing better. Patching is a very hard problem. If you think about the way the patch works, it has to be incredibly quick. You want to get that patch out as quickly as possible. At the same time you have to test it in every possible configuration, and you cannot do both. Those are incompatible requirements. Companies—Microsoft is an example—went to a system where they released their patches once a month. It is called "Patch Tuesday". They batch their patches, test them well, and release them once a month. On the one hand, that increases the length of time that a system is unpatched, and that is bad; on the other hand, the patches are much more reliable; users are much more likely to turn on automatic patching and, overall, we get better security. The cost to push those upgrades down is not zero; it is there, but we are getting better as an industry in doing that reliably, effectively and efficiently. If a regime of liabilities comes in, software vendors will get even better at that, because they will have to. We are doing better than we were, but there is still a cost to upgrading software in the field. There is stuff that you cannot upgrade. Cisco routers—there is no upgrade path for some of that. The way you upgrade is to buy a new one. When there is a vulnerability found in them, you are stuck; there is nothing you can do. That is not true for a lot of software; it is true for some of the appliances.

  Q553  Lord Mitchell: In the attempt to have this level playing field which you talk about, is there some way that regulation can keep pace with technological change? It always strikes me that all the regulators and the legislators are light years behind what is happening in the real world.

  Mr Schneier: I think the trick there is you legislate results, not methodology. So, yes, the legislation will never keep pace with technology, but the legislation should say that fraud is illegal, however it is done. Identity theft is illegal. You have to take responsibility for bad things that you cause, whatever the technology. So it is not technology that covers streaming music or particular things, but legislation that is technologically invariant—that is the best. You are right: we are not going to know the criminal tactics, the ways the Internet will be used, where the threats come from, the particular technological configurations, but crime never changes. We talk about identity theft like it is a new crime, but it is not. It is fraud due to impersonation. There is English common law on these problems. What is new is the regime where it is playing out; the economies of scale; some things are easier, some things are harder; but the crimes are essentially the same. One of the problems we have is denial-of-service extortion. This is a new area of organised crime. We are seeing more of it in companies we monitor. Organised crime will have a bunch of zombie computers. These are computers they control, which they can use to send traffic out. They will extort money. They will attack you, drop your servers, and then demand you pay up or they will do it again. This is extortion. It is not a new crime; it is an old crime. I want the laws to be written so that they are invariant to technology. If we do that, I think we will be okay. We have a problem in the US with eavesdropping. All of our laws are written about telephone eavesdropping. They are all "telephone, telephone, telephone". Now people chat on email, on SMS, on voice-over IP. Guess what? The laws did not apply. If the laws are written to apply to conversation by whatever means, then it does not matter what you invent in the future: the laws apply. The laws have to be written well and, if they are written well, I do not think there is a problem.

  Q554  Lord Young of Graffham: Our machines get upgraded. It seems to me that every time I switch it on, twice a week, it has been upgraded overnight. But if I do not change my password or, worse, do not put a password in the day I get it—I just cannot be bothered—whose responsibility is it then? It is my responsibility, is it not?

  Mr Schneier: I do not think so. If your computer is sitting in your house and the door is locked, the key in your front door is your password. Do you mean a special computer password?

  Q555  Lord Young of Graffham: Yes.

  Mr Schneier: I have a computer at home that has no password, because I consider it is in the secure perimeter of my home. It is different from a laptop computer, which is right now in my hotel room. There is a very different set of security assumptions going on there. Even if there is a password, that does not mean you are safe. Lots of things can be done anyway. Passwords are much easier to break these days. I did an essay on this about a month ago. There are companies that sell software that break passwords. They sell to law enforcement; they sell to companies. Employees that leave or get fired or, in worse cases, die—they need to recover their passwords. So there is methodology for password recovery. Passwords do not mean "safe". They are a barrier to entry: in some cases not a very good one. So be careful. Do not look at the technology as that you did this magic spell and therefore you are safe. Everything is a barrier, and they all seem to be surmountable with enough effort.

  Q556  Lord Young of Graffham: Thank you. You have saved me a certain amount of effort in the future!

  Mr Schneier: You know the joke about not having to outrun the bear, but just having to outrun the people you are with? In a lot of ways, security for the home is like that. If I am more secure than the people next door, the criminals will go there. If my company is more secure than that company over there, the criminals will go over there. As an individual or as a company, my goal is not to reduce crime; my goal is to move it over there, without that happening to me. From your perspective, that is not good enough. You want to reduce crime, because if you just move it from one town to the next that will make no difference. It really depends on the perspective.

  Q557  Lord O'Neill of Clackmannan: Do you think the Internet is well policed?

  Mr Schneier: The Internet is better policed than it ever was. The Internet is by nature hard to police. The international nature makes it extremely difficult. Most of our crime laws are based on proximity. I walk up to you, hit you over the head with a rock and take your wallet. That is how we envision crime. That is how our laws work. Internet crime very often breaks international boundaries, goes into countries that have not very effective police, and it makes it hard to police. It can be very hard to prosecute these cases; they are very technical. It can be hard to prove someone was guilty. You can prove that the attack came from my computer, but how do you prove that I was the human being in front of the keyboard, directing the attack? Maybe my computer was owned by a computer in another country and the attack just came through my computer. It is very hard to prove. All that being said, we are much better than we were years ago. The law enforcement agencies in the United States, in Europe and in Asia have gotten much more savvy about Internet crime and how to deal with it. Our investigation tools are better; there is a lot more international sharing of information. So we are getting much better at it. This is the other half. We spend the entire time talking about one side of computer security: what can we do to prevent the bad things? The other side—how do we make the people who do the bad things not want to do it any more?—I think is equally important. Policing the Internet, putting criminals in jail, will go a long way to making the Internet safer. Just as we say we can never make the Internet perfectly safe or software perfectly secure, we are not safe against murder when walking through the streets of London; but because we live in a lawful society, because there are police, because people know if they commit murder they are likely to be caught and put in jail, that reduces the crime rate such that I am not wearing a bullet-proof vest and I feel safe not wearing it. I think there is a huge amount more that law enforcement can do, nationally and internationally, but we have made enormous strides. In some ways I am really proud—I know much more about the FBI than any place else—of the work they have been doing in making themselves smarter on computer crime.

  Q558  Lord O'Neill of Clackmannan: Would it be right to say that at one time it was almost beyond the law but it is now within the law?

  Mr Schneier: There are times when you could say that it was kind of like the Wild West, which is the American metaphor of local purchase law. That if you, as a community, as a business, could hire your own law, you could be safe; but out in the world it was just a complete mess. It is not that bad any more. I think that it is much better than that. There are still aspects of that, but it is better. Actually, the PayPal people will also talk about this. There is a dollar threshold in the United States before the FBI will get involved. Criminals know this, and so they are more likely to do small amounts of fraud to a lot of people than large amounts of fraud to a few people, because they can stay below the FBI's radar. Clearly something has to be done about aggregates, therefore. There are a lot of ways in which law enforcement can do better, but I think that we have done an enormous amount. If you look back ten years ago, the FBI was completely clueless.

  Q559  Lord O'Neill of Clackmannan: I am not asking you to pass comment on the law of the UK, but is there any way of ensuring that the law can be obeyed online?

  Mr Schneier: Can be ... ?



© Parliamentary copyright 2007