Examination of Witnesses (Questions 560
WEDNESDAY 21 FEBRUARY 2007
Q560 Lord O'Neill of Clackmannan:
Obeyed, recognised. Are there sanctions?
Mr Schneier: To me, the law is obeyed, first
because most people are honest and, second, because there are
penalties for not doing so. You need both. There is education
on what is the law and how to obey it, and then there are the
penalties if you do not. You do not ensure that it is obeyed;
you just make sure that, if someone disobeys it, something happens.
Q561 Lord O'Neill of Clackmannan:
Perhaps I could ask you a question about security researchersyourself.
Have you been in a position where, by highlighting the difficulties
which some companies have created for themselves, you are flagging
up that they are not as free? Does it happen that researchers
in the kind of field that you are in, when they do this, are exposed
to criminal charges or civil charges?
Mr Schneier: It has not happened to me, but
it happens all the time. There is an enormous amount of corporate
pressure put on researchers to keep these things quiet. To me,
there is enormous value in making them public. Otherwise, people
cannot make intelligent buying decisions; the problems never get
fixed; the companies pretend they are not real. So there is a
huge amount of debate and pressure to keep these secret. In the
United States we have had researchers that have been sued; criminal
charges have been put against them; they have been persecuted.
I think that this is a huge problem. We need to recognise the
enormous value of talking about flaws, of highlighting them. Before
we as an industry started regularly exposing these flaws, companies
would never fix them. Now even if we do not, there is still the
threat. Something in the non-computer area, something that I was
personally involved inin the United States, and it is probably
the same in the UK, you can print your boarding passes at home
for air flights. Someone wrote a program on the web that allows
you to print a fake boarding pass to get through airport security.
The FBI raided his home and took away his computers. This was
a flaw that I mentioned in 2003; a United States congressman mentioned
it on the floor of Congress a couple of years later. These things
were public. This person demonstrated it on the web, and he got
hit real hard by government. What does that say about us as a
community and how we respond to hearing about these things? I
think that it reflects very badly.
He never attempted to make any money out of it?
Mr Schneier: No, of course not.
Or to do it himself?
Mr Schneier: And I did not either, and neither
did Congressman Schumer. We all said, "Look, here's a problem.
This exposes how silly this security measure is".
Q564 Lord O'Neill of Clackmannan:
There is a paradox here, is there not? For example, banks are
not required to disclose how much they lose, but if someone were
to identify a loophole in their system by which such losses are
made, they would be hammered but the banks would still remain
Mr Schneier: Right, and I think that is backwards.
If I am a consumer and I want to make an intelligent buying decision
on which bank I should use, which software I should buy, I should
have as much information as possible.
Q565 Lord O'Neill of Clackmannan:
Short of discouraging people from looking for flaws in the system,
do you think there is any way that we could adequately protect
researchers, or is it just one of the risks? They are in the jungle,
there are big animals there, and they are going to get caught?
Mr Schneier: No, I think researchers should
be solicitously protected under laws protecting free speech or
academic research. I would like to see protections for researchers.
There really is not something like that in the United States.
You would do well for the researchers in your country by ensuring
that anything they do they will not be penalised for. There are
analogues and whistleblower laws that you can look at, but I think
that it is really important to have viable research. You learn
about security by breaking things. That is the way you learn.
If you cannot break things, you cannot learn. The criminals are
always going to learn, always going to break stuff. We need to
be smarter than them. We are not going to be smarter than them
unless we can break things too. I think it is very important.
Chairman: Mr Schneier, we have asked you a lot
of questions and you have answered them in a most interesting
way. It has been extremely useful to us and we are very grateful
indeed to you. Thank you for coming to talk to us.