Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 560 - 565)

WEDNESDAY 21 FEBRUARY 2007

MR BRUCE SCHNEIER

  Q560  Lord O'Neill of Clackmannan: Obeyed, recognised. Are there sanctions?

  Mr Schneier: To me, the law is obeyed, first because most people are honest and, second, because there are penalties for not doing so. You need both. There is education on what is the law and how to obey it, and then there are the penalties if you do not. You do not ensure that it is obeyed; you just make sure that, if someone disobeys it, something happens.

  Q561  Lord O'Neill of Clackmannan: Perhaps I could ask you a question about security researchers—yourself. Have you been in a position where, by highlighting the difficulties which some companies have created for themselves, you are flagging up that they are not as free? Does it happen that researchers in the kind of field that you are in, when they do this, are exposed to criminal charges or civil charges?

  Mr Schneier: It has not happened to me, but it happens all the time. There is an enormous amount of corporate pressure put on researchers to keep these things quiet. To me, there is enormous value in making them public. Otherwise, people cannot make intelligent buying decisions; the problems never get fixed; the companies pretend they are not real. So there is a huge amount of debate and pressure to keep these secret. In the United States we have had researchers that have been sued; criminal charges have been put against them; they have been persecuted. I think that this is a huge problem. We need to recognise the enormous value of talking about flaws, of highlighting them. Before we as an industry started regularly exposing these flaws, companies would never fix them. Now even if we do not, there is still the threat. Something in the non-computer area, something that I was personally involved in—in the United States, and it is probably the same in the UK, you can print your boarding passes at home for air flights. Someone wrote a program on the web that allows you to print a fake boarding pass to get through airport security. The FBI raided his home and took away his computers. This was a flaw that I mentioned in 2003; a United States congressman mentioned it on the floor of Congress a couple of years later. These things were public. This person demonstrated it on the web, and he got hit real hard by government. What does that say about us as a community and how we respond to hearing about these things? I think that it reflects very badly.

  Q562  Chairman: He never attempted to make any money out of it?

  Mr Schneier: No, of course not.

  Q563  Chairman: Or to do it himself?

  Mr Schneier: And I did not either, and neither did Congressman Schumer. We all said, "Look, here's a problem. This exposes how silly this security measure is".

  Q564  Lord O'Neill of Clackmannan: There is a paradox here, is there not? For example, banks are not required to disclose how much they lose, but if someone were to identify a loophole in their system by which such losses are made, they would be hammered but the banks would still remain—

  Mr Schneier: Right, and I think that is backwards. If I am a consumer and I want to make an intelligent buying decision on which bank I should use, which software I should buy, I should have as much information as possible.

  Q565  Lord O'Neill of Clackmannan: Short of discouraging people from looking for flaws in the system, do you think there is any way that we could adequately protect researchers, or is it just one of the risks? They are in the jungle, there are big animals there, and they are going to get caught?

  Mr Schneier: No, I think researchers should be solicitously protected under laws protecting free speech or academic research. I would like to see protections for researchers. There really is not something like that in the United States. You would do well for the researchers in your country by ensuring that anything they do they will not be penalised for. There are analogues and whistleblower laws that you can look at, but I think that it is really important to have viable research. You learn about security by breaking things. That is the way you learn. If you cannot break things, you cannot learn. The criminals are always going to learn, always going to break stuff. We need to be smarter than them. We are not going to be smarter than them unless we can break things too. I think it is very important.

  Chairman: Mr Schneier, we have asked you a lot of questions and you have answered them in a most interesting way. It has been extremely useful to us and we are very grateful indeed to you. Thank you for coming to talk to us.





 


© Parliamentary copyright 2007