Companies monetizing user data, bad laws and the cyber-arms race are significant risks to information security, British Telecom CTO Bruce Schneier told attendees at the RSA Conference.
The three biggest information security risks in 2012 are the
rise of big data, ill-conceived regulations and the prospect of cyber-war, a
prominent security expert told attendees at the 2012 RSA Conference.
The people who are taking advantage of technology to further
their own business models threaten the Internet, Bruce Schneier, a renowned
security expert and CTO of British Telecomm, said in a presentation at the RSA
Conference in San Francisco Feb. 28. His talk was in stark contrast to the
majority of the speakers at this year's conference, who focused on
cyber-criminals, terrorists and hacktivists.
Just as the tobacco industry is called Big Tobacco and
energy giants are called Big Oil, Schneier sees some of the larger Web
companies becoming part of Big Data.
"I think the rise of Big Data is as important a threat
in the coming years, one we should really look at start taking seriously,"
Schneier told his audience.
The shift toward looking at user data as a commodity is
inevitable as storing cheap becomes less and less expensive, said Schneier. Companies
such as Apple, Amazon and Google are basing their businesses on the prospect of
monetizing user data, such as photos, documents, video, search history,
shopping behavior and other online activity.
"It's easy and cheaper to search than sort," said Schneier.
Data is no longer being kept separate, but aggregated so
that users can be shown targeted ads or directed to customized services, said Schneier.
Advertising is only just one way data can be collected, aggregated and monetized.
Organizations can assess credit-worthiness, evaluate employees or even take the
step toward linking with government or other legal data.
The risks to security arise because users have to relinquish
control over their data. "Feudal security" refers to what happens
when users have to depend on a company to safeguard their private data. Big
Data cares about making money from advertisers. IT or user privacy are not
Users aren't just relinquishing control over their data,
Schneier said, noting that smartphones and portable devices are also restricted
in what the user could do with them.
For example, Apple doesn't give users the same access
control on the iPhone that it does on its computer. "I can't do things as
a security professional on my iPhone," said Schneier.
"Ill-conceived regulations from law enforcement" is
the second biggest risk, according to Schneier. While law enforcement and
legislators are operating with an "honest desire" to make the
Internet safer to use, the laws they create introduce a host of new problems. Legislators
are listening to law enforcement requests to pass laws that allow eavesdropping
to catch cyber-criminals. These kinds of laws do not make the Internet more
secure for the vast majority of users.
"Mostly, what they propose is dumb," said
Users concerned about privacy should use Skype, with its
encrypted peer-to-peer communications protocol, and secure personal information
by deleting it online, he suggested.
Businesses are manipulating the government to propose
problematic laws in order to further their business goals, said Schneier. They
are lobbying to get laws passed that benefit only their own businesses, instead
of what would have a universal benefit.
"The security community doesn't have a lobby, common
sense doesn't have a lobby, and technical excellence doesn't have a
lobby," said Schneier.
The proposal to move away from anonymity and requiring users
to have a trusted identity in cyber-space would be expensive to implement and still
be less secure, according to Schneier. It is not possible to eliminate
Schneider was also concerned about the prospect of an "Internet
kill switch," which would allow the government to shut down the Internet
in case of an emergency. "I don't trust my ability to ensure" that
only the president can push that button, he said.
The final threat is the technological arms race currently
going on between countries. As the hysteria about the prospect of a cyber-war
escalates, countries such as the United States, China, Russia and the United
Kingdom are developing defensive and offensive technologies and building up
cyber-military capabilities. Private sector firms such as HBGary are also part
of the race, Schneier claimed. The arms race is still in the early years, but
will escalate as the government and military gain more control over the
Internet and how it works.
"We are stockpiling cyber-weapons because we fear that
everybody else is and we don't want to be left behind," said Schneier.
Schneider predicted less security products will be sold
directly to consumers in favor of selling to Web companies, such as Facebook
and Google. These companies will then be responsible for keeping users safe.
The fundamental problem of security will go away, and there will be more
government involvement, he said. Worst of all, much of the government and
business activity online will be shrouded in secrecy.
"I think there's going to be a lot more security,"