Data, Laws, Cyber-Weapons Biggest Threats to Information Security

Companies monetizing user data, bad laws and the cyber-arms race are significant risks to information security, British Telecom CTO Bruce Schneier told attendees at the RSA Conference.

The three biggest information security risks in 2012 are the rise of big data, ill-conceived regulations and the prospect of cyber-war, a prominent security expert told attendees at the 2012 RSA Conference.

The people who are taking advantage of technology to further their own business models threaten the Internet, Bruce Schneier, a renowned security expert and CTO of British Telecom, said in a presentation at the RSA Conference in San Francisco Feb. 28. His talk was in stark contrast to the majority of the speakers at this year's conference, who focused on cyber-criminals, terrorists and hacktivists.

Just as the tobacco industry is called Big Tobacco and energy giants are called Big Oil, Schneier sees some of the larger Web companies becoming part of Big Data.

"I think the rise of Big Data is as important a threat in the coming years, one we should really look at start taking seriously," Schneier told his audience.

The shift toward looking at user data as a commodity is inevitable as storing data becomes less and less expensive, said Schneier. Companies such as Apple, Amazon and Google are basing their businesses on the prospect of monetizing user data, such as photos, documents, video, search history, shopping behavior and other online activity.

"It's easier and cheaper to search than sort," said Schneier.

Data is no longer being kept separate, but aggregated so that users can be shown targeted ads or directed to customized services, said Schneier. Advertising is just one way data can be collected, aggregated and monetized. Organizations can assess credit-worthiness, evaluate employees or even take the step toward linking with government or other legal data.

The risks to security arise because users have to relinquish control over their data. "Feudal security" refers to what happens when users have to depend on a company to safeguard their private data. Big Data cares about making money from advertisers. IT or user privacy are not priorities.

Users aren't just relinquishing control over their data, Schneier said, noting that smartphones and portable devices are also restricted in what the user can do with them.

For example, Apple doesn't give users the same access control on the iPhone that it does on its computers. "I can't do things as a security professional on my iPhone," said Schneier.

"Ill-conceived regulations from law enforcement" is the second biggest risk, according to Schneier. While law enforcement and legislators are operating with an "honest desire" to make the Internet safer to use, the laws they create introduce a host of new problems. Legislators are listening to law enforcement requests to pass laws that allow eavesdropping to catch cyber-criminals. These kinds of laws do not make the Internet more secure for the vast majority of users.

"Mostly, what they propose is dumb," said Schneier.

Users concerned about privacy should use Skype, with its encrypted peer-to-peer communications protocol, and secure personal information by deleting it online, he suggested.

Businesses are manipulating the government to propose problematic laws in order to further their business goals, said Schneier. They are lobbying to get laws passed that benefit only their own businesses, instead of what would have a universal benefit.

"The security community doesn't have a lobby, common sense doesn't have a lobby, and technical excellence doesn't have a lobby," said Schneier.

The proposal to move away from anonymity and require users to have a trusted identity in cyber-space would be expensive to implement and still be less secure, according to Schneier. It is not possible to eliminate anonymity.

Schneier was also concerned about the prospect of an "Internet kill switch," which would allow the government to shut down the Internet in case of an emergency. "I don't trust my ability to ensure" that only the president can push that button, he said.

The final threat is the technological arms race currently going on between countries. As the hysteria about the prospect of a cyber-war escalates, countries such as the United States, China, Russia and the United Kingdom are developing defensive and offensive technologies and building up cyber-military capabilities. Private sector firms such as HBGary are also part of the race, Schneier claimed. The arms race is still in the early years, but will escalate as the government and military gain more control over the Internet and how it works.

"We are stockpiling cyber-weapons because we fear that everybody else is and we don't want to be left behind," said Schneier.

Schneier predicted fewer security products will be sold directly to consumers in favor of selling to Web companies, such as Facebook and Google. These companies will then be responsible for keeping users safe. The fundamental problem of security will go away, and there will be more government involvement, he said. Worst of all, much of the government and business activity online will be shrouded in secrecy.

"I think there's going to be a lot more security," said Schneier.