Bruce Schneier, a security commentator and author who The Register calls, "The closest the security industry has to a rock star," took time to correspond via e-mail with Government Technology about the latest security threats to public-sector IT.
He publishes a popular blog and newsletter on Schneier.com. His most recent book, Schneier on Security, is a collection of previously published essays on security-related topics, such as identification cards, cyber-crime, election security and the psychology of security.
A few CIOs in government are touting "user-generated government" -- i.e., mash-up applications and open source built by citizens. Though this appears to be an economical move, do you think turning to everyday citizens like this opens government to security threats?
Everything involving computers is ripe for security threats. As a security technologist, I'm often pointing out how bad things can be, but it's also important to remember that computers do a lot of good too. User-generated government initiatives have enormous potential to transform the way citizens interact with their elected officials and with government agencies. It will help citizens get more involved with the issues that affect their lives. This is all good. Of course there are potential security threats, and we should watch them, but that's no reason not to do this sort of thing.
Obama said he'll overhaul the nation's IT infrastructure when he takes office. If he somehow manages to fund and build new smart roads, smart buildings and a smart electrical grid, I assume it would open up a can of worms as far as security. Could a smart road be hacked, for example, and if so, what's vulnerable?
Everything involving computers is vulnerable and can be hacked. Again, that's no reason to deny ourselves the benefits of technology. Security is a trade-off, and the benefits of smart utilities, smart buildings and smart roads need to be balanced against potential abuses. I'd like to see us designing these systems in such a way as to minimize the potential for abuse -- by maximizing personal privacy for example -- to make that trade-off more beneficial.
Security is only as good as its weakest link, of course, so should the incoming Obama administration focus instead on the security of state and local government IT -- where in many instances security is lacking -- rather than what appears to be Obama's infatuation with the overarching national IT infrastructure? And what do
Security is lacking at all levels -- local, state and federal -- and it makes sense for the federal government to focus on the federal level. But infrastructure is infrastructure. Anything the government does in terms of technological improvements to the federal infrastructure can be replicated at the state and local level.
Do you think a key job responsibility for Obama's yet-to-be-named national chief technology officer (CTO) should be to improve IT security? If so, how would you advise that person to be most effective and efficient, given the country's bleak budget picture?
Get more budget. Security isn't free: not for corporations and not for the government. If the nation's CTO is going to try to do security on the cheap, then we're going to get cheap security. But given that Obama seems to realize that restricting budgets in our current fiscal situation is stupid, this shouldn't be a problem.
What's an under-the-radar security threat in government that people aren't paying enough attention to?
The threats have been the same for a while now: crime and privacy. One problem is that decisions we make now about data storage and use will be around for decades, so it's important to get it right.
In your book, you often mention security "theater" -- security measures that provide the feeling of effectiveness but don't really do anything. What's the most egregious instance of that going on right now, excluding security checkpoints at airports?
Security theater is everywhere in society. Photo ID checks in buildings are an excellent example. What exactly is the point of verifying that people have a valid photo ID?