Bruce Schneier, a security commentator and author whom The Register calls "the closest the security industry has to a rock star," took time to correspond via e-mail with Government Technology about the latest security threats to public-sector IT.
He publishes a popular blog and newsletter on Schneier.com. His most recent book, Schneier on Security, is a collection of previously published essays on security-related topics, such as identification cards, cyber-crime, election security and the psychology of security.
A few CIOs in government are touting "user-generated government" -- i.e., mash-up applications and open source built by citizens. Though this appears to be an economical move, do you think turning to everyday citizens like this opens government to security threats?
Everything involving computers is ripe for security threats. As a security technologist, I'm often pointing out how bad things can be, but it's also important to remember that computers do a lot of good too. User-generated government initiatives have enormous potential to transform the way citizens interact with their elected officials and with government agencies. It will help citizens get more involved with the issues that affect their lives. This is all good. Of course there are potential security threats, and we should watch them, but that's no reason not to do this sort of thing.
Obama said he'll overhaul the nation's IT infrastructure when he takes office. If he somehow manages to fund and build new smart roads, smart buildings and a smart electrical grid, I assume it would open up a can of worms as far as security. Could a smart road be hacked, for example, and if so, what's vulnerable?
Everything involving computers is vulnerable and can be hacked. Again, that's no reason to deny ourselves the benefits of technology. Security is a trade-off, and the benefits of smart utilities, smart buildings and smart roads need to be balanced against potential abuses. I'd like to see us designing these systems in such a way as to minimize the potential for abuse -- by maximizing personal privacy for example -- to make that trade-off more beneficial.
Security is only as good as its weakest link, of course, so should the incoming Obama administration focus instead on the security of state and local government IT -- where in many instances security is lacking -- rather than what appears to be Obama's infatuation with the overarching national IT infrastructure? And what do