"We need to start making more ethical and political decisions about how our technologies should work. But because the internet has been so benign until now, we’ve allowed programmers to have this special light in society to code the world as they see fit. I don't think we can do that anymore. I think this is becoming too critical to allow programmers to do what they want."Schneier then outlined the disparity between agile development processes and 'getting it right first time,' for the consequences of getting this piece wrong are potentially just too dire. He hinted, as an example, that if we stay on present course in terms of a lack of standards and accountability, we will soon see ransomware for smart cars (which have become less vehicles with some computer capability and transformed into more powerful computers with an attached vehicle capability attached that they control). Let’s face it, the extortion business model prospect of gaining payment for returning the reliable control of someone’s braking system trumps the present-day model of returning their often backed-up encrypted files. On the controversial topic of government intervention in cyber security and technology more broadly, Schneier presented a sound case as to why this is now simply an inevitability rather than a debate.
"More government involvement in cyber security is inevitable simply because the systems are more real – we’re getting into the world of catastrophic risks as our computers become more physical."The context for such a statement on which he elaborated, however, is that we actually need smart, informed government involvement rather than reactive 'stupid' involvement. He went on to say that if we don’t pre-empt that approach and instead carry on as we are (with policy makers who don’t really understand technology and technologists who don’t understand government, referencing the Apple/FBI case), then we will most certainly get the latter. He pointed out the huge difference between devices like smartphones (whose security has naturally evolved through the disposability and continual upgrade of the devices to more secure platforms) and domestic appliances like thermostats, which may be replaced rarely if ever. He also talked a lot about ethics and the need for a possibly more altruistic technologist path of practice. In particular, he drew parallels to the practice of Public Interest Law, which despite its less financially lucrative incentives (raising questions many years ago about which of the brightest and best would go into it) now enjoys a 10% take up at Harvard where he is a fellow. In fact, Schneier covered so much in the short time he spoke that it’s impossible to capture much of it meaningfully here. I hope someone makes available videos or transcripts of the talk soon. As a final observation, Schneier's continued enthusiasm for the industry and eye on the new was a breath of fresh air that dispels some of the cynicism you sometimes hear about Infosecurity Europe as an event. He had clearly walked around the public show floor before speaking and made a concerted point of praising new companies and solutions providers in attendance which he hadn’t previously come across. 
As a neat parting touch from someone with their feet still firmly on the ground despite their clear status in the industry, he even offered to make anyone who turned up at a certain stand afterward a cocktail! I had other commitments, so I have no idea how that panned out in reality, but it was a great gesture nonetheless.

Hearing someone like Schneier speak can be a real inspiration and a reminder that what we all do as security professionals can make a difference to the world we live in and leave behind. It was an inspired keynote speaker booking and my Infosecurity Europe 2016 highlight, for sure!

Interested in learning more about this year's Infosecurity Europe conference? Read Tripwire's coverage of the event:
- Infosecurity Europe 2016 – Day One
- Infosecurity Europe 2016 – Day Two
- Infosecurity Europe 2016 – Day Three