Schneier’s Deconstructions Will Never Work – No Matter What He Does
That title sounds a little harsh – we know that. But it serves a purpose nonetheless, namely turning Bruce Schneier’s latest essay title to our own purposes, and we like that. The title isn’t the point, however. The point is that Bruce Schneier, the cryptologist who has seen fit to call himself, present himself as, and take on a role that he has no qualifications for, that of “security expert” (or “security guru”…), has made a few more strange mistakes in his latest essay, “Our Security Models Will Never Work – No Matter What We Do”. And here’s our reply.
Basic Security, anyone?
Schneier’s essay is based on a few strange assumptions. First, he says: “Traditional security largely works ‘after the fact’.” Which is true. Sort of. There’s a major flaw in that statement, and anyone who has ever worked in physical security or holds any kind of certification in it will see what it is. However, here it is: “after the fact” should only be about 30% of the total security framework. If that, even. So what about the other 70-80%? Schneier doesn’t seem to think that percentage is important.
The premise of Schneier’s essay, and apparently his opinion and belief, is that security today is based on a prevention-only frame, and that the main goal of security is to prevent attacks and unwanted events at all cost. This is also the basis of the entire essay, where Schneier tries to point out that as technology and capabilities progress and evolve, society and security will have no way of preventing attacks carried out with ever more powerful technologies and weaponry.
If security had been based solely on a goal of prevention, this would be partly true, and Schneier would have somewhat of a point when he states that security doesn’t stand a chance in that race. Here’s what will come as a shock to Schneier, however: security isn’t based on a goal of prevention only. There is, in fact, more to it than that.
That Schneier, a so-called “security guru”, is unaware that no successful security organization would ever be built on “after the fact” security alone, with the sole goal of stopping or preventing an attack, is staggering – if he in all honesty doesn’t know even the most basic premises of security, he should stop publishing immediately, and retract his nonsensical books from the market as well.
Resilience? Don’t you mean…
Bruce spends a lot of words explaining why security can’t keep up with technological advances that “the bad guys” will eventually use to carry out large-scale and devastating attacks on society. That’s fine. The most telling part of Schneier’s little essay comes up for air in one of the last paragraphs, however. Here it is:
“If security won’t work in the end, what is the solution?
Resilience — building systems able to survive unexpected and devastating attacks — is the best answer we have right now. We need to recognize that large-scale attacks will happen, that society can survive more than we give it credit for, and that we can design systems to survive these sorts of attacks.”
Here’s the problem with Bruce’s “solution”: it has been done, it is being done, and it is basic security knowledge.
While Schneier has a point in that “before the fact” security (banning things before they’re used for something dangerous, for example) isn’t a viable solution, the fact that he thinks there are no “resilient” systems behind contemporary security thinking is mind-blowing, and it makes the whole essay and the train of thought it presents nothing but useless.
As usual.
A Lesson for Bruce Schneier
Let’s take a look at a core concept in modern organizational structure and modern security: the “PDCA Cycle”, or the Plan-Do-Check-Act Cycle (Brown & Blackmon, 2001).
Now, this is called a cycle simply because it’s a never-ending circle of security. That sounds a bit silly, but it’s in fact just the system Bruce doesn’t think already exists, and it’s exactly the system Bruce couldn’t think up on his own but could merely see a need for.
Well. Somebody saw it before Bruce. Long before. Here’s what’s at the core of most security operations, frameworks and plans that actually work:
Plan – Preventive measures.
Do – Mitigation functions.
Check – Loss event. Or attack, if you will.
Act – Response functions, or “after the fact” security, as Bruce calls it.
This means planning protective measures before they’re put into action. Then you DO all those mitigating things during daily operations. Verification or validation of those measures happens, strictly speaking, when an attack occurs or a “loss event” arises, but there should also be inspections and audits. At the end of the cycle, there are the response functions, where operations and situations are brought back to normal, and the cycle (system/security framework) is updated accordingly.
This tells us two important things, Bruce:
1: There’s a scalable, resilient system out there to provide evolution in security, and it works.
2: This is the very first chapter of any security textbook! You should try reading one sometime.
Or fact-check. Call a CPP or something. Jeez.