Paul McLellan

Tags: security, public interest technology, rsa, schneier
RSA: Bruce Schneier

4 Apr 2019 • 5 minute read

I have been following Bruce Schneier for a long time. He literally wrote the book on cryptographic algorithms, Applied Cryptography, in two editions, both of which I own. He has run an email newsletter, Crypto-Gram, since 1998 (subscribe). He has a blog, Schneier on Security, read by 250,000 people (I'm jealous).

In recent years, he's written less about the technical aspects of cryptography and security, and more about the social and societal aspects, starting with his 2003 book Beyond Fear: Thinking Sensibly About Security in an Uncertain World, which was basically written after 9/11. His latest book is Click Here to Kill Everybody. He is CTO of IBM Resilient these days, but he is better known simply as the most widely followed communicator in the security world for the last two decades.

He did two things at the recent RSA Conference. He gave one of the keynotes, which I'll get to below. And he ran a full-day track about public interest security, which was a first step at putting the ideas of his keynote into practice (I couldn't attend that day since I went to other things).

Going Dark

Christopher Wray talked about "going dark" [see my post RSA: The Director of the FBI for details]. Remember the Clipper chip? The FBI wanting into that iPhone? The new Australian law? There is a real technical problem here, and we could talk about ways to build better or worse backdoors, about the things that underpin "surveillance capitalism", data in the cloud. The underlying security needs really matter here.

There are also real policy questions underlying these technologies. There is a security benefit in having our data available to law enforcement, but there is also a security benefit in having our data secure even if law enforcement cannot access it. Your view might differ from that of the Director of the FBI.

But almost no policymakers are discussing this from a broad and technologically informed perspective. “Going dark” is a phrase designed to scare people. The FBI director was trying to scare people.

Back in the 50s, the British author C.P. Snow talked about "two cultures", lamenting the lack of dialog between them, broadly the scientific and the non-scientific. It was as if they were two different worlds. It is like that today. We have technologists who build tools without regard to how they upend society. And we have policymakers who don't understand the technology they are dealing with. Two cultures were okay in 1959, since technology and policy didn't overlap much except in a few areas like space programs and nuclear power. But today they are intertwined. Law is forever trying to catch up with technology. It is no longer sustainable for technology and policy to be in different worlds.

How We Got Here

The Internet was never designed with any public policy in mind. In the early days, it was assumed that it would never be used for anything important, and you had to be a bona fide member of a research institution to even access it. Those two things made it easy to ignore the policy issues.

The internet became critical to all aspects of our lives without any planning or forethought. Pretty much every form of communication and every piece of critical infrastructure depends on it; these technologies affect everything we do. And it is getting more so with AI, machine learning, robotics, and autonomy. Technology has become de facto policy.

Corporations more than the government have control over free speech and censorship. Corporations can set limits on personal freedom. Now we hear terms like surveillance capitalism, digital divide…we didn’t hear those five years ago.

The internet is no longer its own thing. It's part of airplanes, automobiles, and medical policy. It affects power, fairness, and democracy. It's part of everything.

Policy

Back to “going dark”. As internet security becomes everything security, we will never get the policy right if policymakers get the tech wrong. The DMCA debate had the exact same problem, policy without understanding technology.

Fixing this requires two parts. First, policymakers need to understand technology. They don't know enough to be useful, and lobbyists are happy to provide pseudo-tech. Just look at those Facebook hearings: we saw policymakers with no idea how Facebook works. It would help if a few of them were actual technologists. At the very least they need good BS detectors, and they need to hire the right staff.

The second part is for technologists to get involved in policy. We need more public interest technologists. Tim Berners-Lee called them philosophical engineers. Another good definition is "people who study the application of technology expertise to advance the public interest and promote the public good." We need public interest technologists to weigh in on the debate, on congressional staffs, in the press, and in academia.

Supply Chain Security

We desperately need supply-chain security. Lots of people are asking about Chinese technology. The Chinese are asking about US technology. But supply chain security is complicated: where are the chips made, where is the software written? The iPhone is not "made" in the US; its programmers carry 100 different passports. We've seen backdoors in routers. In 2003, a backdoor just barely didn't make it into Linux. There have been fake apps found in the Google Play store. We have to trust the shipping mechanisms. We've all seen that photo of the NSA putting a backdoor component into Cisco routers destined for the Syrian telephone company.

Remember that story from Bloomberg last October about Chinese components on cloud datacenter circuit boards? We still don't know whether it was true or not. [See my post Did the Chinese Really Attach Rogue Chips to Apple and Amazon's Motherboards? for details]

We could make a US-only iPhone, but it would be ten times the price and nobody would buy it. Any debate needs to consider all of this.

Another debate is over vulnerabilities. Should they be used for offense or defense? What do we do about cyber arms manufacturers? Election security: voting machines and beyond? Blockchain: what security properties does it have? IoT? 5G? Machine learning... and adversarial machine learning?

Tomorrow

I'll cover the second half of Bruce's keynote, including the Q&A, tomorrow.
