Full Disclosure


Q&A: Bruce Schneier, CTO of BT Counterpane

On biometrics and the future of security...

By Gemma Simpson

Published: 23 October 2007 15:56 BST

Security expert Bruce Schneier is well-known for his candid views on the security industry - one of the reasons he was named as one of this year's Agenda Setters.

silicon.com caught up with Schneier at the RSA Conference Europe 2007 to find out how internet security company BT Counterpane is doing, and to ask what tips Schneier has for dealing with cyber crime.

silicon.com: What are the current and future threats within the IT world?
Schneier: Crime - it's been around since Egyptian times so that's unlikely to change.

So how can CIOs fight cyber criminals?
You do that by dealing with threats and attacks because it's an arms race, which continues, is never perfect and you just sort of have to get along.

One future security technology is biometrics - what do you think of it?
Biometrics is complicated and I can't give a soundbite answer. Biometrics works in the areas in which it works and not in the areas where it doesn't work, is the short answer.

So biometrics is an authentication mechanism. As an authentication mechanism it works very well; when you don't have an authentication issue, it's irrelevant.

It was sold as a panacea, that the biometric ID card will [makes things] better and I'm not exactly sure how. No security mechanism is a panacea, it all just has some value.

Do you think the UK needs legislation similar to that seen in the US, such as in California, on data breach notifications?
The basic mechanism we have is that when a company loses your data, they don't actually care.

It doesn't affect them, it affects you because it's your identity that's been stolen. So we need to raise the cost to a company for a data breach by using public shaming as a cost, so that if a company loses its customers' data, it has to announce it and we laugh at [these companies] in the media.

That's the way that it works but this mechanism only works if the media laughs. So it worked really well in the beginning but now that there are a dozen a day, the media just isn't writing about it anymore.

But I do agree with that, even though it's not perfect, it's a decent mechanism.

How is life at Counterpane since it was acquired by BT?
It's actually going better than I thought it would. It's always weird when a little company gets bought by a bigger company but - in a surprising display of wisdom - we have largely been left alone and [BT is] treating us as an independent company within BT.

As a company we had two basic issues. One, we were not a big public company so there were a lot of times when we would win technically but we would not be chosen because we weren't a big phone company. And we did not have access at the boardroom level to the major deals and BT instantly solved that problem for us, instantly.

So suddenly we are now part of lots of major global IT contracts that we would never have seen otherwise. And suddenly we had this huge amount of credibility because of BT - and no one has ever heard of BT in the US - but in the rest of the world they seem to have a good reputation.

Would you recommend other smaller IT companies to go down this route?
It seems that way and it surprised me. It's frustrating to hear 'we like you but we can't take the risk because you may go bankrupt next week'.

There is that fear so I think there's a point in your growth cycle where you have to be public, because then you're part of the public company club. I didn't expect that - I never expected that we would be bought by a large ISP because fundamentally no one ever wants to buy security, ever.

In a previous interview with silicon.com you questioned the need for a security industry - do you still see it the same way?
After that interview, I wrote an essay called 'The Death of the Security Industry' where I expanded on [what I said] and I'm not saying security will die, of course it won't. But this [the RSA conference] will stop being a user conference and instead be an industry conference.

If I come up with a really clever windshield wiper, I don't try and sell it to you. I try and sell to Mercedes so it's an industry conference I go to.

So the future of the security industry is that. I'm not going to sell to you, I'm going to sell it to BT, AT&T, Pricewaterhouse - because that's going to the market and those guys are going to sell the bundle to you.

And the bundle will include airbags, it will include all the brakes and great inventions that are there in cars but you, the consumer, don't buy them individually and security becomes the same thing.

What will be next for Counterpane and BT?
We had a wish list of what we wanted to do which was as long as your arm and we just didn't have the time or the budget.

BT has given us the research money to do a lot of cool stuff and a lot of it is just getting better at protecting and responding - seeing the network, fighting the false alarms better, being able to make better prognoses, being able to work with more devices and integrating into BT's management systems because security is part of overall management.

You see better monitoring and tighter integration and those are the areas where you will see the work.

What is the theme of your keynote?
I'm going to talk about the difference between the reality and feeling of security and how the different pressures on both diverge and when they converge.

And it's tough - it's a hard talk to do because English doesn't have the right words because security is both a feeling and a reality.

You can feel secure even if you're not, you can be secure and you don't feel it - they are two very different concepts covered by the same word.

So we really don't have the language, so my thesis is that we need to pull those two things apart and understand them better but we don't have the language to pull them apart very well because the language is very muddy.
