Cybersecurity Profile: Bruce Schneier, Legendary Cryptographer

Bruce Schneier


You might be surprised to learn that legendary cryptographer Bruce Schneier’s initial academic focus was in physics. But cybersecurity is a field that often repurposes extraordinary minds from other disciplines, and in the early 1980s, when he was in college, there were few computer science programs to choose from and almost no educational resources specific to information security.

But computer security is what Schneier is known for today, something he credits to his mindset and worldview—a common refrain from security experts, who look at the world as a set of systems to be tinkered with and who could just as easily make themselves rich on the dark side if they wanted to.

Bruce Schneier has found plenty of success wearing a white hat, though. Currently employed by IBM, Schneier is also a fellow at the Berkman Klein Center for Internet and Society at Harvard and a board member of the Electronic Frontier Foundation.

Unlike some security experts, Schneier isn’t well known for facing down some hacker nemesis or inventing some critical and acclaimed tool or technique in the trade. Instead, it’s been his constant insightful contributions to the community that have made him so influential over the years.

Schneier Inspired A Generation of New Cryptographers

Cryptography is an integral part of the education of the modern cybersecurity professional, but when Schneier was coming into the field, it was an arcane and poorly understood science that was more closely associated with shadowy national security work than such basic functions as communication encryption or transaction signing.

His 1994 book, Applied Cryptography (revised in a second edition in 1996), is one of the most influential books on cryptography ever written. The timing of its release and the accessibility of the text primed a generation of security specialists to take cryptography seriously in digital applications. As a catalogue of the algorithms and protocols published in the open literature (as opposed to classified government work) since the 1970s, Applied Cryptography laid the groundwork for the generation of coders who built the financial and secure-communication networks that we now take for granted as undergirding the Internet.

Schneier has certainly produced solid and widely used cryptographic primitives. Among others, he designed or co-designed ciphers and functions including:

  • The block ciphers Blowfish, Twofish, and Threefish (Blowfish’s 64-bit block size makes it a poor choice for new designs today, and Schneier himself recommends Twofish over it)
  • The Yarrow and Fortuna cryptographically secure pseudorandom number generators
  • The Skein hash function, a SHA-3 finalist built on Threefish
  • The stream ciphers Helix and Phelix, and Solitaire, a stream cipher designed to be operated by hand with a deck of playing cards
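Of the ciphers listed, Solitaire is the only one small enough to show whole. The following is an added worked example written for this page from Schneier’s published description of the algorithm; it is not Schneier’s own code. The state is a deck of 54 cards (1 to 52 in bridge order plus two jokers), and every keystream value comes from four shuffling steps followed by a read of the top card. The unkeyed test vector from the specification (plaintext AAAAAAAAAA encrypts to EXKYI ZSGEH) is used to check the implementation; the passphrase CRYPTONOMICON in the round-trip call is just a sample input chosen here.

```python
# Added example, not from the page or from Schneier: the Solitaire stream
# cipher implemented from its published description. The state is a deck of
# 54 playing cards; each keystream value is produced by four shuffling steps.
from typing import List

JOKER_A = 53   # the two jokers; both count as 53 when used as a count
JOKER_B = 54
DECK_SIZE = 54


def new_deck() -> List[int]:
    """Unkeyed deck: 1..52 in bridge order (clubs, diamonds, hearts, spades), then the jokers."""
    return list(range(1, 53)) + [JOKER_A, JOKER_B]


def card_value(card: int) -> int:
    return 53 if card in (JOKER_A, JOKER_B) else card


def move_down(deck: List[int], card: int, steps: int) -> None:
    """Move `card` down the deck one position at a time. The deck is treated as
    circular: a card moved off the bottom re-enters just below the top card."""
    for _ in range(steps):
        i = deck.index(card)
        if i == DECK_SIZE - 1:
            deck.pop()
            deck.insert(1, card)
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]


def triple_cut(deck: List[int]) -> List[int]:
    """Swap everything above the first joker with everything below the second."""
    i, j = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
    return deck[j + 1:] + deck[i:j + 1] + deck[:i]


def count_cut(deck: List[int], n: int) -> List[int]:
    """Move the top n cards to just above the bottom card (the bottom card stays put)."""
    return deck[n:-1] + deck[:n] + deck[-1:]


def shuffle_step(deck: List[int]) -> List[int]:
    """Steps 1-4 of Solitaire. Returns the new deck; no output is produced here."""
    deck = list(deck)
    move_down(deck, JOKER_A, 1)
    move_down(deck, JOKER_B, 2)
    deck = triple_cut(deck)
    return count_cut(deck, card_value(deck[-1]))


def keyed_deck(passphrase: str) -> List[int]:
    """Key the deck: for each letter, run steps 1-4 and then a count cut by the
    letter's value (A=1 ... Z=26). An empty passphrase gives the unkeyed deck."""
    deck = new_deck()
    for ch in passphrase.upper():
        if "A" <= ch <= "Z":
            deck = shuffle_step(deck)
            deck = count_cut(deck, ord(ch) - ord("A") + 1)
    return deck


def keystream(deck: List[int], n: int) -> List[int]:
    """Step 5: after each shuffle, read the top card's value and output the card
    that many positions down; if that card is a joker, shuffle again instead."""
    out: List[int] = []
    while len(out) < n:
        deck = shuffle_step(deck)
        card = deck[card_value(deck[0])]
        if card not in (JOKER_A, JOKER_B):
            out.append(card)
    return out


def _letters(text: str) -> str:
    return "".join(ch for ch in text.upper() if "A" <= ch <= "Z")


def encrypt(plaintext: str, passphrase: str = "") -> str:
    msg = _letters(plaintext)
    msg += "X" * (-len(msg) % 5)          # pad to a multiple of five, as the spec does
    ks = keystream(keyed_deck(passphrase), len(msg))
    return "".join(chr((ord(p) - 65 + k) % 26 + 65) for p, k in zip(msg, ks))


def decrypt(ciphertext: str, passphrase: str = "") -> str:
    msg = _letters(ciphertext)
    ks = keystream(keyed_deck(passphrase), len(msg))
    return "".join(chr((ord(c) - 65 - k) % 26 + 65) for c, k in zip(msg, ks))


if __name__ == "__main__":
    # Published test vector: unkeyed deck, plaintext AAAAAAAAAA -> EXKYI ZSGEH
    print(keystream(new_deck(), 10))   # [4, 49, 10, 24, 8, 51, 44, 6, 4, 33]
    print(encrypt("AAAAAAAAAA"))       # EXKYIZSGEH
    print(decrypt(encrypt("SOLITAIRE", "CRYPTONOMICON"), "CRYPTONOMICON"))   # SOLITAIREX
```

Two things worth noting. First, the joker-skip in step 5 is why the output is not simply a permutation read-out: a shuffle can produce no output at all, so the keystream length is not a fixed function of the number of shuffles. Second, Solitaire was designed for Neal Stephenson’s novel Cryptonomicon as something a person could run with no computer; a bias in its keystream was later found by Paul Crowley, so it belongs in this list as a piece of cipher design, not as something to protect real data with.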

But his broader systemic analysis of security has proven to be the more lasting and important contribution to cybersecurity work.

Looking At the Meta-System Is a Schneier Specialty

Getting caught up in the tools and forgetting to analyze the context in which they are used is a common pitfall for people in IT generally, and in cybersecurity in particular. That tendency to focus on the technical while missing the human and organizational is somewhat endemic to personalities drawn to information technology, and it shows up in the same classes of failure being exploited by cybercriminals year after year: sound cryptography undone by careless key management, or a hardened system bypassed with a phone call to the help desk.

Schneier is nothing if not a big-picture guy, however. His ability to view the entire system in context, to weigh and acknowledge the inevitable trade-offs made in security systems, is key to his success as a researcher and adviser.

Schneier’s background in cryptography often lends his analyses an aspect of puzzle-solving. Growing up the son of a judge in Brooklyn helped hone his sense of reasoned analysis and argument. His father also inspired his interest in cryptography, leaving him secret messages in a private code. His judgment is such that, when journalists were first presented with the array of highly technical documents smuggled out of the National Security Agency by Edward Snowden, Schneier was one of the first people consulted to help verify their authenticity and importance.

Schneier’s adherence to realistic threat assessment has earned him the ire of politicians over the years. He coined the term “security theater” and consistently criticizes that aspect of many Department of Homeland Security measures. The way he calmly presents arguments against measures like mandatory photo ID checks, color-coded national threat levels, or confiscating liquids from airplane passengers has been known to drive politicians crazy, while his position that cybersecurity needs to become a more central part of the national defense strategy provides inspiration to genuine security professionals.

More than anyone, Schneier has attempted to convey his particular mindset to the cybersecurity world: to defend a system you have to be able to think like an attacker, and that “security mindset” is what separates security engineers from other engineers. His ability to break that concept down rationally is something that few other security experts have been able to manage. This helps explain why Schneier’s books remain recommended reading and why he is in high demand on the speaking circuit today.

His gentle insistence on facing the real threats, and coming up with real solutions, doesn’t play well in the minute-by-minute, hot-take world of social media and 24/7 news media. But it is, in fact, a vital part of building realistic and effective security systems, encompassing a holistic view of risk and costs that all cybersecurity professionals have to account for to be successful in their jobs.

Walking the Walk As An Impartial Security Analyst

Schneier is held in such high regard not simply for his insights and analysis, but also his independence. This has been consistent throughout his career but was particularly on display after the Snowden NSA document release. The documents came out while Schneier was working for British Telecom (BT), which had bought his company, Counterpane Internet Security, back in 2006.

Among the other revelations in the documents were indications that a number of major telecom service providers had given the NSA and GCHQ (Government Communications Headquarters, the British equivalent) carte blanche access to their networks for surveillance purposes. One of those providers was identified as BT.

Schneier’s public commentary on the actions of those providers pulled no punches. He publicly called for engineers to examine and expose the mechanisms used to perform the surveillance and to continue to leak information and provide methods to circumvent such broad-spectrum covert observation, and further declared that “…government and industry have betrayed the Internet and us.” There was very little question as to which industry he was referring to.

Although both Schneier and BT denied that his subsequent departure from the company had anything to do with his comments, the fact that he was willing to say what he said about BT despite drawing a paycheck from them really showed his overall commitment to security and openness, regardless of personal interests. That sort of credibility continues to bolster his reputation in the cybersecurity community and makes him a security expert to pay attention to.