Computerworld Hong Kong (CWHK): Are we actually any more secure today than we were five years ago?
Bruce Schneier (BS): In short, no. It's interesting that every year we have new technologies, new products, new ideas, companies and research, yet people continue to ask why things are so bad with security? And the answer is that fundamentally the problem is complexity.
The Internet and all the systems we build today are getting more complex at a rate that is faster than we are capable of matching. So while security in reality is actually improving but the target is constantly shifting and as complexity grows, we are losing ground.
CWHK: And is this the reality that we have to accept today and for the foreseeable future?
BS: I'm sure that this isn't the answer that many would want to hear but yes this is the reality today. I'm sure that out there somewhere is a point where the complexity slows down and we find a way to gain back some ground. But it's hard to envisage as there is so much change and it's happening so fast that every new thing brings added complexity. And complexity is the worst enemy of security.
CWHK: So how do we reconcile the irony that complexity is something we desire?
BS: The thing is we absolutely love complexity. It's down to using these new apps on our smartphones, it's using Skype on our work device while using the airport WiFi. We all like these things and having access to our data at all times, but this creates more complexity and it makes security harder.
There's no way I would advise anyone to stop doing these things so we just have to find ways to live with this.
If you look back to five years ago, we were all discussing how to lock down all our access points to the enterprise. Today all the data resides outside the network, so who cares about where the access points are today? That's the ongoing evolution we have to accept and deal with.
CWHK: So do we have to constantly redefine the meaning of security?
BS: We do that almost on a daily basis anyway. In the real world we do this, as security is a very much a local construct. What it means to be secure in Hong Kong is very different to say Manila or downtown Kabul. We as humans are very good at adapting to scenarios to create a new sense of normal.
Intuitively humans can do this when walking down a street and perceive if it is a good neighborhood and you adjust accordingly. But you then go to the Internet and you take my father who has little understanding of the Internet, he will have a very different security posture on the web versus a teenager who has a very intuitive feel about being on the Internet.
Sign up for CIO Asia eNewsletters.