Snowden And Schneier Point Out Another Reason Not To Undermine Internet Security: Information Asymmetry
from the all-using-the-same-stuff dept
Neither Edward Snowden nor Bruce Schneier needs any introduction around here. So Techdirt readers won’t require much encouragement to watch an interview of the former by the latter, conducted last week at the Harvard Data Privacy Symposium. It is frustrating that Snowden emphasizes at the start that he won’t be revealing anything new, because he believes it’s for journalists, not him, to decide what is in the public interest, and when it can be released. That said, the whole interview is well worth watching to enjoy the interplay of two people who are experts in the field of security, although in very different ways.
Towards the end, they discuss an issue that hasn’t received much scrutiny so far: the relationship between offensive and defensive operations by intelligence services, and between surveillance and security. Here’s what Schneier says, around the 50-minute mark:
The NSA has to balance two different focuses: defend our networks, and attack their networks. Those missions made a lot more sense during the Cold War, when you could defend the US radios and attack the Soviet radios, because the radios were different. It was us and them, and we used different stuff. What’s changed since then is that we’re all using the same stuff: everyone uses TCP/IP, Microsoft Word, Firefox, Windows computers, Cisco routers.
Whenever you have a technique to attack their stuff, you are necessarily leaving our stuff vulnerable. Conversely, whenever you fix our stuff, you are fixing their stuff. This requires a different way of thinking about security versus surveillance, a different way of balancing, that we can’t simultaneously do both. And when we look at all the attack tools out there, the vulnerabilities are great but every time we hoard a zero day, hoard a vulnerability, we are leaving ourselves open to attack from anybody.
Snowden builds on that remark, referring to the recent revelation in Der Spiegel that the US has been spying successfully on North Korea’s computers for years:
We have compromised their networks, according to the NSA documentation, since 2010. We have been hacking North Korea successfully, and yet it didn’t provide us a lot of detail, it didn’t provide us a lot of information. We missed missile launches, we missed nuclear tests, we missed leadership changes, we missed health issues, we missed military drills. And we even missed the Sony attacks that they launched, even though we were eating their lunch over and over, over the course of years. But then they hack us once, just one time, with Sony, and everyone in the nation is rending their garments and going: ‘this is terrible, they’re attacking our basic values,’ because it was so much more valuable to them to win once, than it was for us to win thousands of times.
That asymmetry is why it makes no sense to put or leave vulnerabilities in that “same stuff,” as Schneier calls it. Leaving aside any self-interested desire by intelligence agencies to score points by breaking into systems elsewhere using backdoors, the West has far more to gain from well-wrought online security, and strong encryption, than it has to lose.