"We need to trust trust"
Bruce Schneier's new book, Liars and Outliers is a masterpiece of reason amidst a babble of security illiteracy
Bruce Schneier has had a distinguished career in security. He began as a cryptographer, inventing several well-known and well-respected algorithms for cryptographic tools. Then, following the success of his textbook Applied Cryptography, he took up the laudable goal of educating the world about the true meaning of security in a succession of popular books.
What I like the most about his career is that he has stood on the side of reason -- of scientific values, asking pertinent questions rather than peddling answers. Although I have never properly met Bruce Schneier, and we have only exchanged a handful of words over the years, I have often viewed him as a kindred spirit, handling the topics he discusses just as I might have. So I suppose it is no surprise that I am going to recommend his latest book.
The true meaning of ... Security++
In Liars and Outliers, Schneier goes deeper into what security really means than ever before. He describes why we need security, what we are really protecting against, and how the entire notion of security is fundamentally subjective and fraught with ambiguity.
Actually, the technical term is dilemma. He employs the basic tools of cooperative economics: the cooperative dilemma (whose best-known example is the Prisoner's dilemma) and Dunbar's hierarchy, to unravel the deeper meaning of our behaviour as individuals within social groups. If you have followed my own writings over the years, for instance in the recent USENIX booklet, A Sysadmin's Guide to Navigating the Business World, you will recognize these tools and the basic reasoning about how our behaviour is fraught with the tradeoffs between short- and long-term payoffs. The dilemma game is a basic tool for understanding the non-cooperative economics of how we make our choices.
The title of Schneier's book refers to "outliers" (a technical term used in statistics for cases that fall outside the norm), which emphasizes that, in any societal group, there will be those who make different choices that go against the norms of the majority. Actually, the title of the book is probably its weakest feature. Had the book been called "The true meaning of security" or something more trite, it might have reached a wider audience, but I truly hope this will not hold anyone back from reading it. But the title is accurate: he is discussing far more than "security" in this book, rather the whole notion of who we think we are and the values we stand for.
What makes this book unique, to my knowledge, is that it reveals the issues gradually as a societal and economic issue -- in the sense of what is sometimes called "bounded rationality" (accounting with multiple currencies, including emotional values). The Russian proverb goes: "Trust, but verify ..." -- alas, verifying is expensive, so trusting someone is an economic strategy.
Consider the following example: at a meeting I had with a user of the CFEngine software recently, this was pointed out beautifully. "We make our changes in CFEngine, and we have learnt to trust that everything will just work. Then we wait and see what went wrong in the few cases -- there are always a few cases where it doesn't quite work for some reason." These users were happy to be "lazy" and forego verification of the technology. Was this laudable cost saving, or an irresponsible lack of diligence?
Forces for normalization
Ultimately Liars and Outliers is about norms, not security per se, which is right. Security means nothing outside of the context of a plethora of subjectivities that either reach some equilibrium in society, or conflict.
Schneier writes about the fine line between underestimating and overestimating the need for security, relative to perceived risks. Rationalizing expenditure on security at some point becomes irrational in someone else's view. He comments on why we need security in the first place, and why not trusting others leads to expense -- sometimes more than can be rationally defended. Indeed, some institutional pressures brought to bear against possible threats to societal norms, e.g. the Patriot Act in the USA and similar laws in other countries, disturb the balance of these games -- they might tighten the noose on terrorism, but they loosen our grip on civil liberties and activities that are much more commonly valued than rare acts of terror.
In my own experience, critics will try to attack this kind of reasoning somehow -- why? Well, read this book and you might begin to understand what their motivations might be. The economics of how we balance selfish interest with perceived altruism are subtle, as pointed out a long time back by Richard Dawkins.
Rethinking the meaning of security
I recall being in the audience for a talk Schneier gave at LISA 2008 (Reconceptualizing security), and asking him a question about the role of the Dunbar numbers in security. I don't know if that played any role in the thinking that led to this masterpiece, but the time was ripe, and I can see that our thinking has proceeded along exactly parallel lines since then. His grasp of theory and the depth of the examples he presents make this book a treatise on the generality of the subject, while bringing it right down to Earth for a wide audience. I don't think the subject could have been handled better. He has striven for a balanced view.
No one has done as much as Schneier to educate the world on the subject of computer security, and, as IT spreads into every area of our lives, now he has gone a step further and taken on the rest. Read this book, whether you think you understand the issues or not. It contains deep insights and thoughts to challenge the most reticent of free-riders. You might be surprised at what you can still learn.