Bruce Schneier: 'We live in a feudal security world'

We live today in a "feudal security world", says internationally renowned security technologist Bruce Schneier.

We pledge our allegiance to the service providers -- the likes of Google, Facebook -- and expect them to provide us with security in return -- akin to serfs and peasants paying tribute to their lords in the form of personal data, says Schneier, the author of Liars and Outliers: Enabling the Trust Society Needs to Survive, and chief security technology officer at BT.

"What I am seeing is a shift in power on the internet, that we generally have less control over our IT infrastructure, our products, our user devices, our services. We basically have to trust our vendors," he says. "We just don't have the ability to control security or configuration the way we did when we owned and controlled the platforms.

 "This is very much a feudal model," he says, where users are "pledging their allegiance" to companies like Google with their data.

 "They have our calendar, our address book. They have our photos. In return, we are expecting them to protect us." "In some ways, it is a dangerous model because Google really doesn't have a lot of interest in protecting us."

CIO New Zealand interviews Bruce Schneier on the feudal security model and its implications for privacy and security:

In his presentation last week at the RSA Conference in San Francisco, Schneier points out how historically, "disruptive technologies" like the plough, gunpowder, printing press and radio, have upset the power balance, and the internet is no exception.

"Entire industries disappeared," he says, "Remember travel agents, or video rental stores or bookstores?

"Different companies are gaining and losing power," he says. Before, people were worried about Microsoft as the "big company", now their attention is on Amazon, Facebook and Apple.

Traditional models are now breaking because of the rise of devices like the iPhone and Kindle where the vendor controls the device more than you do, he says. At the same time, users of cloud services like Gmail or Flickr do not control the security in these services.

 "You get what they provide, that is the new model of security. Someone else is taking care of it," says Schneier.

The tradeoff? "We give up some control and in return we get this very useful service. We have to trust our vendors will protect us, our data will be safe, that governments will not illegally spy on us. This is our only option," he says. "This model is starting to permeate security today," he says. An advantage is vendors are doing a better job at security, but a disadvantage is you can't audit their security. "Once you pledge allegiance, it will be hard to undo that -- often you can't pull data out of these sites," he says.

Power wielders

"Power is power," he says. "Unless we take Draconian measures, our data is no longer under our control." The powerful are trying to steer and succeeding using power to change the rules of the game, he says, from media companies shoring up their copyright claims, or Netflix lobbying to make it easier to use and share data on what movies you like.

"I think this is going to happen more and more as companies get more control of data," he says. With cloud computing where cost of data storage is dropping except for lifecycle maintenance costs, cloud service providers can put computers wherever it is on the planet that is cheapest to maintain them. "We see data disassociated from the devices [from where] we access the data," he says. Debates on the future of the internet are around moral and political issues. "How do you balance privacy with law enforcement needs?"

He poses further questions: "Do we have the right to see data about ourselves, correct it, delete it? Do we really want to live in a world that never forgets?

"We live in a world where there is no more forgetting," he says, "we don't know whether it is a good idea or not". The worry is that the powerful are winning the debates, he says.

Sometimes, he says, "we can block actions of the powerful," citing the decision to remove the body scanners producing near-naked images at airports, which users found intrusive.

But these, he says, are the exception. Schneier sees bigger power struggles on the horizon. Feudalism fell out of favour with the rise of nation states, he says. "We need something similar to the internet, we want someone to enforce obligations on these companies instead of just giving them rights." He warns that this is going to be a "long and bloody battle".

"No one gives up power easily."

Feedback to @divinap and
