- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
About this book
A collection of popular essays from security guru Bruce Schneier
In his latest collection of essays, security expert Bruce Schneier tackles a range of cybersecurity, privacy, and real-world security issues ripped from the headlines. Essays cover the ever-expanding role of technology in national security, war, transportation, the Internet of Things, elections, and more. Throughout, he challenges the status quo with a call for leaders, voters, and consumers to make better security and privacy decisions and investments.
Bruce's writing has previously appeared in some of the world's best-known and most-respected publications, including The Atlantic, the Wall Street Journal, CNN, the New York Times, the Washington Post, Wired, and many others. And now you can enjoy his essays in one place—at your own speed and convenience.
- Timely security and privacy topics
- The impact of security and privacy on our world
- Perfect for fans of Bruce's blog and newsletter
- Lower price than his previous essay collections
The essays are written for anyone who cares about the future and implications of security and privacy for society.
Frequently asked questions
Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription.
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
Perlego offers two plans: Essential and Complete
- Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
- Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes! You can use the Perlego app on both iOS or Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Yes, you can access We Have Root by Bruce Schneier in PDF and/or ePUB format, as well as other popular books in Ciencia de la computación & Ciberseguridad. We have over one million books available in our catalogue for you to explore.
Information
1
Crime, Terrorism, Spying, and War
Cyberconflicts and National Security
Originally published in UN Chronicle, July 18, 2013
Whenever national cybersecurity policy is discussed, the same stories come up again and again. Whether the examples are called acts of cyberwar, cyberespionage, hacktivism, or cyberterrorism, they all affect national interest, and there is a corresponding call for some sort of national cyberdefense.
Unfortunately, it is very difficult to identify attackers and their motivations in cyberspace. As a result, nations are classifying all serious cyberattacks as cyberwar. This perturbs national policy and fuels a cyberwar arms race, resulting in more instability and less security for everyone. We need to dampen our cyberwar rhetoric, even as we adopt stronger law enforcement policies towards cybersecurity, and work to demilitarize cyberspace.
Let us consider three specific cases:
In Estonia, in 2007, during a period of political tensions between the Russian Federation and Estonia, there were a series of denial-of-service cyberattacks against many Estonian websites, including those run by the Estonian Parliament, government ministries, banks, newspapers and television stations. Though Russia was blamed for these attacks based on circumstantial evidence, the Russian Government never admitted its involvement. An ethnic Russian living in Tallinn, who was upset by Estonia’s actions and who had been acting alone, was convicted in an Estonian court for his part in these attacks.
In Dharamsala, India, in 2009, security researchers uncovered a sophisticated surveillance system in the Dalai Lama’s computer network. Called GhostNet, further research found the same network had infiltrated political, economic and media targets in 103 countries. China was the presumed origin of this surveillance network, although the evidence was circumstantial. It was also unclear whether this network was run by an organization of the Chinese Government, or by Chinese nationals for either profit or nationalist reasons.
In Iran, in 2010, the Stuxnet computer worm severely damaged, and possibly destroyed, centrifuge machines in the Natanz uranium enrichment facility, in an effort to set back the Iranian nuclear program. Subsequent analysis of the worm indicated that it was a well-designed and well-executed cyberweapon, requiring an engineering effort that implied a nation-state sponsor. Further investigative reporting pointed to the United States and Israel as designers and deployers of the worm, although neither country has officially taken credit for it.
Ordinarily, you could determine who the attacker was by the weaponry. When you saw a tank driving down your street, you knew the military was involved because only the military could afford tanks. Cyberspace is different. In cyberspace, technology is broadly spreading its capability, and everyone is using the same weaponry: hackers, criminals, politically motivated hacktivists, national spies, militaries, even the potential cyberterrorist. They are all exploiting the same vulnerabilities, using the same sort of hacking tools, engaging in the same attack tactics, and leaving the same traces behind. They all eavesdrop or steal data. They all engage in denial-of-service attacks. They all probe cyberdefenses and do their best to cover their tracks.
Despite this, knowing the attacker is vitally important. As members of society, we have several different types of organizations that can defend us from an attack. We can call the police or the military. We can call on our national anti-terrorist agency and our corporate lawyers. Or we can defend ourselves with a variety of commercial products and services. Depending on the situation, all of these are reasonable choices.
The legal regime in which any defense operates depends on two things: who is attacking you and why. Unfortunately, when you are being attacked in cyberspace, the two things you often do not know are who is attacking you and why. It is not that everything can be defined as cyberwar; it is that we are increasingly seeing warlike tactics used in broader cyberconflicts. This makes defense and national cyberdefense policy difficult.
The obvious tendency is to assume the worst. If every attack is potentially an act of war perpetrated by a foreign military, then the logical assumption is that the military needs to be in charge of all cyberdefense, and military problems beg for military solutions. This is the rhetoric we hear from many of the world’s leaders: the problem is cyberwar and we are all fighting one right now. This is just not true; there is no war in cyberspace. There is an enormous amount of criminal activity, some of it organized and much of it international. There is politically motivated hacking—hacktivism—against countries, companies, organizations and individuals. There is espionage, sometimes by lone actors and sometimes by national espionage organizations. There are also offensive actions by national organizations, ranging from probing each other’s cyberdefenses to actual damage-causing cyberweapons like Stuxnet.
The word “war” really has two definitions: the literal definition of war which evokes guns and tanks and advancing armies, and the rhetorical definition of war as in war on crime, war on poverty, war on drugs, and war on terror. The term “cyberwar” has aspects of both literal and rhetorical war, making it a very loaded term to use when discussing cybersecurity and cyberattacks.
Words matter. To the police, we are citizens to protect. To the military, we are a population to be managed. Framing cybersecurity in terms of war reinforces the notion that we are helpless in the face of the threat, and we need a government—indeed, a military—to protect us.
The framing of the issue as a war affects policy debates around the world. From the notion of government control over the Internet, to wholesale surveillance and eavesdropping facilitation, to an Internet kill switch, to calls to eliminate anonymity—many measures proposed by different countries might make sense in wartime but not in peacetime. (Except that like the war on drugs or terror, there is no winning condition, which means placing a population in a permanent state of emergency). We are seeing a power grab in cyberspace by the world’s militaries. We are in the early years of a cyberwar arms race.
Arms races stem from ignorance and fear: ignorance of the other side’s capabilities and fear that its capabilities are greater than one’s own. Once cyberweapons exist, there will be an impetus to use them. Stuxnet damaged networks other than its intended targets. Any military-inserted back doors in Internet systems will make us more vulnerable to criminals and hackers.
The cyberwar arms race is destabilizing. It is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, an enthusiastic hacker who thinks he is working in his country’s best interest, or by accident. If the target nation retaliates, we could find ourselves in a real cyberwar.
I am not proposing that cyberwar is complete fiction. War expands to fill all available theatres, and any future war will have a cyberspace component. It makes sense for countries to establish cyberspace commands within their militaries, and to prepare for cyberwar. Similarly, cyberespionage is not going away anytime soon. Espionage is as old as civilization, and there is simply too much good information in cyberspace for countries not to avail themselves of hacking tools to get at it.
We need to dampen the war rhetoric and increase international cybersecurity cooperation. We need to continue talking about cyberwar treaties. We need to establish rules of engagement in cyberspace, including ways to identify where attacks are coming from and clear definitions of what does or does not constitute an offensive action. We need to understand the role of cybermercenaries, and the role of non-state actors. Cyberterrorism is still a media and political myth, but there will come a time when it will not be. Lastly, we need to build resilience into our infrastructure. Many cyberattacks, regardless of origin, exploit fragilities in the Internet. The more we can reduce those, the safer we will be.
Cyberspace threats are real, but militarizing cyberspace will do more harm than good. The value of a free and open Internet is too important to sacrifice to our fears.
Counterterrorism Mission Creep
Originally published in TheAtlantic.com, July 16, 2013
One of the assurances I keep hearing about the US government’s spying on American citizens is that it’s only used in cases of terrorism. Terrorism is, of course, an extraordinary crime, and its horrific nature is supposed to justify permitting all sorts of excesses to prevent it. But there’s a problem with this line of reasoning: mission creep. The definitions of “terrorism” and “weapon of mass destruction” are broadening, and these extraordinary powers are being used, and will continue to be used, for crimes other than terrorism.
Back in 2002, the Patriot Act greatly broadened the definition of terrorism to include all sorts of “normal” violent acts as well as non-violent protests. The term “terrorist” is surprisingly broad; since the terrorist attacks of 9/11, it has been applied to people you wouldn’t normally consider terrorists.
The most egregious example of this are the three anti-nuclear pacifists, including an 82-year-old nun, who cut through a chain-link fence at the Oak Ridge nuclear-weapons-production facility in 2012. While they were originally arrested on a misdemeanor trespassing charge, the government kept increasing their charges as the facility’s security lapses became more embarrassing. Now the protestors have been convicted of violent crimes of terrorism—and remain in jail.
Meanwhile, a Tennessee government official claimed that complaining about water quality could be considered an act of terrorism. To the government’s credit, he was subsequently demoted for those remarks.
The notion of making a terrorist threat is older than the current spate of anti-terrorism craziness. It basically means threatening people in order to terrorize them, and can include things like pointing a fake gun at someone, threatening to set off a bomb, and so on. A Texas high-school student recently spent five months in jail for writing the following on Facebook: “I think I’ma shoot up a kindergarten. And watch the blood of the innocent rain down. And eat the beating heart of one of them.” Last year, two Irish tourists were denied entry at the Los Angeles Airport because of some misunderstood tweets.
Another term that’s expanded in meaning is “weapon of mass destruction.” The law is surprisingly broad, and includes anything that explodes, leading political scientist and terrorism-fear skeptic John Mueller to comment:
As I understand it, not only is a grenade a weapon of mass destruction, but so is a maliciously-designed child’s rocket even if it doesn’t have a warhead. On the other hand, although a missile-propelled firecracker would be considered a weapon of mass destruction if its designers had wanted to think of it as a weapon, it would not be so considered if it had previously been designed for use as a weapon and then redesigned for pyrotechnic use or if it was surplus and had been sold, loaned, or given to you (under certain circumstances) by the secretary of the army…
All artillery, and virtually every muzzle-loading military long arm for that matter, legally qualifies as a WMD. It does make the bombardment of Ft. Sumter all the more sinister. To say nothing of the revelation that The Star Spangled Banner is in fact an account of a WMD attack on American shores.
After the Boston Marathon bombings, one commentator described our use of the term this way: “What the United States means by terrorist violence is, i...
Table of contents
- Cover
- Title Page
- Copyright
- About the Author
- Introduction
- Chapter 1. Crime, Terrorism, Spying, and War
- Chapter 2. Travel and Security
- Chapter 3. Internet of Things
- Chapter 4. Security and Technology
- Chapter 5. Elections and Voting
- Chapter 6. Privacy and Surveillance
- Chapter 7. Business and Economics of Security
- Chapter 8. Human Aspects of Security
- Chapter 9. Leaking, Hacking, Doxing, and Whistleblowing
- Chapter 10. Security, Policy, Liberty, and Law
- References
- End User License Agreement