Internationally renowned security technologist Bruce Schneier discusses Joe Lieberman’s proposal for an internet ‘kill switch,’ why shutting down the internet during a crisis would cause more harm than good and how controversial websites like WikiLeaks use data redundancy spread out in different countries to prevent being shut down.
Podcast: Play in new window | Download
All right, y'all, welcome back to the show, Santi War Radio, I'm your host, Scott Wharton, and our next guest on the show today is Bruce Schneier.
His website is schneier.com, S-C-H-N-E-I-E-R.com, and he is a world-renowned computer security expert.
He's written for every publication on Earth, I think, and especially for Wired.com.
Welcome to the show, Bruce.
How are you doing?
I'm doing great.
All right.
Now, good.
Let me ask you this.
Well, let me ask you a bunch of things.
Let me figure out which is the best first question.
Joe Lieberman says that he wants the president to have the power to be able to shut off parts of the Internet in case of war, and he says that, well, the Chinese Politburo has this authority.
Why can't we?
What do you think of that?
You know, it's kind of an odd justification, right?
The Chinese do it, too.
The Chinese do a whole lot of things that we wouldn't dream of doing and shouldn't do, and we'd be embarrassed if we did, so let's sort of leave that aside.
This is not a new idea, the idea that the Internet should have a kill switch, that there might be some circumstances where we'd want to shut it down.
I think we first heard this a couple of years ago, maybe last year, it was Senator Rockefeller talked about it.
This year, it's Lieberman.
It was a crazy idea then, it's a crazy idea now, I hope it dies a quiet death, and we never hear of it again.
Well, what's so crazy about it?
Other than, I mean, if you have your own website, you don't want anybody messing with it.
That makes sense, but in the larger sense, I don't know, we're at war with major powers.
Is it crazy to want to turn off the Internet?
Well, only if you want to do damage to yourself, right?
We're at war with people.
Shouldn't we, you know, shut down our government?
Shouldn't we?
I mean, the Internet is used for a whole lot of critical things.
You shut down the net, and there's a lot of damage to us.
We can't communicate with people, maybe, I don't know, does the airline reservation system work anymore?
How much of banking is shut down?
How much of commerce is shut down?
The damage, I mean, shutting down the Internet is something that we actually spend a lot of time defending against, right?
This is what the bad guys want to do, right?
Shut down the Internet.
Make it so we can't do our stuff.
This is what sometimes is called cyber-terrorism.
This is what we're afraid of in a war that the Chinese would do to us.
Well, I think, isn't that Lieberman's point, though, is that if we shut it down, then we can prevent them from waging these attacks.
This would be a defense from those kind of attacks.
All right, so if I throw away all my valuable stuff, I'm protected against being robbed.
Right.
I mean, yeah, but that doesn't make a whole lot of sense.
The Internet is so valuable and also so international that doing that, shutting it down, would do so much damage to us.
Now, there are lots of other issues.
One, could you do it safely?
I mean, let's say there was this big switch.
Let's say we called all the phone companies and backbone providers and say, hey, you know, shut it down.
You know, just flick power switches.
Shut it all down.
What happens?
Can we turn it on again?
Do we know?
Does anybody know?
I don't think so.
But what are the effects of doing something like this?
Well, now, let me stop you right there, because before we even get to can we turn it back on again, I wonder if they can even turn it off, because, you know, I learned years and years ago that there were, you know, many years ago that there were a few major backbone routers that were really without them, there's no Internet.
So you got WorldCom headquarters and AT&T headquarters and a few other places where you have these backbone routers that, you know, control major proportions of the Internet and that if you were to seize those and turn those off, that the Internet would basically be shut off.
But then I think that I've learned since then that, man, forget it.
The Internet has increased in size and complexity by a million times since then, and there are enough regular servers and dorm rooms to take the place of those routers that no one ever could shut off the Internet with all the SWAT teams in the world.
So please help me out to even understand, you know, the technical ability of something like this to even work.
We don't know.
The short answer is we don't know.
Most of the world's Internet traffic goes through the U.S.
There isn't a switch, right?
You can't call up these companies and say, hey, that Internet switch, turn it off.
The best you could do right now is, say, pull power to your data center.
So it would be an extremely, you know, ham-handed, heavy fist.
In any normal circumstance, we would call this a disaster, right?
And these companies have spent millions and millions of dollars to prevent this kind of thing from happening because it's so bad.
I don't know.
I believe if the president called the CEO, I'm making this up, of AT&T and said, shut the net down, they'd figure out some way.
Would it be easy?
What would it look like?
You're right.
There's a whole lot of redundancy.
And it's probable that it wouldn't work completely.
It would definitely clog the net because a lot of the worldwide capacity would disappear.
The answer is we don't know.
And it would be really scary if the law required some capability be built into the net to shut it down.
Because once you do that, now we suddenly invite the bad guys to hack into the shut-off system.
And that would be a disaster.
The thing you have to remember is Internet's a force of good.
Internet is positive.
Shutting it off does damage to us.
It's like doing the terrorist's job for them.
It's like doing the enemy military's job for them.
I can't imagine wanting to do this.
Well, I've got to tell you, and this is the same thing that occurred to me, was it makes perfect sense why Joe Lieberman would want to be rid of antiwar.com, maybe even of wired.com.
But what about wellsfargo.com?
They can't shut down.
I mean, they'd be completely ruining all of corporate America, the government's ability to communicate with itself, all the bankers, all the people that Joe Lieberman is there to serve.
And the people are a big deal.
Think of 9-11.
After the terrorist attacks, you know, one of the towers fell on a major New York phone switch.
There was a lot of trouble getting, communicating.
And people used the Internet to communicate with their loved ones, to find out they were safe.
If the president shut down, and I'm making this up even more, shut down the Internet in New York City, right, we're scared of terrorists, shut them down in New York City.
That would actually increase the terror.
That would make people more scared.
That would be magnifying the effects of the attacks.
Communication is what works, is what keeps us safe.
Well, and it's also a matter, isn't it, of just sort of the form of the Internet as a decentralized thing.
That's why it works so well, right?
It seems like if there was, say, I don't know, the Russians and the Chinese and the Europeans all decided they were going to do a sneak cyber attack on the United States, it seems like the best defense is not having any sort of centralization over it.
In fact, to take your analogy, do you want to get rid of your government in case there's a war?
I do, because at least if there's a chance that my government might lose, that way there's no government for the new opposing force to come and take over.
Yeah, you know, but a scorched earth strategy is pretty desperate.
I mean, this isn't the sort of thing that we really worry about day to day.
I mean, I don't think we need to design the Internet just in case there's a foreign invasion and we need to burn our crops before we retreat.
That just doesn't feel like the kind of world we're living in.
Yeah.
Well, but I mean, what I mean is like, you know, I know a guy who does computer security stuff and it seems like there must be, you know, like you and him, there's got to be, I don't know, a hundred thousand of y'all in this society and each of y'all doing your own thing as best you can is really the defense against any kind of cyber attack.
He wouldn't want the cyber attack czar to be in charge of all response and securing all the networks from an attack.
He wouldn't be able to do it as well as a hundred thousand separate security experts all around the country.
Right.
Yeah, it's true.
I wish it was a hundred thousand, a lot less, but you're right that a decentralized security is a better defense, just like a decentralized Internet is more survivable.
I mean, so there are two questions here.
One is, can it be done?
And we don't know.
And then if it could be done, should it be done?
And the answer to that, I think is hell no.
So now as far as those backbones, those few router switches that, you know, take so much of the burden of Internet traffic, is that really still the case as it was years and years ago?
Or are there so many of these routers now that there are more routers than SWAT teams available to grab them?
There are lots of routers and lots of redundancy, but there are dominant paths.
You know, there are paths because they're so big and so easy that a majority of traffic goes through.
And what we find is, and occasionally parts of the Internet get collapsed.
A few years ago, three undersea cables to Egypt were cut accidentally.
It's a weird coincidence, I think.
And you know, the net slowed down in random places.
It was kind of surprising, but things mostly worked.
You'll see satellites.
All right, we'll have to hold it right there, Bruce, and come back after this break.
Everybody, it's Bruce Schneier from WIRED, and we'll be right back.
Antiwar Radio.
You're listening to the best Liberty-oriented audio streamed around the clock, on the air and online.
This is the Liberty Radio Network at LRN.
FM.
All right, y'all, welcome back to the show, it's Antiwar Radio.
I'm Scott Wharton.
I'm talking with Bruce Schneier.
His website is schneier.net.
Is it net or com?
I forget.
Let me see here.
I got it right here.
It is com.
S-C-H-N-E-I-E-R.
Schneier.com.
And, Bruce, I noticed during the break there that you haven't written for WIRED since December, so I was wondering if you could help me out with your bio here, and tell people where they can read all your latest stuff.
Yeah, honestly, the place to read it is on my website.
I write op-eds for CNN, for Forbes, for anybody who'll publish them.
I write op-eds for CNN, for Forbes, for anybody who'll publish them.
I write op-eds for CNN, for Forbes, for anybody who'll publish them.
Okay, so now here's a question for you.
I read this thing in boingboing.com or .net or something, and it said that all this stuff about cyber attack is mostly a bunch of public relations for a bunch of military industrial complex firms that want the contract to protect the government from attack and whatever, but that basically the whole thing is way overstated.
Well, I mean, there is truth to that, and there's falsehood to that.
What is overstated is the threat of cyber war, and we're seeing a lot of jockeying in government right now on sort of who's in charge of the internet, who gets to control internet security, and the NSA is winning effectively.
And they're doing that by pushing this meme of cyber war and the threat of cyber war, and that's really what Lieberman's bill is about, right?
In the event of war, we need to give the president the ability to shut down the internet.
And that's grossly overstated.
I mean, we hear about cyber 9-11, cyber Katrina, cyber Pearl Harbor, cyber Armageddon, and I'm not making this stuff up.
This is stuff we're hearing from people in the government, from senators, and all of these really scary cyber things.
Yeah, Bruce Willis, too, said we better look out.
I'm sure you saw that movie, right?
Yeah, so the threat that's real is crime.
I mean, the internet is a dangerous place, and the real threat is crime.
It's lone criminals.
It's organized crime.
It's identity theft.
It's fraud.
There's extortion.
I mean, there's a lot of money on the internet, and criminals have discovered it.
So the internet's a risky place.
And we all know, you know, to be smart with our passwords, to, you know, check our credit card statements to make sure there aren't any false things, to, you know, what might happen if someone gets a credit card in our name, be careful about bank accounts, you know, all these phishing attacks.
These are all real, and these are all actual threats.
So they're not war threats.
They're not threats of someone shutting down the net or blowing something up.
Richard Clarke, former cybersecurity advisor for Clinton and then for Bush, wrote a book called Cyberwar, where he has these scare stories of the enemy setting your home printer on fire.
That's all nonsense.
But crime is real, and crime is big money out there.
Yeah, well, and that's why that less than 100,000 of you computer security experts make a real good living securing those computers.
And I know a guy I knew worked for a major corporation in this country that everybody's heard of.
And his lesson to me was there is no security, really.
All there is is the very best you can do until something new comes up.
But that's true for everything.
That's not just computers.
That's true for your home.
That's true for your family.
That's true for your country.
I mean, there's no absolute security in life.
Anyone who thinks there is is living in a dream.
All there is is the best you can do, the realistic assessment of the risks that are out there.
And then, you know, you live with your life.
You're probably going to drive home from the studio today.
That's the most dangerous thing you'll do this month.
And you do without a second thought.
Right.
Well, I'm a very good driver.
Even so, 40,000 people die each year in the United States in car crashes.
Good drivers, too.
Indeed.
Well, so let me ask you this.
In the event that, I don't know, Joe Lieberman got his way and the government did try to crack down on the Internet, are there any projects that you know of, of people trying to sort of create a separate Internet infrastructure that would be beyond the reach of the Joe Liebermans and the General Petraeuses of the world?
You know, the only thing we can do is to make stuff as international as possible.
So a great example might be WikiLeaks.
I mean, there's a website that the U.S. government doesn't like.
And it survives by being everywhere.
So it's in many countries.
It's replicated so that no one country can shut it down.
So every piece of the Internet exists in somebody's country, right?
Somebody can, you know, rip the wires out of the wall, you know, take a fledgehammer to the equipment, right?
You know, if you try hard enough, you can make it go away.
But while you can do that geographically, you can't do it globally if it's replicated.
And that's true for information, for websites.
That's true for connectivity.
That's true for applications.
That's true for everything.
Our best defense against, you know, maybe the United States if we're that stupid or the, you know, the Chinese if they're that stupid or anybody else who might be that stupid is to replicate things.
Redundancy of communications, of data, of capabilities.
Right.
Well, and, you know, I'm reminded of the big blackout in the Northeast a few years back.
And I saw this guy on TV say, well, you know, the Internet or no, actually said, well, the electric grid is a lot like the Internet.
And then I just thought that that was self evidently false since when the electric grid had a problem, the whole Northeast went black.
And yet the Internet was fine.
The Internet just went around the black.
Right.
And so but you sort of say the power went around that area also.
I think what he's trying to say, and it's kind of a sloppy analogy, is that pieces of the infrastructure can go down, but the whole works fine.
The Internet is actually not like the power grid.
There are some big differences in cascading effects.
So, you know, when you see the equivalent of a blackout on the Internet, it's not geographically based, but it's equipment based.
So it might be a new worm that affects a certain version of Windows.
And then computers that use that version will be affected and some of them will disappear.
So you'll see an epidemic like result, whereas, you know, many millions of computers are affected, but they're not geographically uniform.
They're they're equipment uniform, their software uniform.
So there's a difference there.
Mm hmm.
And now I'm glad you brought up WikiLeaks.
I guess I'd like to kind of wrap up with with your opinion.
It seems like as into computer security as you are, you must really be into free speech as well, huh?
Yeah, I'm a big fan of WikiLeaks.
I think they provide a very valuable service.
We just don't see in the mainstream media.
I think they're in a very dangerous time.
You know, a lot of countries don't like them and they need to find legal safe harbors.
But I think it'd be very, very hard to dismantle it because of the the way they've built redundancies into what they do.
Yeah, well, very good, too.
And it's it is interesting.
The government of Iceland, Iceland apparently just passed a law providing even more protection for sites like WikiLeaks.
Yeah, I just happened to be in Iceland last week, really by coincidence.
And they're a neat country.
I'm proud of them.
Yeah, I mean, that was a really big blow on the side of freedom and resistance to the empire.
I thought that they were willing to go that far.
I mean, this is a country that is an ally of the United States, after all.
Well, but, you know, being an ally often means doing the right thing.
And I and information is valuable and keeping it in the hands of the people is is what what makes our country great.
And, you know, if temporarily we're not seeing that, that's someone else that has to pick up the ball and carry it.
Right.
Well, right on.
And thank goodness for them for doing it.
And thank you for your expertise and your insight on the show today.
I really do appreciate a lot, Bruce.
Hey, thank you.
All right.
But that's Bruce Schneier.
His website is Schneier dot com, S-C-H-N-E-I-E-R dot com.
And as he mentioned there, you can read him in just about every published source in the Western world anyway.
Just Google his name, Bruce Schneier.
And we'll be right back with the heroic Andy Worthington right after this.
