Security maven Schneier wants to teach you something

MINNEAPOLIS — It must say something about our times that Bruce Schneier, a geeky computer-encryption expert turned all-purpose security guru, occasionally gets recognized in public.

"My life is just plain surreal," he says.

Schneier, 43, has made it so by popping up whenever technology and regular life intersect, weighing in on everything from the uselessness of post-Sept. 11 airport-security measures to the perils of electronic voting machines and new passports with radio chips.

He does it by writing books, essays, a blog and an e-mail newsletter with 125,000 subscribers. It helps that he has never met a reporter whose phone calls he will not return. "I'm a media slut," he admits.

That might make it tempting to dismiss Schneier as being in the business of promoting Schneier. Of course, there's some of that — he has a program "ego-scan" his book-sales ranking on Amazon.com every hour.

But that doesn't detract from the respect he engenders.

A former Pentagon and Bell Labs technologist who invented important methods of cryptography and wrote a textbook on the subject (meriting him a mention in "The Da Vinci Code"), Schneier has testified before Congress.

"Bruce Schneier is a master of explaining security, and a master of telling us why security and freedom are the same thing, why security can't ever be had at freedom's expense," says Cory Doctorow, an author and fellow at the Electronic Frontier Foundation.

Schneier sees himself as a teacher dispensing clear-headed lessons in an era poisoned by irrational fears of terrorism.

His favorite topic these days is the intersection of security, economics and psychology.

For example, Schneier blasts almost all airport-screening measures as meaningless "security theater" that makes people incorrectly believe they are safer. After all, who says the next terrorist attack will involve the methods used last time? Who says it even has to involve airplanes?

"The game of having all these tactics is one we can't win, because terrorists get to see it in advance," he says. "By definition you're going to pick a plot we're not going to catch. It's a game we can't win. Let's stop playing it."

Instead, Schneier says the game ought to be about stopping bad people — mainly through better intelligence and police work. That money would be much better spent, he says, than making sure security screeners confiscate corkscrews or any other particular item from passengers.

"Airport security only works against the sloppy and the stupid," he contends.

Security recipe

Taken to its logical end, Schneier's alternative-security recipe of better policing could seem to be a call for stronger surveillance or data mining. But Schneier — a member of the American Civil Liberties Union — says he opposes many such tactics not so much on privacy grounds but because they're bad security.

How so? Because snooping through vast storehouses of personal records in search of clues to terrorist activity invariably turns up too many wrong leads to be cost-effective, he argues. These methods can sniff out the predictable crime of credit-card fraud, for example, but terrorism is much rarer, he notes.

To some ears, Schneier's analyses are too simplistic.

"I regard his views, frankly, as dangerous," says Clark Kent Ervin, a former Department of Homeland Security inspector general who argues that incompetence at the agency has left gaping security holes.

He says Schneier erroneously claims "the threat is exaggerated and we're overreacting."

"Some people [including policymakers] take this view seriously and, therefore, are deluded into thinking that we're safer than we are," says Ervin, director of the homeland security program at the Aspen Institute. "His writings can be used as an excuse by DHS and its supporters for DHS' not having done more."

Challenging ideas

Although his career began at the Department of Defense — he won't say what he did there — Schneier is used to challenging prevailing ideas in government. In the 1990s, he objected to Clinton administration attempts to stifle the spread of encryption, the science of obscuring data to keep it secret. Schneier stressed then that computer cryptography was of huge economic value because of the security it gave companies and people against intruders.

But Schneier soon saw that those claims were overstated.

While encryption has its place — it is what secures Web-based banking and shopping — Schneier realized that too often it was deployed in silly ways. For example, some companies let employees unlock encrypted files with simple passwords, which often ended up being easy to steal or guess.

In other words, all the technical sophistication in the world can lock data from prying eyes, but if people leave the keys in the open, not much security results.

Since then, Schneier has been on his mission to explain that security is a complex system unlikely to be saved by technology alone.

Nonstop commentary

Some commentary seems to emanate from him almost daily, on top of his duties as chief technical officer for Counterpane Internet Security, a network monitoring company he co-founded. He and his wife, Karen Cooper, also contribute restaurant reviews to the Minneapolis Star-Tribune.

Schneier has repeatedly said "we are one attack away from a police state," and says such a civil-liberties crackdown would be even more likely under a Democratic administration. That is from the same school of thought that only an ardent anticommunist like Richard Nixon could get away with engaging with Red China in the 1970s.

But beneath Schneier's someday-I'll-say-I-told-you-so realism is a streak of optimism. He fully expects to change people's minds about the need for cost-effectiveness rather than showmanship in security.

"Eventually we will all come to our senses about security," he says. "I think it's 10 to 20 years. A generation."