
Is the Future Secure?


Bruce Schneier

This week on The Futurists we get into the future of cybercrime and personal security in the smart world with renowned “security guru” Bruce Schneier, the author of over a dozen books (his latest bestseller being “A Hacker’s Mind”), Lecturer on Public Policy at Harvard Kennedy School, Congressional advisor and media personality. Will AI and quantum kill passwords? How secure will your DNA records be? The answers might surprise you. https://www.schneier.com/blog/about/


this week on the futurists Bruce Schneier and 5G is not about you watching
Netflix faster 5G is about things talking to other things behind your
[Music] back welcome back to another episode of
the futurists I'm Rob Tercek and this is my co-host Brett King King yeah I'm here
good to see you again Brett and welcome back everyone for yet another week of the futurists where we talk to the
people who are designing building inventing planning and protecting the
future and this week on that last note we've got a great guest Bruce Schneier
Bruce Schneier is a man of many hats wearing an excellent hat today um Bruce
is a is well known as a cyber security expert and that's how I got acquainted with him many years ago um he's written
a number of excellent books on the subject and on related topics but he also is an entrepreneur and a professor
at Harvard University Bruce Welcome to our show it's great to see you again thanks for having me we're excited to
talk to you uh because this is a big topic you know while everybody's been preoccupied with um artificial
intelligence there have been a record number of hacking attacks it seems like a a kind of um ever increasing number of
attacks and we wanted to catch up with you because this seems like it's going to be a big theme going into the future
can you give us a sense of the lay of the land these days like what is uh what is the cyber security landscape out there
you know it's complex enough that I'm you know not GNA be able to answer that and in one one question so I guess
that's your answer right there's a a lot of attacks out there criminals nation states everything in between yet we're
all on the internet all the time and it's mostly pretty good so it is both good and bad like everything else in
society there's stuff happening but largely it doesn't affect us until
sometimes it does and then it's bad I'm not helping right but the landscape's complicated and there isn't a single
thing you can point to and say you know here it is because what are you talking about talking about cars or your
computer or the war in the Ukraine or anything else right those are all
different yeah that's true well actually that's a really good point though so you know when we think of cyber security we
tend to think about PCs um I think is a secondary afterthought maybe you do but I don't well you may not that's true but
then people think about their phones but not as much right we're careless with our phones we we tend to think of that as a phone I'm speaking about the
average person but what we stopped thinking about is all the other things that are connected to the internet and I
think since the last time you and I spoke that's what's changed because there are something on the order of 60 billion devices attached to the web that
aren't computers or phones and those are so-called in fact um phones overtook PCs
as the primary internet access device a few years ago yeah that happened years ago everything else all cars are
connected and you know your appliances and your thermostat anything you buy new
that's at all interesting comes with internet connection even your your coffee maker and the Drone you bought
and some of your toys and right so this is stuff from expensive cars to super
cheap and whenever whenever you buy a product that's called connected or smart
that's code word for vulnerable uh that's another way to think about it you know your smart devices in the home are
vulnerable you know about 10 years ago we were I think when we first met we were talking about how the Internet of
Things is just going to spread the attack surface has there been any success in making those Internet of
Things devices more uh hardened more protected uh less less vulnerable I mean
so the answer is yes but we tend not to do it because it costs money yeah if I
hand you two drones or two thermostats or two coffee makers and one cost $30
more and it says you know added security you gonna buy it probably not oh so you
think that consumers don't care consumers don't know enough to care I but
that's that's because they are not educated in cyber security just like if you walked into a pharmacy and they were
two of the same drugs and one was cheaper than the other you'd buy the cheaper one now you know that the FDA
ensures that both of those won't kill you but you know if one of them was more likely to kill you and didn't say so on
the label you're not going to know and that's not your fault you're not a pharmaceutical expert you expect the
government's going to keep you safe there and the same is true for cyber security the things that people buy are
the cheap stuff and the cheap stuff is less secure so there's really an economic model here especially when you
get to things right you know the phone phones we have two makers of phones and they're competing with each other on on
things like security so both Google and apple are doing their best they're doing a real good job car manufacturers
somewhere in the middle you know like they're doing an okay job but you know I mean Tesla has vulnerabilities left and
right and the other manufacturers do as well but when you get to cheap things
cheap is what people are paying for so you're not seeing a lot of of discernment on
security and not to be not unexpected Bruce um one of the things
that you know obviously we're seeing more sophisticated attacks from criminals these days the ransomware
attacks and so forth but um you moving away from IoT one of the functional
issues we have is that identity is really no longer secure in its current
form um you know that you know your social security number mother's maiden name date of birth this information is all
exposed now due to social media and so forth um and we've seen other markets
try and Tackle this China with their facial recognition Technologies as a
result if you look at just a simple area like payments China is now significantly
more secure than the United States when you're using a credit card online as an example um and so you know part of this
is an infrastructure issue as well as as an approach but again trying to get
these things you know particularly in in markets like the US you know having a national approach to digital identity
infrastructure you know is is a tough problem but as we move through the next
10 20 years with uh increasing attack vectors with artificial intelligence and
quantum computers and stuff like that it would seem that this becomes more of a core infrastructure issue than just like
you know device manufacturing approaches what are you identity is a tough problem
and right remote remote identity authentication is always
hard so in let's you know like like pre computers how do you identify someone
you see them and you recognize them it's a biometric and you recognize their face
telephone appears how do you recognize somebody you recognize their voice it's another biometric or maybe you recognize
that they know things about you right so there's a shared history that you and I have and we have
a conversation that history comes out and I know it's you because only you knew that or the way you talk I mean
there's a lot of of social cues we use to identify each other you move that
online and it becomes much more formal and much really less
robust username and password is what we normally use and lots of attacks against
those we get we get tricked into giving up our passwords all the time whether it's phishing or a fake website or
whatever it is or we choose lousy ones and the bad guys guess them we move to other things you know I used to identify
myself to my iPhone with my fingerprint uh now I do with my
face those are both pretty good and there are are ways to uh to subvert that
uh my bank now uses username and password then also a uh a pin that comes
to my phone so it is also using the fact that I can get to my phone as a way of
authenticating me we're really kind of just making this up and doing our best
yeah but these are all piecemeal right they like but honestly piecemeal piecemeal is what you get right it will it
will never not be piecemeal honestly you eating meals is piecemeal you have lunch you have dinner you have this you
have that it's just piecemeal yes life is piecemeal that's okay uh a
centralized authentication Authority sounds like a freaking disaster right it's a single point of
failure yeah juicy Target yeah it's a monster Target it's uh it's monolithic I
mean I don't think that's better open your wallet today right there's no well
it is it I mean it's functionally better from a payments perspective uh Chinese
mobile wallet perspective 10,000 times safer do there's no reason in the world
why uh your airline or your library or
whatever card you have in your your wallet doesn't use your driver's license as an ID mean why do you have an airline
frequent flyer card that's why do you have a library card why can't they just use your driver's license they don't not
because they never thought of it because it's not actually a good idea you want to control your own
credential whether you are a library membership organization or an airline or
a payment system you don't want to use the centralized authentication system because then you're locked into it you
have no flexibility this is what blockchain was all supposed to solve right yeah but blockchain's stupid I mean forget blockchain uh I we talking
we're talking like like real answers uh a Federated system right right consensus
based mechanism makes more sense because when I get a library card I probably
show them my driver's license I show them some utility bill to
to to verify my address I'm making this up I don't know I got a library card years ago I don't even remember how I did it but there are some breeder
breeder documents you will have to have to show but in the end the library
issues its own credential that it uses to authenticate you it doesn't use the breeder documents and that's the way
the world's going to be forever you're not going to have a singular ID and I'm not convinced that China is more secure
I'm not sure where that uh that factoid came from but I I well I can give you the numbers behind it if you're
interested but you know who is yeah I'm curious no well so Alipay um you know here's the stats right so Alipay
um during singles day which is their highest frequency trading um day at November 11th doing about 500,000
transactions per second and according to their annual report getting 0.00006 basis points of fraud or
identity theft whereas card not present card not present is 11.2 basis point so
that they're the numbers okay so self-reported data so we don't know if it's true but let's assume it's true how
much of that is the uh Chinese Criminal Justice System versus the inherent security of uh the uh the computer
system I don't know and and and it might be true but there's a lot of reasons why
it might be true I mean but I mean as a practitioner in that space I would say that the key problem you've got is not
is not just identity and the criminal justice system it's also the the
vulnerability of the 16-digit card number that we use instead of you know
having tokenized all of that and so forth you know we we can look at tokenized transactions on mobile wallets
and see they're significantly safer you know versus you know just typing in a card number as as an example the goal
isn't maximum safety so these are MasterCard these are for-profit businesses they are weighing additional
security with customer convenience understand that and they're and they're weighing
losses due to profits and if there was a security measure that you know the
looking at the costs and benefits was beneficial they would do it the reason is not more Security in Visa is because
they're making more money with less security because there's more usage because there's more you know it's more
ubiquitous for whatever reasons so when you get a system where the entity in
charge of security is also the entity that pays for security failures you get Optimal Solutions an optimal solution
isn't maximal security and and Visa shows that and that is very much a uh a
government uh government action caused that so it's 1975 Fair Credit Reporting Act which
made credit card companies liable for credit card fraud so instead of you me you were me being liable the credit
companies liable so they are going to do what is optimal for their profit and they have decided and I think they have
good analysis that that says this that more security is less profitable so they're not going to have
that way different than uh you know security of a power plant there's a blackout and we all suffer right because
there a lot of externalities there but credit cards you know the economics works so it's just a cost of doing
business for the for the credit card companies Bruce one of the things you me you you refer to is uh is U I think the
Fair Credit act the government intervention government regulation um talk to us a little bit about how government regulation plays a role in
Security in cyber security because I think it has unintended consequences as a general observation but in the case of
the digital markets act uh in Europe right now there's going to be some real consequences for security messaging
interoperability so basically the way I think of government intervention is that it sets the playing field on which the
market operates right so we want a market where buyers compete for seller
sorry where sellers compete for buyers and in that competition prices go down
Innovation comes up right that that is what we want at the same time we want there to be rules like we don't want
like Airlines competing on safety we want them all to be safe so we set standards right pajamas can't
catch on fire you're just not allowed to sell pajamas that catch on fire right baby food has to be nutrition
nutritional you can't sell crap and call it baby food uh Pharmaceuticals can't
poison you right right and similarly we could set rules that say you know the routers that you're selling to home
users have to have this level of security and and what it does is it
stops the the collective action problem and that no one wants to provide better
security because we said in the beginning that that you know the the buyers can't tell the difference and
they're not going to choose the more secure option it's like adding seat belts in a car right like seat belts like if we think we think pajamas
shouldn't catch on fire we just say make it a rule none of them can and that way nobody advertises like and this one
doesn't catch on fire right and charges $20 more and and nobody buys it so I
think there's a real important role for government and this gets lost in kind of libertarian nonsense government can't do
any good the goal of government is to solve Collective action problems and to
set the rules on which the market operates and it does that in many
Industries and there's more space for do it in cyberspace now we're seeing some movement uh President Biden's National
Cybersecurity plan unveiled last month talks about a lot of this talks about liabilities talks about
standards it doesn't have any real uh enforcement power in the moment I mean
you know Congress has to act and you know we know Congress doesn't actually do anything
so we're gonna get there slowly but that's the way to think of it but none
of this is free me the real problem is security is expensive and none of us
want to pay it got it um talk to me a little bit about um two Factor because you
mentioned um that as one of the ways that your uh some of the companies you do business with will verify your
identity but I've heard that that's actually um that's quite vulnerable as well uh getting a
confirmation but everything's everything's quite vulnerable as well just doing degrees here right it's
better yes there are ways to attack two-factor okay and uh there are ways to
attack two Factor over SMS over text message that aren't true if you're doing it in an app but sometimes it's the best
we got so we're really trying to improve things yeah are those authentication
apps better you know like the Google Authenticator they are better they are and the basic reason is SIM swapping so
there is a type of fraud where I call your I called the phone company and I
pretend to be you and I got a new phone and I basically get your identity on my phone and once I do that I get your
calls and texts right so now I can get those text messages where you get the
code you have to type in the website but if you're using an app like Google Authenticator or Duo when I cloned your
phone I didn't get those apps so that is that is safer it's a little more
annoying right you got to use the app it is but you know I teach at Harvard and
we use Duo and it's they make it super easy right you know you log in you click
Send me a send me a push I get a little notice on my phone I push the green button suddenly we're in yeah
yeah I've noticed that with Google as well with Google now they'll say just check your Google app and you just open the app and it it authenticates you
right it automatically does it and you can set it so Harvard sets it to to do that every once a month so you log in
normally with a password and then every month they require to do this the second Factor so again we're playing with
security versus usability now if it was a bank maybe you don't want to do that maybe you want to do that every time but
for the Harvard Network where it's students and profess professors you know they figure you know once a month is a
good balance you know would I make the same decision I have no idea how kind
thing you think about how long before we can meaningfully get rid of passwords
because we know they're no longer really safe answer's never uh people have been trying for
decades there'll always be a class of authentication where password is the best choice you don't get rid of them
you just push them down into the less significant you know I'm logging into the New York Times I'm always going to use a password
because you know who cares it's the New York Times I'm logging into my bank kind of never want to use a password because
oh my God it's my bank so the amount of authentication that happens is going to be very
varied and something we should talk about after the break is the notion of thing to thing authentication because
what's going to change in the next couple of years is the rise of things authenticating to other things and
that's a whole separate issue that sounds like a great topic before we jump into that you know what we like to do on
the show Bruce is we like to ask a few short questions uh just so our audience can get to know you and get to know uh
what how you got formed how you got shaped as as you were coming up so uh Brett's gonna ask I never revealed
personal information on podcast you should know that not this is not social engineering this interest based unless
the security questions you use right what is your mother's maiden name Man car
what are the last part now um okay so um uh you know I'm going to adjust this a
little bit because we normally uh focused on the futurist sci-fi element but I want to I want to tweak it to your
expertise so I can be futurist okay great all right well then what was the first science fiction you remember being
exposed to on TV or in books media so I read a lot of science fiction fantasy uh
as a kid and I still do what do I remember early on mostly the fantasy
series I remember uh the Conan series remember Moorcock I remember Tolkien uh in
science fiction Clarke and Heinlein Asimov Zelazny I mean these are
the authors uh Larry Niven Andre Norton uh C.J.
Cherryh yeah good collection H what technology do you believe has most
changed Humanity in my lifetime or in general
just in general wow and probably uh the printing
press change Humanity the most you know and that continues today in a sense the
Internet is just the latest iteration of the printing press yeah so I would I would even count them as the same but I
think I think communication Technologies the ability for humans to coordinate and
communicate over time and space is just is it's so transformative
yeah name a futurist or an entrepreneur or specialist in some way that has
influenced you and why you know there have been several and I'm not going to be good at names because I tend to be
Broad and shallow I read a lot of different people and I synthesize what
they uh what they say so I'm not no name comes to mind but I'm always reading
people who are thinking about the future and and their ideas and and then I sort of interpret them to my lens which of
course is security but so no person comes to mind all right here's here's
one that calls on a bit of a mix of sci-fi and your expertise in security is
what science fiction story do you think is best representative of the future of
security oh wow that's interesting I mean science fiction never talks about the future
that's kind of myth talks about the present using the future as a foil right you know I wow best
represents you know I like to think that the stories where security just works
right the Utopias versus the dystopias so you think of a Star Trek world right there aren't any computer
viruses computers do weird things sometimes but you know they're no
hackers it's kind of weird it's also true in Stars solve security just like they solved scarcity and no one knows
how but I like that they did is that representative probably not I think what
we know is that complex socio-technical systems are vulnerable so really the
question is where are they designed where uh they're resilient so
where is resilience have a play and I don't think any author has really gotten that right well because it's such a
different world than ours today that you can't really write about it either write about the Utopia or the dystopia which
are the things we're we're currently balancing right you want it probably right no that's fine which brings us to
AI Quantum and stuff like that which is what we want to get into after the break you're listening to the futurist we're
going to take a quick break uh we we have as our guest Bruce Schneier and uh
we're getting deep into the future of security we'll be right back after these words from our
sponsors Provoke Media is proud to sponsor produce and support the futurist podcast provoke FM is a global podcast
Network and content creation company with the world's leading fintech podcast and radio show Breaking Banks and of
course it's spin-off podcast breaking Banks Europe breaking Banks Asia Pacific and the fintech 5 but we also produced
the official Finovate podcast Tech on Reg Emerge Everywhere the podcast of the Financial Health Network
and NextGen Banker for information about all our podcasts go to provoke FM or
check out breaking Banks the world's number one fintech podcast and radio
show welcome back to the futurists I'm Rob Tercek and my co-host Brett King hey
hey hey this week we're talking to Bruce Schneier uh from Schneier on Security a superb
website filled with interesting news his blog is really worth paying attention to if you're interested in the Lively topic
of security that we're I actually have that book too Schneier on Security I have it up on my bookshelf right here I don't
know if you can see it very proudly there yeah I I have your books as well and actually uh you know what Bruce I
want to talk to you about your newest book because you've taken the concept that you've been studying for years um
this idea of a hacker and now you're starting to extrapolate from that it seems to me the new book A Hacker's Mind
uh where you're talking about the hacker mentality across the board not necessarily with cyber security but loopholes in the law and so forth tell
us about the Hacker's mind so this is my pandemic project and what I'm doing is
I'm taking the notion of hacking which I'm defining as subverting the rules not
breaking the rules but doing something the system permits but is unintended and
unwanted by the designers right so computer hack right the code allows you to do the thing but it's a bad thing
that the programmers didn't want you to do they just made a mistake uh very similarly a loophole in the tax code is
the same thing it is something that the tax code which is code it's not computer code but it's code allows but the
designers of the code the writers of the law didn't intend you found a loophole
you found a mistake you found a vulnerability an exploit and you could think about lots
of things as hacks and whether it's Uber hacking various taxi laws to get around
the rules or hedge funds hacking different Financial laws or taxpayers
hacking tax code these are all hacks and what I'm trying to do in the book is to
take this very computer idea move it to these social political economic systems
in a way that helps us think about them I think I did a great job I really liked writing it it's fun I like I have
examples from history from religion from social science from Natural Science from
uh Airline frequent flyer programs and casino games and sports you know all
ways that rules have been subverted and what the reaction has been happened afterwards it's good you
brought up casino because that was the thing I was thinking of uh casino is very attractive obviously it's where the money is but it's a rules-based
environment right those games have rules that we all think we commonly understand but there's a certain class of player
who has a different take on what those rules permit or what they can get away with in the casino and casinos have
pretty elaborate systems for tracking that behavior and discovering those people and card counting is the obvious
one yeah right I mean you look at the rules of blackjack nowhere do the rules say you are not allowed to employ
interand strategy which is all that card counting is but of course card counting
is something that is profitable for the uh player right it flips the odds not very much but it does flip the odds in
the favor of the player so the casinos like don't want this so what they do they can't like ban it because it
doesn't make any sense they use their right to expel
anyone from the casino for any reason right it's a private property you are playing in their facility they can say
you are not welcome you're making too much money fashion yeah exactly right so
they have elaborate system for detecting card counters and so Contin the story I if you know the the MIT card counting
story right so detecting card a movie about it right there's a movie about it so you detect card counting by looking
for certain player behavior when a player exhibits it he's obviously counting and that involves changing your
bet when the shoe the deck of cards reaches near the end so that's when
there's either advantage or disadvantage but the MIT group did is very clever is they divided up the roles of card
counting among different players so one player never changed his
bet he just moved from table to table someone else never changed their bet they just did the card counting someone
else did did something else and they were able to basically they were never
discovered the casino couldn't figure out what was happening because it never occurred to them that you could divide
the C the card counting strategy among several different people each of whom's
behavior is individually innocuous now Bruce it seems to me this
mentality of hacking the system uh has spread and and part of the reason I think it's spread is that we've had
maybe 15 years of bully boys from Silicon Valley telling us all about disruption which is really about you
know hacking the system right and and there's great rewards for the companies that have done it you mentioned Uber you know one of Uber's classic things is
simply to take on the the mess of local legislation that governs the kind of corrupt quasi corrupt taxi cartels and
turn it against itself right so they they they did that in city after City in different ways sometimes they got busted
but it was sort of a price of doing business as you mentioned in the beginning of the show but now it seems
like that mentality that kind of like you know go disruption mentality has spread everywhere including a recent
president who made his entire career out of hacking the the law and hacking the justice system and using law lawsuits to
to punish his enemies and so forth um what's your take on the idea that this is spreading through society and what's
it doing to society everyone's there uh there's things
unpack one is that hacking is not necessarily bad that hacking is a form of
innovation and you know we can look at Uber and dislike the fact that the way
they're harming their workers by not classifying them as employees the way they're harming cities by uh undermining
regulations it could Airbnb in the same way with Hotel regulations you could
also look at Uber as saying what you said the taxi industry is moribund it is
captured by these local cartels there's no way to innovate and taxis are
terrible and Uber fixed a lot of that right Taxi Driver used to be one of the most dangerous professions in the United
States and now with Uber because there surveillance on both sides because there
is a competition for rankings star rankings on both sides that they've made
Taxi Driver much much safer not entirely safe but much much safer so right here
Uber is definitely hacking regulations but whether it's good or bad
in the end is not at all obvious you know similarly there are hacks against
Financial regulations that we might look at and say that's a good Innovation like a account or a money market account
these are all hacks these are all ways for banks to to give more interest than the law allowed and they they created
these weird accounts that skirted the rules you can also look at ways companies are hacking Dodd-Frank to get
around controls so hacking is is that worked out well for Silicon Valley Bank right
right yeah Silicon Valley Bank they not sure they hacked the rules they just kind of got them changed which is
separate uh the question you're asking is an interesting one is hacking more prevalent today so I think there are
several things at play I think hacking is more common in a low trust Society if I think you're not paying your fair
share of taxes I am more likely to look for loopholes for myself right there's a notion that if someone else is getting
away with something yeah that's true you are more okay with getting trying to get away with something yourself and that is a robust psychological uh uh result the
other thing that's happening is technology is making systems larger and more complex which makes them more
vulnerable to hacking and and our our legal code is similar yeah right computer code is similar so I think
those two things are at play now one is cyclical I think trust in government goes up and down one seems to be only
going in One Direction complexity is always increasing so whether this is a
long-term or short-term Trend we will see but I think you're right that hacking is at least at a local maximum
but certainly you go into history and lots of hacking of rules and then some of my history examples were I enjoy I
have some good examples from the history of religion because religious rules are hacked all the time and uh you know sort
of other laws this art of understanding the behavioral element of
security um you know where does where does the behavioral psychology and so
forth come into systems design versus just purely you know like the immune
system response um when it comes to security I think it's real important and
and there people who study this there's the human factors uh in larger crime it's called crime science as opposed to
criminology like criminology studies criminals what they do crime science is the whole ecosystem in which criminals
operate and sometimes your solution is not harsher laws but to uh you know put
us put a sign on your gas pump that says you know we have a camera and all Drive
offs are going to be prosecuted right you know and it's a different solution for a
similar problem so I like looking at incentives you know when I teach cyber
security here at the Kennedy School school of government I speak a lot about economic and societal incentives and
that designing for incentives is a much better way of building security than
technology that tries to push back against incentives and we talked about Social Security numbers earlier I
mean the problem is that a social security number is valuable the real solution to protecting Social Security
numbers is to make them all public and make that okay right well I mean the real problem is it's it's having what if
I have your social security number I can do something yeah in your stead like
that's the problem yeah yeah and fixing that is way better than trying desperately to secure these numbers that
we're using everywhere right yeah and they already are everywhere they're already which brings me sort of to the
next topic which is um you know the the recently we've seen um you know Chinese
action U with signal intelligence trying to capture uh you know encrypted Communications and things like that for
the on the basis that they may be able to break this encryption sometime in the future and one of these the areas that
we keep coming up against as as a potential way to sort of break open a lot of the security we have is Quantum
Computing right and this mythology that Quantum once mature can break any of the
existing encryption we're going to have and we're going to need to use quantum Computing to secure you know our
Technologies and so forth where where do you sit on this you know um you know 20 years out with Quantum how is it going
to change the security landscape so not that much I mean there's a lot of talk but in the end uh we're going to be okay
so a couple things you said right a couple things you said wrong uh yes our existing public-key algorithms are
likely to fall to a quantum computer so that's not good NIST the US Government
standards body is currently having a competition in post-quantum
algorithms the cryptography is going to be well ahead of the physics so we will get these algorithms well before we're
going to need them so that's good uh the transition is hard what is called crypto
agility the ability to swap algorithms we're not very good at so we got to get better at that in order to swap from
these insecure algorithms to these more secure algorithms but this is just public key cryptography symmetric
cryptography is fine quantum computers cannot break the current size key lengths and uh doubling key lengths is
easy so there's no issue there at the same time a lot of our security doesn't
use public key at all you know right now the security between your cell phone and the tower is encrypted and it's not
public encryption so that's not that's not going to be affected so we have a bunch of systems that aren't going to be
affected we have Paths of migration some easier some harder to go into Quantum
resistance and my guess is that's not going to be much of an issue and honestly crypto agility is important in
general because there a lot there you know things break for other reasons on quantum computers so you're talking
about like adaptive security systems adaptive algorithms but this I mean this
this is where AI is is the challenge is that AI presumably will be able to adapt
in terms of attack vectors as well right yeah but that's not that's not mathematical attacks those are going to
be computery attacks so yes I think AI will change cyber security
dramatically but that is in the sort of the computer attack and defense not the math attack and
defense cryptanalytics it's going to be a long time before an AI can do that because that kind of
specialized math is very difficult to train an AI for a lot of reasons that
are probably are are too deep to get into here the the back and forth of finding vulnerabilities in code and in launching
an attack and a defending that it know it's already being done so was it yeah
2016 I think it was uh United States had a uh DARPA had a capture the flag
contest for for AIs uh finals were at Defcon that year an AI from Carnegie Mellon won
is now a commercial product but there AIs are attacking each other and defending their networks you know as as
a exercise in using this computer speed attack and defense uh DARPA never
repeated that but China has every year China host something called robot hacking games where they're doing this
AI versus AI Cyber attack and defense and guaranteed they're getting much
better at it we don't know a lot because now the Chinese military runs it but you know surely there are
advances in that that are happening in China because of that so I think that AI will change cybersecurity dramatically but
it's not going to be in the cryptography area it's going to be in this this more hacking area so systemically just just
out of interest you know where do you rank China versus say the US and the EU in in terms of their you know security
responsiveness these days systemically you know it's hard to know
the uh a lot of a lot of that is classified a lot of that we don't have access to a lot of it is is things
countries have and they're they're keeping in their back pocket and so I mean I know there are efforts to try to
rank countries in terms of their cyber capabilities I think they're all making it up right I don't think anybody has
enough actual data to produce that kind of ranking so whenever I see those
rankings I'm always very skeptical yeah Harvard here we produce one and it just feels like you're just making this stuff
up you're you're you're you're basing it on on guesswork on stuff in the Press since when is like you know stuff that's
in the news is stuff you got wrong it's like the CIA if something is in the news they made a mistake you can't you can't
rate the CIA based on what's in the news that's the exact opposite of how to how to R rate Bruce let me redirect to AI
because I have a related question uh which is that um we're beginning to delegate more and more um authority to
machines we're beginning to delegate more and more to autonomous systems uh and I'm not just talking about Tesla's
uh you know autopilot uh in their car although that's one example of that earlier we talked about internet of
things you these are systems that we set up we kind of forget about and they're running in the background and we don't update them or patch them but now
increasingly we're going to have autonomous systems and and as we were talking about the military just a moment ago it occurred to me that the next big
war will probably be a war fought between robots now the minute we delegate to a machine we're creating a
whole range of vulnerabilities can you talk a little bit about machine to machine or thing to thing uh
security so I think this is something that's going to be a big issue moving forward because this is 5G right 5G is
not about you watching Netflix faster 5G is about things talking to other things behind your back and right they're going
to be doing things they're going to be sensing thinking and acting they're
going to be sensing the world making decisions and acting on them and that could be a driverless car that could be
your thermostat that could be a City's power grid that could be a National
Defense System right so this is what we frame as agency right AI based agency
right I think of it as as as as as physical phys but physically agency agency in the real world like my
thermostat at home turns my heater on and off now I'm fine with that right I mean it can do that by itself I don't
need to to monitor it but you know if it's if it's deciding whether to break my
car that's a different thing uh there are authentication issues right strug
about in our first half where we really don't know how to do thing thing authentication at scale so imagine a
driverless car or some kind of computer assisted driving car we have to authenticate to to thousands of other
cars and traffic signals and road signs and emergency alerts all in real time all ad hoc we have no idea how to do
that and more importantly we don't know if we can trust that signal right so we might but that's the point right I mean
you have to be able to trust it because what we want is like the car three ahead to announce that I'm braking so that I
in the car three back know it before or the brake lights go on I mean there's
there there's this promise that we could synchronize communication between
Vehicles we can have much tighter uh traffic going much faster because you
don't need human reaction time but the whole network now knows that we're going
fast there was an accident we have to brake we have to Route all those things that requires right authentication do we
know these signals are real lots of issues there so you know
whether things make autonomous decisions depends a lot right I mean I'm I I'm
okay with a computer that tells me how many you know what I owe in taxes if my tax return is simple I'm not okay if
it's complicated right I'm fine if a computer you know we now have chat GPT
hooked into uh open table if it recommends a restaurant for me that sounds okay uh you know but what if the
computer like in charge of the US foreign policy says like you need to invade Russia Today can't tell you why because we're a
black box unexplainable but you really need to invade Russia Today are we okay with that probably not and probably not
for a long time so this is going to be an interesting bunch of years as you say
these systems start moving into more aspects of our life and we figure out
yeah an AI reading an x-ray being a radiologist that's good an AI making a bail par decision that's bad well it
seems to me we're going to have like a Cascade of different systems that rely upon each other so it's not just the
cars talking to the cars but it's also the traffic lights and the city systems and emergency signals and so on Y and
and if just one of those is vulnerable then a malicious hacker could shut the whole system down or create a kind of cascading effect of accidents or
something that's a scary scenario well that's the idea that's where I mentioned resilience you know uh sometime earlier
that we need our system to be more resilient because that is a critical failure that comes from systems being
fragile from a failure in one thing cascading to multiple things now
earlier fails you wanted just to stop and not speed up in an earlier episode
we interviewed um we Brad Templeton who talked about autonomous vehicles in a very fun and interesting way and yeah
Brad's great on that issue he is great he's very passionate about it and very Lively one of the things we talked about
was whether whether those uh should be connected uh autonomous vehicles or whether they should be self-contained
and his feeling was very much important he said it's very important that each car is going to be self-contained that it has sufficient computing power uh to
be autonomous on on the car yeah we also know that those cars are gathering tons of data right they're collecting uh very
very precise data that could be usefully shared such that you could have like a city scale model like a real-time model
of what's happening in the city from the perspective of of thousands or maybe a million cars
uh but his perspective he was very very uh pessimistic about the the reliability of that system of the communication
what's your perspective on that I mean that strikes me as a vulnerability these systems do need to communicate and they have to send messages back and forth I
it's a vulnerability it's also how they work so me welcome to the Internet it's a vulnerability
but it's how we do everything we do uh I don't think they're going to be self-contained I think we got robots
wrong in science fiction getting back to one the earlier question now we kind of think of a robot as a
thing with the you know with the brain in the Middle with sensors and actuators
on the edges and some kind of shell to protect it from the rest of the world
that's not the way robots work you know nowadays your robot will have sensors
around the environment actuators around the environment the smarts are probably in the cloud there isn't a thing it's
not like R2D2 or data it's not an object it is it doesn't have a positronic
Matrix yeah yeah so I I don't think it's going to be the car that is going to be
the robot I think the system of cars together is going to be the robot makes
sense and all the cars together will decide we're gonna brake we're gonna go
we're gonna make a left turn uh all the cars and the roads and the sensors so
the sensors that the car is going to use some of them are not going to be in the car they're going to be on the road because it's better to have them there
and the car just car just borrows them as it drives by so this notion of of of
Robotics a as these these units I think is not the way it's gonna go I think
that makes sense particularly particularly in a big city imagine when your car you know when you're in in a
not too distant future when there's a lot of autonomous vehicles in a big city like Los Angeles or Chicago you can
imagine that at that point the city is going to need to take over the management of the vehicles yes absolutely it's like you air traffic
control when you're flying into a region Air Traffic Control says okay we're taking over the direction of this flight
at this point you know and they start to issue commands to the pilot uh you know the car might still retain limited
autonomy around that particular vehicle braking and so forth but you can imagine that the city will say okay
everybody's passing through to San Diego we're going to put you in the left lane so you can go fast everybody's exiting we're going to move you over to the
right it just makes sense to me versus the chaos of a million well it's it's it's Resource Management you know like
that's the function of government and you know as you start thinking about traffic movement if you start TR
thinking about delivery and so forth It's all Resource Management which is where AI is going to be hugely
transformative for the way we think about governance you know creat a huge dependency then on a good solid AI that
we can rely upon or a network of AIS that we can trust and so we're right back and good policy setting right
that's right so uh Bruce um you know as we wrap up the show we like to get a bit
sci-fi um you know obviously we are the futurist so you know looking 20 to 30
years out what's the security landscape look like and what are you optimistic
about so 20 30 years is hard and you know this if you do you know any kind of futurology we're really good the next few
years we're terrible further out and basically we tend to be good at
predicting technical Trends but are terrible at predicting social changes
due to technology right so we can predict that you know cars will allow people to go faster but no one predicts
like the modern suburb and we can predict that you can buy and sell things on the internet internet makes buying
and selling easier but no one predicts eBay right so those so I think there is an a blind spot because we always see
Society in terms of our societal Norm so we project future technology onto our
society which is why like Star Trek is so weird it's super future Tech but it's
current social problems so I just don't think you can do that kind of futurology
I would like to see the attack defense arms
race solved right the notion that every attack every defense every attack every
defense is a Red Queen's race and you you never get better even as you uh as
you improve I'd like there to be some way out of that it is not obvious that that
is g to be true forever it's only true today that will make an enormous difference that will allow us to build
systems for that do good without worrying about the bad that comes with it which is really what this whole whole
show has been about is that likely I don't know I I the math graphy is not going
anywhere right you know I have an essay called cryptography after the aliens land where I talk about far future
possibilities we're still gonna have secure messaging but all everything else is kind of up for grabs I think AI is going
to change things more than anybody thinks even those who think it's going to change everything I don't think we have any
idea and the analogies of that you know the early days of the steam engine he has he has to predict what the future
will look like in 30 years you have no idea and if you do you just get it completely
wrong so the idea of having non-human decision makers in our midst that in a
lot of ways better than us as decision makers is going to be really interesting to watch yeah I I mean I just read the
age of AI with you know from Eric Schmidt and Henry Kissinger and put the other the guy but um really emphasizes
that particularly that we're already seeing AI logic you know come up with
different results from the way humans operate and and better as as you say so
the more Reliant we become on that the the less it follows human logic right
right I mean and they think differently than humans they come up with solutions that humans don't think about yeah and
which is why this whole explanation issue is a problem because they really can't explain their stuff because they're not explanations are human
shorthand so yeah we're not great at explaining our decisions either we terrible at it Congress yeah
well gosh Bruce it's been a great pleasure having you on the show for those who are listening Our Guest this week is Bruce Schneier and he is the author
of a terrific book A Hacker's Mind how the powerful Bend society's rules and
how to bend them back a very playful idea uh to take your your expertise on
on cyber security and extend it out to the real world all the other code-based systems that govern the way Society
works you can check them out on the web at Schneier on Security his his blog which is prolific and filled with interesting
things many of which he shared today uh where else can people find you on the web honestly that's the only place I
don't tweet I don't Facebook I don't LinkedIn I don't Instagram I don't
WhatsApp I don't whatever else Tik Tok whatever else kids do these days makes me a freak but highly productive so
schneier.com is my website that's where everything is super well thanks for joining us it's been great to see you
again thanks for having me thank you Bruce right that's it for this week's show if you like the show be sure to leave us a
uh a five star review on your platform of choice tweet us out um you there are still people that do do use Twitter even
though Bruce does doesn't um so post about it tell your friends all of that
and let us know who else you'd like to see on the futurist we've been having some Stellar guests lately but uh tell
us which areas you're interested in uh our thanks go out to the provoke team for their work on producing the show
each week uh particularly to Kevin ham our audio engineer Elizabeth sens our producer Carlo Sylvie and the whole rest
of the team that's it for the futurist this week but you can rest assured that we will see you again in the future
future well that's it for the futurists this week if you like the show we sure hope you did please subscribe and share
it with the people in your community and don't forget to leave us a five-star review that really helps other people
find the show and you can ping us anytime on Instagram and Twitter at
futurist podcast for the folks that you'd like to see on the show or the questions that you'd like us to ask
thanks for joining and as always we'll see you in the [Music]
