I’ve just finished reading Liars and Outliers by Bruce Schneier.
I received a signed copy thanks to Schneier’s discounted signed book offer of $11 plus a review. So here’s a review:
In this book, Schneier takes on all of security: What is it, and why
does it work? The answer flows through diverse areas of study, from
evolutionary psychology to game theory. He begins (appropriately enough)
with history: a discussion of predators and prey. From microbiology, we
move rapidly forward through time to modern society.
After taking a look at history, Schneier moves into a discussion of the
four societal pressures: moral, reputational, institutional, and
security. Each kind of pressure builds on the previous ones, with
security being the most advanced.
Once these basics are established, he moves into discussion of the real
world. In this part, he examines conflicting interests, organizations as
actors, corporations specifically, and institutions, covering all the
ways that the theory breaks down in practice.
One of the most important things covered is the “security gap”:
defectors are faster to pick up on new technologies than defenders. This
means that security cannot solve all the problems. There are many
examples of this, the classic one being the arms race: attackers use
bows and arrows, so defenders wear armor. Then firearms are developed,
and the armor is no longer effective, so the defenders lose the armor
and hide in ditches. Defenders don’t invest in new technology without a
reason, and better attacks are the best reason.
This is another book I’ve read recently that is long on a description of
the problem and short on specific solutions. Near the end of the book,
Schneier gives the following list of principles:
- Understand the societal dilemma.
- Consider all four social pressures.
- Pay attention to scale.
- Foster empathy and community, increasing moral and reputational pressures.
- Use security systems to scale moral and reputational pressures.
- Harmonize institutional pressures across related technologies.
- Ensure that financial penalties account for the likelihood that a defection will be detected.
- Choose general and reactive security systems.
- Reduce concentrations of power.
- Require transparency—especially in corporations and government institutions.
These principles provide an excellent foundation on top of which
solutions can be built, and, given the scope of what he’s chosen to
tackle, it seems reasonable not to propose solutions to narrow issues
like airline security. However, I would have liked to see a specific
proposal for getting society’s “agent”, i.e. the government, to follow
these principles when implementing policy.