Bruce Schneier

Bruce Schneier is an internationally renowned security technologist, called a “security guru” by the Economist. He is the New York Times best-selling author of 14 books — including ”Click Here to Kill Everybody”—as well as hundreds of articles, essays and academic papers.

Subscribe to this Lawfare contributor via RSS.

Cybersecurity and Deterrence

Information Attacks on Democracies

Henry Farrell, Bruce Schneier Thu, Nov 15, 2018, 10:35 AM

Democracy is an information system.

That's the starting place of our new paper: “Common-Knowledge Attacks on Democracy.” In it, we look at democracy through the lens of information security, trying to understand the current waves of Internet disinformation attacks. Specifically, we wanted to explain why the same disinformation campaigns that act as a stabilizing influence in Russia are destabilizing in the United States.

Read more about Information Attacks on Democracies

Russia and Eastern Europe

Censorship in the Age of Large Cloud Providers

Bruce Schneier Thu, Jun 7, 2018, 7:00 AM

Internet censors have a new strategy in their bid to block applications and websites: pressuring the large cloud providers that host them. These providers have concerns that are much broader than the targets of censorship efforts, so they have the choice of either standing up to the censors or capitulating in order to maximize their business. Today’s internet largely reflects the dominance of a handful of companies behind the cloud services, search engines and mobile platforms that underpin the technology landscape.

Read more about Censorship in the Age of Large Cloud Providers

Cybersecurity

What “Efail” Tells Us About Email Vulnerabilities and Disclosure

Bruce Schneier Thu, May 24, 2018, 7:00 AM

Earlier this month, researchers disclosed vulnerabilities in a large number of encrypted email clients: specifically, those that use OpenPGP and S/MIME, including Thunderbird and AppleMail.

Read more about What “Efail” Tells Us About Email Vulnerabilities and Disclosure

Cybersecurity

On Spectre and Meltdown

Bruce Schneier Fri, Jan 5, 2018, 3:38 PM

I wrote about the Spectre and Meltdown attacks for CNN and my blog. The piece begins:

This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

Read more about On Spectre and Meltdown

Cybersecurity

What You See Is What You Get: Revisions to Our Paper on Estimating Vulnerability Rediscovery

Trey Herr, Bruce Schneier Thu, Jul 27, 2017, 3:18 PM

We recently published a paper on the rediscovery of software vulnerabilities. This was the final version of a paper that had been in the works since September, peer-reviewed by the WEIS community during the winter, and then circulated for additional revision in early March. Since publication, two mistakes have come to light.

Read more about What You See Is What You Get: Revisions to Our Paper on Estimating Vulnerability Rediscovery

Cybersecurity

Rediscovering Vulnerabilities

Trey Herr, Bruce Schneier Fri, Jul 21, 2017, 11:30 AM

Software and computer systems are a standard target of intelligence collection in an age where everything from your phone to your sneakers has been turned into a connected computing device. A modern government intelligence organization must maintain access to some software vulnerabilities into order to target these devices. However, the WannaCry ransomware and NotPetya attacks have called attention to the perennial flipside of this issue—the same vulnerabilities that the U.S. government uses to conduct this targeting can also be exploited by malicious actors if they go unpatched.

Read more about Rediscovering Vulnerabilities

Secrecy & Leaks

Who Is Publishing NSA and CIA Secrets, and Why?

Bruce Schneier Thu, Apr 27, 2017, 9:39 AM

There's something going on inside the intelligence communities in at least two countries, and we have no idea what it is.

Consider these three data points. One: someone, probably a country's intelligence organization, is dumping massive amounts of cyberattack tools belonging to the NSA onto the Internet. Two: someone else, or maybe the same someone, is doing the same thing to the CIA.

Read more about Who Is Publishing NSA and CIA Secrets, and Why?