SAN FRANCISCO -- Bruce Schneier had harsh words at RSA Conference 2018 for U.S. lawmakers on the topic of cyber regulations.
Schneier, security expert and CTO of IBM Resilient, spoke twice this week at RSAC about the coming wave of cyber regulations and the dangers those laws and policies will bring if the lack of input from technologists continues. Speaking at a panel discussion Wednesday titled "Identity Insecurity -- Another Data Hurricane Without 'Building Codes'," he discussed how new regulations are inevitable in light of recent privacy and data misuse episodes and renewed his call for more technology and security professionals to get involved in the policy-making process.
At his session on Tuesday titled "Security Orchestration and Incident Response," Schneier predicted that Europe will have to lead the way on cyber regulations that improve security and data privacy. "Europe is the regulatory superpower on the planet," he said, citing the General Data Protection Regulation (GDPR). "They're not afraid to impose fines that make companies notice, rather than fines that make them say, 'You know, that's cheaper than lawyers' fees, let's just pay it.' And that will make a difference."
U.S. lawmakers, however, don't seem to want to get involved in cyber regulations in any way. Any policy changes that are introduced will come from agencies like the Federal Trade Commission and Federal Aviation Administration, Schneier said. Congress, on the other hand, exhibits a "general unwillingness to regulate what is an enormous wealth creation machine" in the internet because lawmakers fear they will negatively impact the economy.
During the Q&A segment of Tuesday's talk, an audience member asked what potential policy changes could improve security, specifically around disposable IoT devices.
"In the United States, we're going to get no policy changes," Schneier said. "I think what we learned in the Facebook hearings and what we learned in the Equifax hearings is that lawmakers like to posture and will do absolutely nothing. And I think [Mark] Zuckerberg knows this.
"I think [Zuckerberg's] playbook is very much to take responsibility, apologize, promise to do better, wait for the storm to subside and then make no changes. It's worked so far," he said.
But Schneier said there's a chance the status quo may change this year with the coming election cycle because candidates will "have to have an opinion on data and Facebook," regardless of whether the opinions are informed or consistent. He also added that Zuckerberg, CEO of Facebook, said the social media site would apply GDPR protections for users worldwide, but "I don't believe he knew what he was talking about when he said that."
Getting involved in policy changes
Schneier said he fears that once cyberattacks start leading to loss of life, the public pressure will force U.S. lawmakers to get involved in cyber regulations, which will lead to hasty and uninformed legislation. Technology professionals and experts need to have ideas and plans ready for policy changes when that day comes.
"We as technologists need to get involved in policy. As internet security becomes 'everything security,' internet security policy becomes 'everything security policy,'" he said during Tuesday's session. "And we as a society will never get the policy right, if the policy makers get the tech wrong. You can see this in the going dark debate, you can see this in the equities debate on vulnerabilities, all the debates on voting machines, and you can even see it with driverless car security debates."
Schneier admitted he isn't optimistic about positive policy changes -- at least in the short term -- because of the current "dysfunction" within the federal government and the reluctance of U.S. lawmakers to act. But he encouraged the audience to become more active in policy and pushed technology companies to support nonprofit organizations such as Code for America as well as long-term sabbaticals for employees who want to devote more time to policy and law.
"Policy makers don't get the tech. And we need to fix this," Schneier said. "We need to figure out how to get more technologists involved in policy discussions."