I've always considered anything written by Bruce Schneier to be part of my ongoing education about IT security. Like Warren Buffett in the financial world, Schneier has a special talent for simplifying complex IT concepts by stripping away the fat. Each book is like its own little graduate course on whichever subject he happens to be discussing. I had a chance to review a pre-release of his forthcoming book "Liars and Outliers: Enabling the Trust that Society Needs to Thrive," and I can say that it is among his best. It explores the end-game emotion for all computer security, trust -- and it prompted me to rethink my long-standing proposal for fixing the Internet.
Schneier (who also pens a can't-miss blog and newsletter) started his career as a nuts-and-bolts cryptographer. His more recent books have tended to touch instead on realms of computer security, such as privacy, human nature, and fear. In "Liars and Outliers," he argues that in order for societies to advance, they have to trust the systems designed to keep them secure.
Fear of something naturally leads us to ask whether the related situation can be trusted. A ready example is how we treat unexpected emails arriving from friends with strange-looking subject lines, asking us to click on unknown links. Is it really from a friend touting some interesting new content, or is it from a malware program that has hijacked the friend's account and is hoping we will click on the link and get pwned? Schneier's first main argument is that trust on its own only scales to small, intimate groups; to extend it to strangers and to groups of any real size, we need security systems. Without trusted security systems, the book declares, we would never have been able to evolve into a civilization.
I tend to measure the quality of a nonfiction book by the amount of highlighting I do in it so I can come back later to revisit the salient points. By that measurement, I liked "Liars and Outliers" a tremendous amount. I highlighted an average of two to three sections on every page. Although some topics are a little overly academic (a theme in some of his more recent works), the mix is very good. Chapters and subjects are short, yet meaty; at no time did I feel like I was plodding along -- well done.
I'm sure every reader will come away with different lessons, but these are the ones that will stick with me:
- Trust underlies all civil society in everything we do.
- When security or societal pressure is applied, it takes time for its effects to appear, and longer still for them to be measured. As a result, we will always be playing catch-up with cyber criminals.
- Civil society must always bear some negative outcomes or it won't remain civil in the long run. For example, to get rid of all crime would require a complete loss of freedom. Or, from an IT perspective, eradicating all spam would require a severely restricted and probably unusable email system.
- Stateless civil-disobedience organizations, such as Anonymous and WikiLeaks, are far harder to control than state-bound institutions.
- Lastly, informal societal pressures have a greater impact on outcomes than formal laws and controls.