It is said that the song Wipe Outlaunched a generation of drummers. In the world of information security, the classic Applied Cryptography: Protocols, Algorithms, and Source Code in Cby Bruce Schneiermay have been the book that launched a generation of new cryptographers.
Schneier latest work of art is Liars and Outliers: Enabling the Trust that Society Needs to Thrive. For those that are looking for a follow-up to Applied Cryptography, this it is not. In fact, it is hard to classify this as an information security title and in fact the book is marked for the current affairs / sociology section. Whatever section this book ultimately falls in, the reader will find that Schneier is one of the most original thinkers around.
In Applied CryptographySchneier dealt with the pristine world of mathematical cryptography where aspects of pure mathematics could be demonstrably proven. For example, non-repudiation is absolutely provable.
In Liars and Outliers, Schneier moves from the pristine world of mathematics into the muddy world of human trust. Non-repudiation is no longer an absolute in a world where a Windows kernel can be compromised and end-users can be victims of social engineering.
The book addresses the fundamental question of how does society function when you cant trust everyone. Schneier notes that nothing in society works without trust. Its the foundation of communities, commerce, democracy, in truth — everything. And Schneier deals extensively with social and moral pressures that effect trust.
Liars and Outliers is very similar to books Umberto Eco, that have a Renaissance feel to them; bringing myriad and diverse topics together. Schneier does this here and intertwines topics such as game theory, evolution, surveillance, existentialism and much more. Schneier's brilliance is that he is able to connect seemingly disparate dots around information security and society, and show how they are in truth tightly coupled.
In the book, Schneier makes note of those that don't follow the rules. He calls these people defectors, and these are the liars and outliersof the book. The book notes that everything is a trade-off, and these defectors are the ones that try to break the rules.
An overall theme of the book, in which Schneier touches and references sociology, psychology, economics, criminology, anthropology, game theory and much more, is that society can't function without trust. He writes that in our complex interconnect and global society, that we need a lot of trust.
Schneier makes frequent reference to Dunbar's number, which he first references in chapter 2. Dunbars number was first proposed by British anthropologist Robin Dunbar and is a theoretical cognitive limit to the number of people with whom one can maintain stable social relationships. It is generally in the area of 150. So when someone sees a person with 3,000 Facebook friends, something is clearly amiss.
In chapter 9 on institutional pressures, Schneier takes a very broad look at threats facing society today. One of the biggest perceived threats we have today is terrorism, and the book astutely notes that we can never ensure perfect security against terrorism.
If Schneier had his way, the TSA budget would be measured in the millions, not billions of dollars. He incisively observes that all the talk of terrorism as an existential threat to society is utter nonsense. As long as terrorism is rare enough (which it is), and most people survive (which they do), society will survive. He writes that while that observation is true, it is not politically viable for our leaders to come out and say that.
While the book is heavy on the people focus, Schneier also acknowledges that sometimes and for some people, the incentives to commit crimes are worth the risk. To deal with those, that is where security technologies come into play.
An interesting observation made in chapter 10 around technology is that sometimes the technological changes have absolutely nothing to do with the societal dilemma being secured. For example, he notes that between the ubiquity of keyboards and the tendency for teachers to focus on standardized tests, cursive is no longer being taught that much in schools. The result is that signatures are more likely to be either printed text is an illegible scrawl; making them easier to forge; which in turns creates new security risks.
In the book Schneier makes scores of astute observations on how society functions around security. He notes in chapter 16 that we are currently in a period of history where technology is changing faster than it ever has. The worry is that if technology changes too fast, the attackers will be able to innovate so much faster than society can that the imbalance become even greater; with failures that negatively affect society.
In many of the examples in the book, Schneier paints a dark picture given the advantage that the attackers and defectors have. But he also notes that we are in a period of history where the ability for large-scale cooperation is greater than it has ever been before. On that topic, he refers to the book The Penguin and the Leviathan: How Cooperation Triumphs over Self-Interestby Yochai Benklerwhere he writes that the Internet can and has enabled cooperation on a scale never before seen. And that politics, backed by science, is ready to embrace this new cooperation.
On the lighter side, in chapter 17, Schneier notes that Mussolini didn't make the trains run on time; he just made it illegal to complain about them.
Schneier notes at the end of the book that its lesson isn't that defectors will inevitably ruin everything for everyone. Rather that we as a society need to manage societal pressure to ensure that they don't.
Liars and Outliersis an absolutely fascinating and groundbreaking book. In this election year where the candidates attempt to make sweeping simplistic promises to fix complex problems, Schneier simply answers that in our complex society, there are no simple answers.
In Applied CryptographyBruce Schneier demonstrated he was quite the smart guy. In Liars and Outliers, he shows he is even smarter than most of us first thought.
Ben Rothkeis the author of Computer Security: 20 Things Every Employee Should Know."