In this book, Schneier takes on all of security: What is it, and why does it work? The answer flows through diverse areas of study, from evolutionary psychology to game theory. He begins (appropriately enough) with history; a discussion of predators and prey. From microbiology, we move rapidly forward through time to modern society.
After taking a look at history, Schneier moves into a discussion of the four societal pressures: moral, reputational, institutional, and security. Each kind of pressure is built off of the previous ones, with security being the most advanced.
Once these basics are established, he moves into discussion of the real world. In this part, he examines conflicting interests, organizations as actors, corporations specifically, and institutions covering all the ways that the theory breaks down in practice.
One of the most important things covered is the “security gap”: defectors are faster to pick up on new technologies than defenders. This means that security cannot solve all the problems. There are many examples of this, the classic one being the arms race: attackers use bows and arrows, so defenders wear armor. Then firearms are developed, and the armor is no longer effective, so the defenders lose the armor and hide in ditches. Defenders don’t invest in new technology without a reason, and better attacks are the best reason.
This is another book I’ve read recently that is long on a description of the problem and short on specific solutions. Near the end of the book, Schneier gives the following list of principles:
- Understand the societal dilemma.
- Consider all four social pressures.
- Pay attention to scale.
- Foster empathy and community, increasing moral and reputational pressures.
- Use security systems to scale moral and reputational pressures.
- Harmonize institutional pressures across related technologies.
- Ensure that financial penalties account for the likelihood that a defection will be detected.
- Choose general and reactive security systems.
- Reduce concentrations of power.
- Require transparency—especially in corporations and government institutions.
These principles provide an excellent foundation on top of which solutions can be built, and, given the scope of what he’s chosen to tackle, it seems reasonable not to propose solutions to narrow issues like airline security. However, I would have liked to see a specific proposal for getting society’s “agent”, i.e. the government, to follow these principles when implementing policy.