An interview with Bruce Schneier on the Internet of Things, global surveillance, and cybersecurity

Bruce Schneier on IoT

Bruce Schneier is a world-renowned cryptographer and security technologist whom the Economist has dubbed an “internet-security guru.” Schneier has authored a dozen books since 1993, with his next book—Click Here to Kill Everybody: Peril and Promise in a Hyper-Connected World—due for release in September 2018, and set to tackle the burgeoning trends of cybercrime, corporate surveillance, and how to mitigate the catastrophic risks from unsecured devices.

Earlier this year, Schneier wrote a chilling article in New York Magazine detailing the pressing dangers of unsecured IoT devices and, more recently, consulted on bipartisan legislation that will ensure devices purchased by the U.S. government meet specific security standards.

On top of all that, Schneier frequently blogs on internet and security matters and runs a monthly newsletter, ‘Crypto-gram,’ that has amassed a following exceeding 250,000—so we thought he’d be perfect for an ExpressVPN cybersecurity Q+A.

We asked Bruce Schneier what his thoughts were on the origin of the problems that permeate improve their cybersecurity practices.

1. Firstly, thank you so much for talking to us! We appreciate you have a busy schedule, so let’s get straight to it—why does the problem of unsecured technologies exist in the first place?

Security is an afterthought in product design and not something that’s taken seriously enough. Companies are rewarded for features, price, and time-to-market. It’s easy to slough off security because it’s not immediately obvious that you’ve done so.

2. You’ve previously called surveillance “the business model of the internet.” What does this mean to the average internet user?

It means that they are spied on 24×7. They’re spied on when they surf the web. They’re spied on when they send e-mail. They’re spied on whenever they use their smartphones. Companies like Facebook are the largest surveillance organizations on the planet, and they need to be recognized as such.

3. Why is there so little market incentive to provide security if this is something consumers demand in their products?

Customers don’t know how to make buying decisions based on security because the details are complex and specialized, so there’s minimal incentive for companies to provide it. They’re rewarded for price, features, and time to market—it’s smarter for them to take the chance with security.

This is no different from any other industry. We don’t get safety or security improvements without government intervention. It’s true for cars, planes, medical devices, pharmaceuticals, workplace safety, restaurant sanitation, food safety, nuclear power plant safety, and—most recently—the safety of financial instruments.

4. If companies lack the incentive to do it, what type of mass event do you think could force a better knowledge of cybersecurity onto the general public?

I have no idea. I used to think that it was whatever massive data breach was in the news, but I’ve given up on that. I’m afraid that it’s going to be a security event involving the Internet-of-Things killing people that will wake people up to the dangers. As long as that event doesn’t involve guns, we might then have a sane and reasoned conversation about government regulation.

5. Speaking of government regulation, you recently consulted on legislation proposed by Senators Warner and Gardner to improve IoT cybersecurity this year—what do you hope this first step will accomplish?

As a first step, it’s very minimal. It doesn’t impose any security regulations on anybody. All it says is that IoT devices purchased by the federal government meet some basic security standards. And even this modest improvement isn’t going anywhere.

6. Thanks again for speaking to us. Finally, what’s a good cybersecurity best practice we can all start doing right away?

Enable two-factor authentication wherever possible. And maintain good backups.

If you want to read more of Bruce Schneier’s thoughts on cybersecurity, check out his blog and sign up to his newsletter!

Also published on Medium.


  1. Schneier is brilliant on security and I can’t overstate my appreciation for his expertise there enough, but he is clueless on history and economics. He seems to think that the world was aimless and chaotic until “the government” somehow magically appeared and solved all problems. He doesn’t recognize that “the government” is just a term we use to refer to a group of people who assume a supposedly-legitimatized monopoly on the use of force and violence in a given geographic territory. It is composed of the same types of people who design IoT devices and run major corporations, and if they can use their privileged position for their advantage over and against the rest of us, they will and do.

    Schneier’s proposed solution, then, is that by giving more power to these monopolists, somehow that will solve our problems with corporations, even though corporations, through lobbies and the revolving door, are the ones pulling the strings on “the government.” It won’t work. It will actually make things much worse.

    The only thing that will work is getting government out of the way, repealing special liability protections for corporations, abolishing the patent/IP system which prevents innovation and competition.

