Skip to main content
Cybersecurity

Schneier Warns of AI-Driven Cybersecurity Shift

Computer security expert stands in front of whiteboard with network diagrams and cityscape background.

“Cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on,” Bruce Schneier wrote in a June 20, 2010 column — a critique he returns to and reframes as encryption meets artificial intelligence.

Bruce Schneier’s continuing thesis: math versus messy systems

Schneier has made a sustained argument across decades that cryptography, while mathematically powerful, cannot by itself secure the complex, human-driven systems that run modern life. He first phrased the basic tension in the preface to his 2000 book Secrets and Lies, noting that “cryptography is a branch of mathematics” while real security “involves people: things people know, relationships between people, people and how they relate to machines.” He revisited the point again in 2016: math “has no agency; it can’t actually secure anything,” because cryptography must be written in software, embedded in larger systems, managed by operating systems, run on hardware, connected to networks, and configured and operated by users — each step introducing vulnerabilities.

Applied Cryptography on desks at Ft. Meade: the 1990s anecdote

Schneier recounts a conversation with a former NSA employee who told him that during the 1990s many cryptographers at Ft. Meade kept a copy of his book Applied Cryptography at their desks. The former employee said people were allowed to refer to it but not to cite it. That anecdote underscores the era when cryptography moved from academic niche to mainstream engineering and when readable, comprehensive references for practitioners were scarce.

Cryptographic mathematics: a real but limited defensive edge

Schneier emphasizes a concrete mathematical point: increasing key length creates a disproportionate burden on attackers. “Adding a single bit to the length of a key adds only a slight amount of work for the defender but doubles the amount of work the attacker has to do,” he writes; similarly, doubling key length roughly doubles defender work while increasing attacker workload exponentially. That mathematical imbalance is important and explains why correctly implemented cryptography remains necessary, even as Schneier insists it is not sufficient.

Computer security as a fragile, fast-moving arms race

By contrast with cryptography’s predictable mathematics, Schneier describes computer security as an arms race in which “there’ll be a new attack, and a new defense, and a new attack, and a new defense.” Vulnerabilities are discovered continually; the balance between attacker and defender can “tip from defender to attacker overnight, and back again the night after.” That inherent fragility arises from the complexity of software, networks, and human operators.

AI’s impact: “superhuman” exploit finding and the age of “instant software”

Schneier argues that artificial intelligence is changing the contours of that arms race. He states that AI “has demonstrated a superhuman ability to find vulnerabilities in software and to write exploits,” and that a similar ability to write patches “is probably coming.” The combination — faster exploit creation and faster patch creation — has “profound implications for both attackers and defenders,” and Schneier calls the resulting dynamic a world of “instant software.” He also notes that cryptography still prevents “particular attack and forms of mass surveillance,” even as AI reshapes how vulnerabilities are found and acted upon.

What this means for technologists, policymakers, and end users

  • Technologists and security teams: Schneier’s framing suggests they must treat cryptography as a necessary building block, not a complete solution; they will confront a faster discovery-to-exploit cycle driven by AI and should prepare for both rapid exploit generation and a coming ability to generate patches.
  • Policymakers and regulators: The arrival of AI that can “find vulnerabilities” and “write exploits” changes the operational tempo of cyber risk and surveillance dynamics, focusing attention on how to manage a security environment in which defensive advantages can be transient.
  • End users and the general public: While cryptography prevents “particular attack and forms of mass surveillance,” Schneier’s account warns that broader system fragility — software, networks, configuration, and human factors — remains a point of exposure as AI accelerates both offensive and defensive capabilities.

Schneier’s core, reiterated across two decades of writing, is simple and unsettling: mathematics gives cryptography a real defensive advantage, but the larger systems in which cryptography operates are unstable and human. Now, with AI’s “superhuman” capacity to discover and craft exploits — and the prospect of automated patching — the question he poses remains acute and open: in a world of “instant software,” who will win the particular arms race between attackers and defenders?

Original column