The Intersection of Encryption and AI

As part of their 20th Anniversary celebration, Dark Reading asked five cybersecurity industry leaders who wrote blogs or columns for them over the years to select their favorite piece and share their reflections on the topic today. This is my section.

Renowned technologist and author Bruce Schneier contributed a column on June 20, 2010, warning about cryptography’s inability to secure modern networks, a point he says he has been trying to argue since 2000.

“For a while now, I’ve pointed out that cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on.

“Recently, I talked to a former NSA employee at a conference. He told me that back in the 1990s, he had a copy of my book Applied Cryptography by his desk, as did many other cryptographers working at Ft. Meade. People were allowed to refer to it, but they were not allowed to cite it.

“The 1990s were an important decade for cryptography. This was before the internet went mass market, when cryptography was just emerging from a niche academic discipline to a mainstream engineering one. There wasn’t much that programmers could read. The NSA used my book for the same reason it became a bestseller: because it collected all the academic cryptography of the time in one place and made it understandable to people who weren’t mathematicians. They feared it for exactly the same reason.

“I’ve been thinking about that conversation as I revisit a 2010 essay I wrote for Dark Reading, ‘The Failure of Cryptography to Secure Modern Networks.’ Cryptography has inherent mathematical properties that greatly favor the defender. Adding a single bit to the length of a key adds only a slight amount of work for the defender but doubles the amount of work the attacker has to do. Doubling the key length doubles the amount of work the defender has to do (if that—I’m being approximate here) but increases the attacker’s workload exponentially. For many years, we have exploited that mathematical imbalance.

“Computer security is much more balanced. There’ll be a new attack, and a new defense, and a new attack, and a new defense. It’s an arms race between attacker and defender. And it’s a very fast arms race. New vulnerabilities are discovered all the time. The balance can tip from defender to attacker overnight, and back again the night after. Computer security defenses are inherently very fragile.

“That isn’t a new idea. I said much the same thing in the preface to my 2000 book, Secrets and Lies:

“‘Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, real security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.’

“I especially like how I phrased it in 2016: ‘Cryptography is harder than it looks, primarily because it looks like math. Both algorithms and protocols can be precisely defined and analyzed. This isn’t easy, and there’s a lot of insecure crypto out there, but we cryptographers have gotten pretty good at getting this part right. However, math has no agency; it can’t actually secure anything. For cryptography to work, it needs to be written in software, embedded in a larger software system, managed by an operating system, run on hardware, connected to a network, and configured and operated by users. Each of these steps brings with it difficulties and vulnerabilities.’

“It’s a lesson we have all learned over the decades. Cryptography is still necessary for cybersecurity—although I wouldn’t have used that word back then—but is not sufficient. There are particular attacks and forms of mass surveillance that cryptography prevents. But as computers have infused throughout our lives, and networks have connected all those computers, those aspects of cybersecurity have become increasingly important, and vulnerable.

“Today, the cybersecurity world is changing yet again, this time due to the capabilities of artificial intelligence. AI isn’t advancing cryptography, but it’s changing cybersecurity. AI has demonstrated a superhuman ability to find vulnerabilities in software and to write exploits. A similar ability to write patches is probably coming. This has profound implications for both attackers and defenders, and it is unclear who will win the particular arms race in a world of what I call instant software.”

Posted on June 2, 2026 at 7:06 AM • 5 Comments

Comments

Clive Robinson June 2, 2026 9:12 AM

@ Bruce,

With regards,

“The NSA used my book for the same reason it became a bestseller: because it collected all the academic cryptography of the time in one place and made it understandable to people who weren’t mathematicians”

I used to have three copies, two blue and one red cover…

The reason I no longer have them is they got “borrowed” by various people.

The last copy I had I made the mistake of leaving in the bookcase by my desk when I went on a business trip.

When I returned it was no longer there and by then no longer in print…

Enquiries with secondhand book dealers revealed prices as high as $250…

So yeh, popular or coveted are two words that cover it.

KC June 2, 2026 10:47 AM

@ Bruce. As you point out, the complexities of cybersecurity exist in multiple dimensions, not only in software and applied mathematics, but also in social and networked realms. Just the advanced AI software models have shocked the field.

It’s equally wild to observe the ‘beyond LLM’ camp make advancements in domains such as quantitative AI, and wonder what its effects on the field will be – how they will shape areas like cryptography, material science, and risk management. The tools of the future could truly be very different.

lurker June 2, 2026 3:14 PM

@Bruce

In The Failure Of Cryptography To Secure Modern Networks you put it bluntly:

“Security is achieved by good access control …”

AI doesn’t need to break OAuth tokens, it just needs to know how to steal them.

Clive Robinson June 3, 2026 6:08 PM

@ KC, ALL,

With regards,

“It’s equally wild to observe the ‘beyond LLM’ camp make advancements in domains such as quantitative AI, and wonder what its effects on the field will be.”

Like any other “Castle built in the clouds” it is not realistically sustainable.

The first indicator is when you hear nonsense from the AI thought leaders like,

“Grow the economy by 10% every year”

It’s not going to happen and is easily provable that it’s not.

To give people a clue as to why and why they need to ground their thinking some basic facts,

1, Due to the gravity well the Earth is very nearly but not quite a bound environment when it comes to matter.
2, Due to other effects the amount of energy from the Sun needs to be balanced out by capture or re-radiation or we will cook.
3, Coherent energy sources decohere when the energy when any work is done and transports down to become heat.
4, Heat is the ultimate form of pollution in that to “actively transport it” to clean it up you need to generate more heat as work is being done.

Thus the economy can not really grow except by making work more efficient and there is both a practical and theoretical limit on that both of which you can calculate if you feel so inclined.

The only way to change things is by making the movement of heat “energy” more efficient so you get to use the more coherent energy from the Sun and thus need to be able to push the less coherent energy into space so the balance is maintained.

As far as making tangible objects goes until we get out into space the majority of our matter remains constant. It’s why effective and efficient recycling is now a primary requirement for all living things in the Earth’s sphere of use / environment.

But not all matter is finite or reusable.

A small amount drops into the Earth’s gravity well each year and although we say “burn up in the Earth’s atmosphere” that gives a false impression to most humans. That matter usually remains on Earth.

However some of the very light elements can escape the Earth’s gravity well which is why the loss of the second most available form of matter in the Universe “Helium and its isotopes” is becoming an increasing concern in the more interesting parts of the Science and Technology sectors with the likes of Body Scanners and Quantum Research that will eventually replace a significant amount of current technology are all critically affected by the increasing scarcity.

Then there are the heavy elements and their isotopes that decay by releasing energy/matter. We are losing or using some way faster than they can be replenished from other parts of the Universe.

All of which indicates that unless we can increase efficiency faster, and get out of the Earth’s gravity well to acquire new resources, in the long term the “real economy” rather than the faux “financial economy” can only decrease.

Put overly simply the difference between the “real economy” and the faux “financial economy” is “inflation”. To decrease inflation to keep fiscal stability requires all “work / processes” to become less wasteful or “more efficient”. But as “the laws of nature” inform us there are very real limits on increasing tangible “efficiency”…

So much of what the “finance industry” and “Techbro industry” tell us is complete nonsense and based on the faux notion that “dialing up the digits” is “growth” when in fact it is simply a deceitful way to transfer “real tangible wealth” away from the majority of people.

Hence the WEF etc mantra of,

“You will own nothing”

You will only be allowed at best to,

“Rent what you need to survive”

And you will not be able to, let alone be allowed, to survive if you can not pay the ever increasing rent.

To live like that is effectively worse than being a slave… But don’t take my word for it, have a look at history. Including that recent history where we moved from an agrarian to industrial existence.

Before “industrial” wars were fought over simple resources like fertile land and more importantly water. Look up “water wars” and “salted ground” to see just how nasty some authoritarians have been.

The wars of today are more about mineral and similar resources with “Energy Wars” replacing “Water Wars” but practiced by the same sort of self interested malicious authoritarians…

I’ve talked about this on this blog and other places for a decade or more now. Back then the change was more discreet, now however in the past half decade or so, it’s become so obvious that you just have to look with unblinkered vision.

Al June 4, 2026 1:55 PM

Is this the same NSA that ridiculed Schneier’s book because of his lack of understanding of the math?

It would explain why no one was allowed to cite it. It would make any proposition less authoritative.
