When he speaks to the US Congress next week about computer and
Internet security, Bruce Schneier, chief technology officer of
Counterpane Internet Security, will argue that security is currently
done poorly and with the wrong goals.
He will also tell Congress that "the Internet is too complex to
secure", as he claimed in a speech on the last day of the Black Hat
Briefings security conference yesterday.
"Often when I tell people that, they get very disturbed," he said.
Nonetheless, Schneier feels companies are losing ground every year,
because each new product and each new level of complexity or
integration leaves systems less and less secure.
Events seem to bear out his conclusions: despite there being more
computer security companies and software than at any other time,
viruses, worms, Web page defacements and other security incidents
are seemingly becoming more frequent.
This is because security is approached with the wrong attitude,
according to Schneier.
"One of the reasons we do security so poorly on the Internet is
because we think if computers are involved, it's magic," but it's
not, said Schneier, who believes the same principles used in
physical security should also be applied to Internet
security.
"Firewalls will never prevent unauthorised network access. That's
OK: We can't buy a device that will prevent murder," he said.
Schneier claimed current computer security practices were far too
focused on prevention, leading to ineffective measures.
"If you want to secure your house, you wouldn't get thicker walls,"
he said.
Rather, in the physical world, security is implemented to manage
risks, not to try to eliminate them, Schneier said. Grocery shops
accept that some theft will occur, but try to compensate for it by
using security devices and insurance. Despite all this, they accept
that shoplifting will never be eliminated. This is good business,
however, because the alternatives would be unworkable, he
said.
Computer security must adopt the same stance, but has not yet,
according to Schneier. "When [computer] security decisions are
made, it's only more or less secure, it's not smarter or dumber
[business]."
Despite the industry's flawed philosophical approach, Schneier sees
hope on the horizon in the form of monitoring and response systems,
insurance and law enforcement.
Rather than focusing energies and budgets on prevention, Schneier
believes computer security efforts ought to be spread across
prevention, detection and response. Though prevention is important,
it is not foolproof. Having the other two features will help manage
and mitigate risks, he said.
"Detection, response - if it works well enough - makes up for
shoddy prevention," said Schneier, whose company, Counterpane,
sells a security monitoring service.
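To make the prevention/detection/response split concrete, here is a small added example (not code from Schneier, Counterpane or the original article). It assumes a hypothetical, constructed auth log format in which a password check is the prevention layer: that check rejects each bad login on its own, but only a detection layer that looks across events notices the pattern, and a response layer acts on it.

```python
"""Detection-and-response over constructed auth log lines.

The password check (prevention) already rejects each attempt individually.
This layer looks across attempts to detect a burst of failures from one
source and feeds the result into a response step (a temporary block list).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a made-up format; not from any real system.
SAMPLE_LOG = """\
2000-01-01T10:00:01 sshd: Failed password for admin from 192.0.2.10
2000-01-01T10:00:03 sshd: Failed password for admin from 192.0.2.10
2000-01-01T10:00:04 sshd: Accepted password for alice from 198.51.100.7
2000-01-01T10:00:05 sshd: Failed password for root from 192.0.2.10
2000-01-01T10:00:06 sshd: Failed password for root from 192.0.2.10
2000-01-01T10:00:07 sshd: Failed password for guest from 192.0.2.10
2000-01-01T10:00:30 sshd: Failed password for bob from 203.0.113.5
2000-01-01T10:03:00 sshd: Failed password for bob from 203.0.113.5
2000-01-01T10:06:00 sshd: Failed password for bob from 203.0.113.5
2000-01-01T10:09:00 sshd: Failed password for bob from 203.0.113.5
2000-01-01T10:12:00 sshd: Failed password for bob from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, outcome, user, src) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"])


def detect_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Detection: return {src: time_of_alert} for sources that reach
    `threshold` failed logins inside one sliding `window`."""
    recent = defaultdict(list)  # src -> failure timestamps still inside the window
    alerts = {}
    for ts, outcome, _user, src in events:
        if outcome != "Failed":
            continue
        # Keep only failures that fall within the window ending at this event.
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def respond(alerts, block_for=timedelta(hours=1)):
    """Response: turn each alert into a temporary block entry (src -> expiry)."""
    return {src: ts + block_for for src, ts in alerts.items()}


def run(log_text=SAMPLE_LOG):
    """Run detection and response over a log and return (alerts, blocks)."""
    alerts = detect_bursts(parse(log_text))
    return alerts, respond(alerts)


if __name__ == "__main__":
    found, blocks = run()
    for src, ts in found.items():
        print(f"ALERT {src}: failure burst at {ts.isoformat()}, "
              f"blocked until {blocks[src].isoformat()}")
```

Run as a script, the sample produces one alert for 192.0.2.10 (five failures within seven seconds). The slow stream of failures from 203.0.113.5, one every three minutes, never reaches the threshold inside a one-minute window, so this detector misses it. That gap is the practical reason for Schneier's framing: detection has blind spots of its own, so it complements prevention rather than replacing it, and the thresholds are a risk decision, not a purely technical one.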
Additionally, Schneier sees more companies turning to the insurance
industry for Internet or e-business insurance, a move that will
drastically impact computer security.
"I believe insurance will make a great difference in computer
security," he said. "Since the turn of the century, the insurance
industry has driven what sort of security you have."
In this case, insurance companies will force their clients to make
product purchase decisions based on security, which, in turn, will
lead to more secure products. Schneier does not expect this
development to happen for three to five years, however.
Lastly, Schneier said that the continued prosecution of computer
crime will create a deterrent effect which will reduce the number
of offences.
"If crime doesn't pay, then people are less likely to do it," he
said.
"The online world isn't any different than the offline world and it
ought to be secured the same way," he said. Perhaps Congress will
take note.
Contact Counterpane at
www.counterpane.com.