[ISN] Computer security's dubious future
By Roger A. Grimes
February 22, 2008
As longtime readers already know, I'm a big fan of Bruce Schneier, CTO
and founder of BT Counterpane. Besides being a cryptographic and
computer security authority, cryptographic algorithm creator, and author
of many best-selling books on security, Bruce produces some of the most
relevant conversations on computer security. I consider his books, his
Cryptogram newsletter, and his blog must-reads for anyone in computer
Bruce is a guy who pushes us to rethink our currently held paradigms. He
lays bare unsubstantiated dogma. I don't always agree with Bruce. But
many of the potent ideas that I disagreed with when he espoused them a
half decade ago, I find myself agreeing with years later, ideas like how
two-factor authentication won't stop malicious hackers from stealing gobs
of money from the online banking industry, and how the biggest problem
with security, in general, is us and our irrational ranking of threats.
I distinctly remember Bruce telling me a decade ago how computer
security, with all of its advances, was more than likely going to get
worse in the future. This was in the face of increasingly accurate
anti-virus programs, improved patch management, and solid improvements
in OS security across all platforms. He said this in the days of Windows
95 with almost no security, and today we've got User Access Control and
security so tight on a Windows system that vendors are frequently
complaining. At the time, Bruce was the only voice saying that computer
security was going to get worse. And he was right.
But it's a decade later now. ISS's annual report announced that the number
of vulnerabilities went down for the first time in a long time, along
with the amount of spam. (Interestingly, they also said that 50 percent
of reported vulnerabilities could not be fixed by a patch.) The latest
evolving security technologies (such as IPv6, IPSec, Network Access
Protection/Network Access Control, anti-malware software, and so on) are
promising. End-user education is higher than it's ever been. Many
professional entities and governments are requiring baseline security
compliance. My friends only send me half the hoax virus warning messages
now that I used to receive.
So, I asked Bruce the same question again: "Will computer security get
better or worse over the next decade?"
Here's his response:
"Computer security is not likely to improve in the near future because
of two reasons. One, bad guys are getting better at attacking us. And
two, we're not getting better at defending ourselves.
The overarching reason for both of these trends is complexity.
Complexity is the worst enemy of security; as a system gets more
complex, it gets less secure. There are several reasons for this, which
I explained in an essay from 2000. And the Internet is the most complex
machine mankind has ever built. We barely understand how it works, let
alone how to secure it.
Complexity makes it both harder for us to secure our systems and easier
for the attacker to find a weakness. Carl von Clausewitz talked about
this with respect to war. Defenders have to defend against every
possible attack, while attackers just have to find one weakness. It's
called the position of the interior, and complexity makes that position
Complexity explains one of the most perplexing questions about computer
security: Why isn't it getting better? We in the computer world are used
to technology making things better. Moore's Law means that computers get
more powerful. Graphics get better. Printing gets better. Video gets
better. Networking gets better. Everything gets better -- except
security. Why? Complexity is an explanation of that. The reality is that
security really is improving, just not when measured against the
complexity juggernaut. Every year there's new research, new techniques,
and new products. But complexity is making things worse faster. So we're
losing ground even as we improve.
The result is the Wild West: a lawless society. On the Internet, there
really isn't a rule of law imposed from above. It's every man, or every
network, for himself. Those that can afford bespoke security have it,
but those who can't -- think home computer users -- have to make do.
This is very much the world of Internet security. It's hard to find
Internet criminals, hard to build cases against them, and hard to
prosecute them. Oh, there are the few high-profile exceptions, but by
and large malicious hackers can commit Internet crime with impunity."
So, there you have it -- Bruce's thoughts on the near-term future of
computer security. And if his comments make you a little more despondent
over the future, it might be piling on to realize that this time around
almost no one disagrees with him. Usually it takes years for a lot of us
to understand Bruce's central points. This time we understand him with
Even sadder is the fact that there are things we can do to resolve the
key security issues but we, as a society, aren't going to do them. It
makes you wonder whether Bruce's answer will be any different in another
5 years. Another 10 years? What tipping point event might have occurred
how bad was it? -- to make us change the way we do business? Or is it
possible for Internet crime to hum along at current levels, never
getting better or worse, and we live with it as a normal cost of doing
business, and living? My money is on the tipping point event. Luckily,
when we do decide to get serious about computer security, there are
intelligent voices, everywhere, that are ready to lend assistance.