Internet too complex to secure, says executive

When he goes to Washington, D.C. this week to testify before the U.S. Congress on computer and Internet security, Bruce Schneier, the chief technology officer of Counterpane Internet Security Inc., would like to tell them that such efforts are currently done poorly and with the wrong goals.

He will also tell Congress that “the Internet is too complex to secure,” as he said in a speech on the last day of the Black Hat Briefings security conference held in Las Vegas last week.

“Often when I tell people that, they get very disturbed,” he said. “We’re losing ground every year,” because every new product is less secure, every new level of complexity or integration makes a product less secure, Schneier added.

Events seem to bear out his conclusions: despite there being more computer security companies and software than at any other time, viruses, worms, Web page defacements and other security incidents are seemingly happening more often than ever before.

This is because security is approached with the wrong attitude, he said.

“One of the reasons we do security so poorly on the Internet is because we think if computers are involved, it’s magic,” but it’s not, Schneier said. Applying the same principles used in physical security to Internet security will be more effective, he said.

“Firewalls will never prevent unauthorized network access. That’s OK: We can’t buy a device that will prevent murder (either),” he said.

Current computer security practices are too focused on prevention, leading to ineffective measures, he said. “If you want to secure your house, you wouldn’t get thicker walls.”

Rather, in the physical world, security is implemented to manage risks, not to try to eliminate them, he said. Grocery stores accept that some shoplifting will occur, but try to compensate for it by using security devices, employees and insurance, he said. Despite all this, they accept that shoplifting will never be eliminated. This is good business, however, because the alternatives would be unworkable, he said.

Computer security must adopt the same stance, but hasn’t yet, he said. “When (computer) security decisions are made, it’s only more or less secure, it’s not smarter or dumber (business).”

Despite the industry’s incorrect philosophical bent, Schneier sees hope on the horizon in the form of monitoring and response systems, insurance and law enforcement.

Rather than focusing energies and budgets on prevention, computer security efforts ought to be spread across prevention, detection and response, he said. Though prevention is important, it is not foolproof, he said. Having the other two features will help manage and mitigate risks, he said.

“Detection, response – if it works well enough – makes up for shoddy prevention,” said Schneier, whose company, Counterpane, sells a security monitoring service.

Additionally, Schneier sees more companies turning to the insurance industry for Internet or e-business insurance, a move that will drastically impact computer security.

“I believe insurance will make a great difference in computer security,” he said. “Since the turn of the century, the insurance industry has driven what sort of security you have.”

In this case, insurance companies will force their clients to make product purchase decisions based on security, which, in turn, will lead to more secure products. Schneier doesn’t expect this development to happen for three to five years, however.

Lastly, Schneier said that the continued prosecution of computer crime will create a deterrent effect which will reduce such crime.

“If crime doesn’t pay, then people are less likely to do it,” he said.

“The online world isn’t any different than the offline world,” and it ought to be secured the same way, he said. Perhaps Congress will take note.

Counterpane, in Cupertino, Calif., is online at http://www.counterpane.com.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now