Computer security's dubious future

[InfoSec News <alerts () infosecnews org>]

http://www.infoworld.com/article/08/02/22/08OP-security-schneier_1.html

By Roger A. Grimes
InfoWorld
February 22, 2008

As longtime readers already know, Im a big fan of Bruce Schneier, CTO 
and founder of BT Counterpane. Besides being a cryptographic and 
computer security authority, cryptographic algorithm creator, and author 
of many best-selling books on security, Bruce produces some of the most 
relevant conversations on computer security. I consider his books, his 
Cryptogram newsletter, and his blog must-reads for anyone in computer 
security.

Bruce is a guy who pushes us to rethink our currently held paradigms. He 
lays bare unsubstantiated dogma. I dont always agree with Bruce. But 
many of the potent ideas that I disagreed with when he espoused them a 
half decade ago, I find myself agreeing with years later, ideas like how 
two-factor authentication wont stop malicious hackers from stealing gobs 
of money from the online banking industry, and how the biggest problem 
with security, in general, is us and our irrational ranking of threats.

I distinctly remember Bruce telling me a decade ago how computer 
security, with all of its advances, was more than likely going to get 
worse in the future. This was in the face of increasingly accurate 
anti-virus programs, improved patch management, and solid improvements 
in OS security across all platforms. He said this in the days of Windows 
95 with almost no security, and today weve got User Access Control and 
security so tight on a Windows system that vendors are frequently 
complaining. At the time, Bruce was the only voice saying that computer 
security was going to get worse. And he was right.

But its a decade later now. ISS annual report announced that the number 
of vulnerabilities went down for the first time in a long time, along 
with the amount of spam. (Interestingly, they also said that 50 percent 
of reported vulnerabilities could not be fixed by a patch.) The latest 
evolving security technologies (such as IPv6, IPSec, Network Access 
Protection/Network Access Control, anti-malware software, and so on) are 
promising. End-user education is higher than its ever been. Many 
professional entities and governments are requiring baseline security 
compliance. My friends only send me half the hoax virus warning messages 
now that I used to receive.

So, I asked Bruce the same question again, Will computer security get 
better or worse over the next decade?

Heres his response:

"Computer security is not likely to improve in the near future because 
of two reasons. One, bad guys are getting better at attacking us. And 
two, were not getting better at defending ourselves.

The overarching reason for both of these trends is complexity. 
Complexity is the worst enemy of security; as a system gets more 
complex, it gets less secure. There are several reasons for this, which 
I explained in an essay from 2000. And the Internet is the most complex 
machine mankind has ever built. We barely understand how it works, let 
alone how to secure it.

Complexity makes it both harder for us to secure our systems and easier 
for the attacker to find a weakness. Carl von Clausewitz talked about 
this with respect to war. Defenders have to defend against every 
possible attack, while attackers just have to find one weakness. Its 
called the position of the interior, and complexity makes that position 
less tenable.

Complexity explains one of the most perplexing questions about computer 
security: Why isn't it getting better? We in the computer world are used 
to technology making things better. Moore's Law means that computers get 
more powerful. Graphics get better. Printing gets better. Video gets 
better. Networking gets better. Everything gets better -- except 
security. Why? Complexity is an explanation of that. The reality is that 
security really is improving, just not when measured against the 
complexity juggernaut. Every year there's new research, new techniques, 
and new products. But complexity is making things worse faster. So we're 
losing ground even as we improve.

The result is the Wild West: a lawless society. On the Internet, there 
really isnt a rule of law imposed from above. Its every man, or every 
network, for himself. Those that can afford bespoke security have it, 
but those who can't -- think home computer users -- have to make do. 
This is very much the world of Internet security. Its hard to find 
Internet criminals, hard to build cases against them, and hard to 
prosecute them. Oh, there are the few high-profile exceptions, but by 
and large malicious hackers can commit Internet crime with impunity."

So, there you have it -- Bruces thoughts on the near-term future of 
computer security. And if his comments make you a little more despondent 
over the future, it might be piling on to realize that this time around 
almost no one disagrees with him. Usually it takes years for a lot of us 
to understand Bruces central points. This time we understand him with 
immediate clarity.

Even sadder is the fact that there are things we can do to resolve the 
key security issues but we, as a society, arent going to do them. It 
makes you wonder whether Bruces answer will be any different in another 
5 years. Another 10 years? What tipping point event might have occurred 
how bad was it? -- to make us change the way we do business? Or is it 
possible for Internet crime to hum along at current levels, never 
getting better or worse, and we live with it as a normal cost of doing 
business, and living? My money is on the tipping point event. Luckily, 
when we do decide to get serious about computer security, there are 
intelligent voices, everywhere, that are ready to lend assistance.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn