When he goes to Washington, D.C. next week to testify before the U.S. Congress on computer and Internet security, Bruce Schneier, the chief technology officer of Counterpane Internet Security Inc., would like to tell them that such efforts are currently done poorly and with the wrong goals.
He will also tell Congress that "the Internet is too complex to secure," as he said in a speech on the last day of the Black Hat Briefings security conference here Thursday.
"Often when I tell people that, they get very disturbed," he said. But nonetheless, "we're losing ground every year," because every new product is less secure, every new level of complexity or integration makes a product less secure, he said.
Events seem to bear out his conclusions: despite there being more computer security companies and software than at any other time, viruses, worms, Web page defacements and other security incidents are seemingly happening more often than ever before.
This is because security is approached with the wrong attitude, he said.
"One of the reasons we do security so poorly on the Internet is because we think if computers are involved, it's magic," but it's not, Schneier said. Applying the same principles used in physical security to Internet security will be more effective, he said.
"Firewalls will never prevent unauthorized network access. That's OK: We can't buy a device that will prevent murder (either)," he said.
Current computer security practices are too focused on prevention, leading to ineffective measures, he said.
"If you want to secure your house, you wouldn't get thicker walls."
Rather, in the physical world, security is implemented to manage risks, not to try to eliminate them, he said. Grocery stores accept that some shoplifting will occur, but try to compensate for it by using security devices, employees and insurance, he said. Despite all this, they accept that shoplifting will never be eliminated. This is good business, however, because the alternatives would be unworkable, he said.
Computer security must adopt the same stance, but hasn't yet, he said. "When (computer) security decisions are made, it's only more or less secure, it's not smarter or dumber (business)."
Despite the industry's incorrect philosophical bent, Schneier sees hope on the horizon in the form of monitoring and response systems, insurance and law enforcement.
Rather than focusing energies and budgets on prevention, computer security efforts ought to be spread across prevention, detection and response, he said. Though prevention is important, it is not foolproof, he said. Having the other two features will help manage and mitigate risks, he said.
"Detection, response -- if it works well enough -- makes up for shoddy prevention," said Schneier, whose company, Counterpane, sells a security monitoring service.
Additionally, Schneier sees more companies turning to the insurance industry for Internet or e-business insurance, a move that will drastically impact computer security.
"I believe insurance will make a great difference in computer security," he said. "Since the turn of the century, the insurance industry has driven what sort of security you have."
In this case, insurance companies will force their clients to make product purchase decisions based on security, which, in turn, will lead to more secure products. Schneier doesn't expect this development to happen for three to five years, however.
Lastly, Schneier said that the continued prosecution of computer crime will create a deterrent effect which will reduce such crime.
"If crime doesn't pay, then people are less likely to do it," he said.
"The online world isn't any different than the offline world," and it ought to be secured the same way, he said. Perhaps Congress will take note.