Skip the navigation

Q&A: Improved Security Requires IT Diversity

Security expert Bruce Schneier explains why homogeneous systems are risky and why software vendors should be held liable for the bugs they create.

November 24, 2003 12:00 PM ET

Computerworld - In his recently released book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, 2003), security guru Bruce Schneier argues for a more common-sense and less technology-centric approach to both IT security and physical security. In this interview with Computerworld, Schneier shares his views on IT security.

You recently co-wrote the report "CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security." Would you have written it if the world had been standardized around another operating system? Of course. The problem is not specific to Microsoft; it's a general problem of monocultures. The security risks would be no different if the country standardized on Macintosh System 10 or Linux. The security risks were the same in 1989, when the Morris worm propagated freely in an Internet that standardized on Unix.

Are there benefits to having a homogeneous IT environment that outweigh the potential risks? In some ways, it's a judgment call. The question is whether you don't put all your eggs in one basket, or you put all your eggs in one basket and guard the basket. In balance, I think that the risks of a monoculture in operating systems outweigh the advantages.

Last year you wrote about the need to fix network security by hacking the business climate. What did you mean? Network security is plagued by good technical solutions that just don't work. Companies install firewalls but don't configure them properly. Network administrators don't install patches. Software companies don't write secure software. The problem here is not technical, but economic.

What do you mean when you say that secure software is an economic problem? The economics of security is such that the effects of insecurity are largely an externality -- the costs aren't borne by the companies making the security decisions.

Bruce Schneier, president at Counterpane Internet Security Inc.
Bruce Schneier, president at Counterpane Internet Security Inc.

The only way we can fix computer security is to fix this economic problem. We need to take the companies in the best position to fix all these security problems -- the software manufacturers - and make it in their best interest to do so. For years I've advocated software liability as a way to do this. Once a company like Microsoft is liable for damages as a result of its software vulnerabilities, you can be sure that they'll start taking those vulnerabilities seriously.

But don't users have a responsibility as well? It's clear that Microsoft doesn't bear 100% of the responsibility for these problems. But it is also clear they don't have a zero percent liability.


Our Commenting Policies