Q&A: Improved Security Requires IT Diversity
Security expert Bruce Schneier explains why homogeneous systems are risky and why software vendors should be held liable for the bugs they create.
Computerworld - In his recently released book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, 2003), security guru Bruce Schneier argues for a more common-sense and less technology-centric approach to both IT security and physical security. In this interview with Computerworld, Schneier shares his views on IT security.
You recently co-wrote the report "CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security." Would you have written it if the world had been standardized around another operating system? Of course. The problem is not specific to Microsoft; it's a general problem of monocultures. The security risks would be no different if the country standardized on Macintosh System 10 or Linux. The security risks were the same in 1989, when the Morris worm propagated freely in an Internet that standardized on Unix.
Are there benefits to having a homogeneous IT environment that outweigh the potential risks? In some ways, it's a judgment call. The question is whether you don't put all your eggs in one basket, or you put all your eggs in one basket and guard the basket. In balance, I think that the risks of a monoculture in operating systems outweigh the advantages.
Last year you wrote about the need to fix network security by hacking the business climate. What did you mean? Network security is plagued by good technical solutions that just don't work. Companies install firewalls but don't configure them properly. Network administrators don't install patches. Software companies don't write secure software. The problem here is not technical, but economic.
What do you mean when you say that secure software is an economic problem? The economics of security is such that the effects of insecurity are largely an externality -- the costs aren't borne by the companies making the security decisions.
Bruce Schneier, president at Counterpane Internet Security Inc.
The only way we can fix computer security is to fix this economic problem. We need to take the companies in the best position to fix all these security problems -- the software manufacturers - and make it in their best interest to do so. For years I've advocated software liability as a way to do this. Once a company like Microsoft is liable for damages as a result of its software vulnerabilities, you can be sure that they'll start taking those vulnerabilities seriously.
But don't users have a responsibility as well? It's clear that Microsoft doesn't bear 100% of the responsibility for these problems. But it is also clear they don't have a zero percent liability.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!