Q&A: Improved Security Requires IT Diversity
Security expert Bruce Schneier explains why homogeneous systems are risky and why software vendors should be held liable for the bugs they create.
Computerworld - In his recently released book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, 2003), security guru Bruce Schneier argues for a more common-sense and less technology-centric approach to both IT security and physical security. In this interview with Computerworld, Schneier shares his views on IT security.
You recently co-wrote the report "CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security." Would you have written it if the world had been standardized around another operating system? Of course. The problem is not specific to Microsoft; it's a general problem of monocultures. The security risks would be no different if the country standardized on Macintosh System 10 or Linux. The security risks were the same in 1989, when the Morris worm propagated freely in an Internet that standardized on Unix.
Are there benefits to having a homogeneous IT environment that outweigh the potential risks? In some ways, it's a judgment call. The question is whether you don't put all your eggs in one basket, or you put all your eggs in one basket and guard the basket. In balance, I think that the risks of a monoculture in operating systems outweigh the advantages.
Last year you wrote about the need to fix network security by hacking the business climate. What did you mean? Network security is plagued by good technical solutions that just don't work. Companies install firewalls but don't configure them properly. Network administrators don't install patches. Software companies don't write secure software. The problem here is not technical, but economic.
What do you mean when you say that secure software is an economic problem? The economics of security is such that the effects of insecurity are largely an externality -- the costs aren't borne by the companies making the security decisions.
Bruce Schneier, president at Counterpane Internet Security Inc.
The only way we can fix computer security is to fix this economic problem. We need to take the companies in the best position to fix all these security problems -- the software manufacturers - and make it in their best interest to do so. For years I've advocated software liability as a way to do this. Once a company like Microsoft is liable for damages as a result of its software vulnerabilities, you can be sure that they'll start taking those vulnerabilities seriously.
But don't users have a responsibility as well? It's clear that Microsoft doesn't bear 100% of the responsibility for these problems. But it is also clear they don't have a zero percent liability.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts