Bruce Schneier: We are losing the security war

'Security is getting worse,' says Counterpane CTO

Companies are losing the battle to secure their IT systems from attacks by hackers and other threats, Bruce Schneier, the founder and chief technology officer of Counterpane Internet Security Inc., warned today.

"I don't think, on the whole, we are winning the security war; I think we are losing it," Schneier said in a speech webcast today at the Hack in the Box Security Conference (HITB) in Kuala Lumpur, Malaysia. As systems get more complex, they get less secure, he said. And as security technology improves, the complexity of modern IT systems increases even faster.

"The Internet is the most complex machine ever built," Schneier said. "This explains why security is getting worse."

In addition, the nature of the threat that companies face has changed in important ways. Where hacking was once considered an occupation for hobbyists, a growing number of hackers are now criminals with a profit motive. "The nature of the attacks are changing because the adversaries are changing," Schneier warned. "They have different motivations, different skill sets and different risk aversions."

Hobbyists now represent the minority of hackers, according to Schneier, which means hackers pose an even greater threat to companies. "The hobbyist is more interested in street cred; the criminal wants results," he said.

To turn the battle in its favor, the security industry must look beyond purely technical measures. "Look for the economic levers," he said. "If you get the economic levers right, the technology will work. If you get the economics wrong, the technology will never work."

Externalities, an economic term used to describe the effects of one person's actions on another, are central to building effective security, Schneier said. For example, U.S. banks do not spend heavily to defend against identity theft because they are not affected when such theft occurs. To the banks, this is an externality. However, when banks bear liability for a security breach, such as an unauthorized automated teller machine withdrawal, they make the investments necessary to prevent these incidents from taking place.

The same economic lessons can be applied to software vendors. To improve the security of software, Microsoft Corp. and others should be made liable for selling software that is not secure. "When you use buggy software and you lose data, that's your loss and not the software company's loss," Schneier said.

That needs to change. "The organization that has the capability to mitigate the risk needs to be responsible for the risk," he said

HITB runs through tomorrow.

Copyright © 2006 IDG Communications, Inc.

  
Shop Tech Products at Amazon