News

Bruce Schneier Questions Why We Need a Security Industry

By Paul McNamara, Network World

May 07, 2007 — CSO —

Security expert/pundit/provocateur Bruce Schneier, always entertaining, had one of those "He’s right but so what?" columns on Wired.com last week.

The headline—"Do We Really Need a Security Industry?"—is the giveaway in that you’d expect Schneier’s answer to the question to be no, just as you might expect the TV news tease "Big storm headed our way?" to mean that there’s a big storm headed our way. We know better in the latter case, and you’ll see the same in Schneier’s essay. (Of course, the headline may be the work of a Wired editor.) Schneier writes:

"The primary reason the IT security industry exists is because IT products and services aren’t naturally secure. If computers were already secure against viruses, there wouldn’t be any need for antivirus products. If bad network traffic couldn’t be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn’t have to spend billions every year making them secure."

See what I mean so far? He’s right. Unassailably right, in fact. Go ahead and try to pick a fight with any sentence in that paragraph. And he’s on a roll.

"Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn’t help improve their security. Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity—companies who will lose money if the Internet becomes more secure."

That first sentence is constructed quite cleverly: Naturally, the best antivirus product on the market cannot "improve" the security of even the most porous IT product; the best you can expect is for the security product to "compensate" for the vulnerabilities. Just as the best cannot increase the thickness of a door or the strength of a deadbolt. And as for the prospect of security companies losing money should the Internet become more secure, well, investors wager on the prospects of this happening every day—and they do not seem inclined to flock away from security companies.

Now Schneier begins to touch upon his real point:

"Fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later. Their profits would rise in step with the overall level of security on the Internet. Initially we’d still be spending a comparable amount of money per year on security—on secure development practices, on embedded security and so on—but some of that money would be going into improving the quality of the IT products we’re buying, and would reduce the amount we spend on security in future years."