Expert: If you want secure Internet, go back to DOS

October 26, 2007

Why is internet security failing? Bad programs, and smarter hackers. How do you win? Bruce Schneier says, “If you want security, go back to DOS.”

Telephony LIVE conference keynote speaker Bruce Schneier, security expert and CEO of BT Counterpane, spoke on how there are many security products currently being offered that sell the “feeling” of security rather than offering true security. He said such products offered “security theatre” either by making their customers feel secure but not delivering on the promise, or by offering protection against threats that were not that great in the first place.

“There is no functional test you can run to tell which one is good and which is bad. We’ve seen this in practice. If you go back 15 years, there were hundreds of firewalls. The ones that survived weren’t the best ones. Buyers can’t tell the difference between good and bad. Bad products can drive good products out of the market,” he said.

Schneier added there is still not enough accurate information available for users to make informed choices. Many security companies play on emotion and fear, thus prompting irrational purchases. Realistically evaluating and mitigating risk by weighing up the likelihood of an attack against the cost of investment becomes a challenge for businesses.

“As techies, we’re used to technology making things better. The interesting paradox is that technology makes things worse,” Schneier said. “Old attacks don’t go away, and new attacks appear every week. Complexity is what’s going on; it’s the worst enemy of security. Complexity makes things worse faster, so we lose ground even as we improve.”

Since no one really wants to go back to DOS, Schneier advises thinking about networking and computer security in terms of four basic economic principles to understand how to make networks safer:

    1. The Network Effect. In short, the network effect means that the value of a network increases with the number of people who use it. And because the platform is increasingly valuable, the economic truth is that the big get bigger, no matter what kind of network, whether it’s telephone, Internet, or virtual, Schneier said. This economic principle leads to dominant firms emerging in the market (think Microsoft), and because they’re valued, they will get still bigger. In terms of security, the bigger the network, the more attention from hackers.
    2. High Fixed Costs/Low Marginal Costs. IT doesn’t operate using the traditional rules of capitalism, Schneier said. With software, for example, the cost of making the first copy can be millions of dollars and the following copies are free. In normal markets, competition drives down marginal costs. But society has built in anti-capitalist defenses to help recover fixed costs for some industries, which include software, movies and entertainment, and pharmaceuticals. “Patents, copyrights and trademarks fly in the face of capitalism and allow companies to recover fixed costs,” Schneier said. Compatibility and proprietary accessories also work the same way. “This leads to a dominant market structure, so the bigger firms get bigger, again.”
    3. Switching Costs. In most markets, the cost of switching to a competitor could be zero, Schneier said. “In IT, switching costs can be extremely expensive, which means the value of a company can be judged on how expensive it would be for customers to move to a competitor.” “Companies don’t have to do a good job if switching costs are high. In fact, a company has to be pretty bad before you leave,” Schneier said. “The cellphone number portability battle was about switching costs,” he said. “No one wanted to switch providers even if they had bad service because they didn’t want to switch their numbers.”
    4. A Market for Lemons. In a lemons market, sellers know a lot more about the products than the buyer, and this relates directly to the security and used car markets, according to Schneier. “In markets where buyers can’t tell the difference between a bad and a good product, bad products drive good products out of the market,” he said, and it is unfortunately true of the security market. Ten years ago during the great firewall battles, the products that survived weren’t the best ones, Schneier said, because buyers couldn’t tell the difference.

Schneier closed by stating that he is confident the industry will get the balance right in the long run.




Copyright © 2012 Blorge.com NS