As long-time readers already know, I'm a big fan of Bruce Schneier, CTO and founder of BT Counterpane. Besides being a cryptographic and computer security authority, cryptographic algorithm creator, and author of many best-selling books on security, Bruce produces some of the most relevant conversations on computer security. I consider his books, Cryptogram newsletter, and blog must-reads for anyone in computer security.
Bruce is a guy who pushes us to re-think our currently held paradigms. He lays bare unsubstantiated dogma. I don't always agree with Bruce. But many of the potent ideas that I disagreed with when he espoused them a half decade ago, I find myself agreeing with years later. Ideas like how two-factor authentication won't stop malicious hackers from stealing gobs of money from the online banking industry, and how the biggest problem with security, in general, is us and our irrational ranking of threats.
I distinctly remember Bruce telling me a decade ago how computer security, with all of its advances, was more than likely going to get worse in the future. This was in the face of increasingly accurate antivirus programs, improved patch management, and solid improvements in OS security across all platforms. He said this in the days of Windows 95 with almost no security, and today we've got User Access Control and security so tight on a Windows system that vendors are frequently complaining. At the time, Bruce was the only voice saying that computer security was going to get worse. And he was right.
But it's a decade later now. ISS' annual report announced that the number of vulnerabilities went down for the first time in a long time, along with the amount of spam. (Interestingly, they also said that 50% of reported vulnerabilities could not be fixed by a patch.) The latest evolving security technologies (e.g. IPv6, IPSec, Network Access Protection/Network Access Control, anti-malware software, etc.) are promising. End-user education is higher than it's ever been. many professional entities and governments are requiring baseline security compliance. My friends only send me half the hoax virus warning messages now that I used to receive.
So, I asked Bruce the same question again, "Will computer security get better or worse over the next decade?"
Here's his response:
"Computer security is not likely to improve in the near future because of two reasons. One, bad guys are getting better at attacking us. And two, we're not getting better at defending ourselves.
The overarching reason for both of these trends is complexity. Complexity is the worst enemy of security; as a system gets more complex, it gets less secure. There are several reasons for this, which I explained in an essay from 2000. And the Internet is the most complex machine mankind has ever built. We barely understand how it works, let alone how to secure it.
Complexity makes it both harder for us to secure our systems, and easier for the attacker to find a weakness. Carl von Clausewitz talked about this with respect to war. Defenders have to defend against every possible attack, while attackers just have to find one weakness. It's called "the position of the interior," and complexity makes that position less tenable.
Complexity explains one of the most perplexing questions about computer security: Why isn't it getting better? We in the computer world are used to technology making things better. Moore's Law means that computers get more powerful. Graphics get better. Printing gets better. Video gets better. Networking gets better. Everything gets better -- except security. Why? Complexity is an explanation of that. The reality is that security really is improving, just not when measured against the complexity juggernaut. Every year there's new research, new techniques, and new products. But complexity is making things worse faster. So we're losing ground even as we improve.
The result is the Wild West: a lawless society. On the Internet, there really isn't a rule of law imposed from above. It's every man, or every network, for himself. Those that can afford bespoke security have it, but those who can't -- think home computer users -- have to make do. This is very much the world of Internet security. It's hard to find Internet criminals, hard to build cases against them, and hard to prosecute them. Oh, there are the few high-profile exceptions, but by and large malicious hackers can commit Internet crime with impunity."
So, there you have it -- Bruce's thoughts on the near-term future of computer security. And if his comments make you a little more despondent over the future, it might be piling on to realize that this time around almost no one disagrees with him. Usually it takes years for a lot of us to understand Bruce's central points. This time we understand him with immediate clarity.
Even sadder is the fact that there are things we can do to resolve the key security issues but we, as a society, aren't going to do them. It makes you wonder whether Bruce's answer will be any different in another 5 years. Another 10 years? What tipping point event might have occurred --- how bad was it? -- to make us change the way we do business? Or is it possible for Internet crime to hum along at current levels, never getting better or worse, and we live with it as a normal cost of doing business, and living? My money is on the tipping point event. Luckily, when we do decide to get serious about computer security, there are intelligent voices, everywhere, that are ready to lend assistance.