[Infowarrior] - Schneier: Do We Really Need a Security Industry?

[Richard Forno]

(my take on this from 2006: http://infowarrior.org/articles/2006-01.html)


Do We Really Need a Security Industry?
05.03.07 | 2:00 AM
Bruce Schneier
http://www.wired.com/politics/security/commentary/securitymatters/2007/05/se
curitymatters_0503

Last week I attended the Infosecurity Europe conference in London. Like at
the RSA Conference in February, the show floor was chockablock full of
network, computer and information security companies. As I often do, I mused
about what it means for the IT industry that there are thousands of
dedicated security products on the market: some good, more lousy, many
difficult even to describe. Why aren't IT products and services naturally
secure, and what would it mean for the industry if they were?

I mentioned this in an interview with Silicon.com, and the published article
seems to have caused a bit of a stir. Rather than letting people wonder what
I really meant, I thought I should explain.

The primary reason the IT security industry exists is because IT products
and services aren't naturally secure. If computers were already secure
against viruses, there wouldn't be any need for antivirus products. If bad
network traffic couldn't be used to attack computers, no one would bother
buying a firewall. If there were no more buffer overflows, no one would have
to buy products to protect against their effects. If the IT products we
purchased were secure out of the box, we wouldn't have to spend billions
every year making them secure.

Aftermarket security is actually a very inefficient way to spend our
security dollars; it may compensate for insecure IT products, but doesn't
help improve their security. Additionally, as long as IT security is a
separate industry, there will be companies making money based on insecurity
-- companies who will lose money if the internet becomes more secure.

Fold security into the underlying products, and the companies marketing
those products will have an incentive to invest in security upfront, to
avoid having to spend more cash obviating the problems later. Their profits
would rise in step with the overall level of security on the internet.
Initially we'd still be spending a comparable amount of money per year on
security -- on secure development practices, on embedded security and so on
-- but some of that money would be going into improving the quality of the
IT products we're buying, and would reduce the amount we spend on security
in future years.

I know this is a utopian vision that I probably won't see in my lifetime,
but the IT services market is pushing us in this direction. As IT becomes
more of a utility, users are going to buy a whole lot more services than
products. And by nature, services are more about results than technologies.
Service customers -- whether home users or multinational corporations --
care less and less about the specifics of security technologies, and
increasingly expect their IT to be integrally secure.

Eight years ago, I formed Counterpane Internet Security on the premise that
end users (big corporate users, in this case) really don't want to have to
deal with network security. They want to fly airplanes, produce
pharmaceuticals or do whatever their core business is. They don't want to
hire the expertise to monitor their network security, and will gladly farm
it out to a company that can do it for them. We provided an array of
services that took day-to-day security out of the hands of our customers:
security monitoring, security-device management, incident response. Security
was something our customers purchased, but they purchased results, not
details.

Last year BT bought Counterpane, further embedding network security services
into the IT infrastructure. BT has customers that don't want to deal with
network management at all; they just want it to work. They want the internet
to be like the phone network, or the power grid, or the water system; they
want it to be a utility. For these customers, security isn't even something
they purchase: It's one small part of a larger IT services deal. It's the
same reason IBM bought ISS: to be able to have a more integrated solution to
sell to customers.

This is where the IT industry is headed, and when it gets there, there'll be
no point in user conferences like Infosec and RSA. They won't go away;
they'll simply become industry conferences. If you want to measure progress,
look at the demographics of these conferences. A shift toward
infrastructure-geared attendees is a measure of success.

Of course, security products won't disappear -- at least, not in my
lifetime. There'll still be firewalls, antivirus software and everything
else. There'll still be startup companies developing clever and innovative
security technologies. But the end user won't care about them. They'll be
embedded within the services sold by large IT outsourcing companies like BT,
EDS and IBM, or ISPs like EarthLink and Comcast. Or they'll be a check-box
item somewhere in the core switch.

IT security is getting harder -- increasing complexity is largely to blame
-- and the need for aftermarket security products isn't disappearing anytime
soon. But there's no earthly reason why users need to know what an
intrusion-detection system with stateful protocol analysis is, or why it's
helpful in spotting SQL injection attacks. The whole IT security industry is
an accident -- an artifact of how the computer industry developed. As IT
fades into the background and becomes just another utility, users will
simply expect it to work -- and the details of how it works won't matter.

Comment on this story.

- - -

Bruce Schneier is the CTO of BT Counterpane and the author of Beyond Fear:
Thinking Sensibly About Security in an Uncertain World.