Walls Don't Work in Cyberspace

By Bruce Schneier
Wired Magazine
June 2003

Internet security is usually described as a fortress, with the good guys inside the wall and the bad guys outside. Network owners buy products to shore up the barrier, on the logic that a stronger wall will give them better security. Flaws in the network are holes in the barricade, patches the mortar that closes them.

This metaphor might have been appropriate 10 years ago, when the Internet was made up of disparate networks that occasionally communicated, but it's outdated today. There are too many of us, doing too many things, interacting in too many ways. The Internet is more like a town.

In a town, security space is fluid. Barriers exist, yet they're only part of the solution. Sometimes the bad guys are already inside, while the good guys are outside, needing a legitimate way in. As in a town, Internet users interact with a number of people. We forge friendships of all sorts, long-lasting as well as fleeting. We create our own spaces, both permanent and temporary. Good guys and bad guys intermingle. The same door that opens for customers allows in shoplifters; from the outside, there's no way to tell one from the other.

Because the Net is so often compared to a fortress, most Internet security relies on prevention. That's not bad, but it's incomplete. Prevention is the least effective solution, because it's static and passive. In a town, security is a combination of prevention, detection, and response. There are walls - and also alarms and police. A town has a complex social structure that keeps its inhabitants safe. The Internet needs a similar social network atop its digital network.

Detection and response are far more effective - and cost-effective - than increased prevention. No bank ever says: "We have an impenetrable vault, so we don't need an alarm system." No museum ever takes such pride in its door and window locks that it fires the night watchman. No home-security expert would ever recommend making your walls thicker.

I'd like to see security products and services that treat the Internet as a town instead of a fortress, monitoring those on the inside as well as keeping others out. For example, my security company, Counterpane, recently detected a pattern of suspicious activity in the system of a large airline that led us to believe an employee was trying to break into the human resources server. We alerted the IT department and traced the attack to a reservations office in Mexico City. The employee was caught in the act and terminated.
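The inside-the-walls monitoring described above comes down to a detection rule over the logs you already have. The following is an added example for this essay, not Counterpane's code or anything the essay describes in detail: the log format, the host names, the 10.0.0.0/8 corporate range and the four-failures-in-five-minutes threshold are all assumptions, and the log lines are constructed, not real data. It flags an internal source that racks up repeated denied logins against a designated sensitive server, and it reports the distinct user names tried, because a run of different names looks like credential guessing rather than one person mistyping a password.

```python
"""Threshold-based detection of an insider probing a sensitive server.

Illustrative example added to the essay. Log format, host names, address
range and thresholds are assumptions; the sample log is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log (not real data). Assumed format:
# "<ISO timestamp> src=<ip> dst=<host> user=<name> action=<op> result=<ok|denied>"
SAMPLE_LOG = """\
2003-05-12T09:01:10 src=10.20.4.15 dst=hr-server user=jdoe action=login result=denied
2003-05-12T09:01:42 src=10.20.4.15 dst=hr-server user=admin action=login result=denied
2003-05-12T09:02:05 src=10.20.4.15 dst=hr-server user=root action=login result=denied
2003-05-12T09:02:37 src=10.20.4.15 dst=hr-server user=hr_admin action=login result=denied
2003-05-12T09:03:01 src=10.20.4.15 dst=hr-server user=payroll action=login result=denied
2003-05-12T09:05:00 src=10.20.7.88 dst=hr-server user=mgarcia action=login result=ok
2003-05-12T09:06:12 src=10.20.7.88 dst=hr-server user=mgarcia action=read result=ok
2003-05-12T09:30:00 src=10.20.4.15 dst=hr-server user=jdoe action=login result=ok
2003-05-12T10:15:00 src=198.51.100.7 dst=www-server user=- action=login result=denied
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate address space
SENSITIVE_HOSTS = {"hr-server"}                       # assumed crown-jewel systems
FAILURE_THRESHOLD = 4                                 # denied attempts per window (assumed)
WINDOW = timedelta(minutes=5)                         # sliding window length (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def is_internal(ip):
    """True if the address falls inside the assumed corporate ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect_insider_probing(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per (internal source, sensitive host) pair that
    accumulates at least `threshold` denied attempts within `window`.
    The alert carries the longest qualifying run and the user names tried."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    # Only denied attempts from inside the walls against sensitive hosts matter here.
    by_pair = defaultdict(list)
    for e in events:
        if e["result"] == "denied" and e["dst"] in SENSITIVE_HOSTS and is_internal(e["src"]):
            by_pair[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        best, start = None, 0
        for end in range(len(evs)):
            # Slide the window start forward until the run fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            run = evs[start:end + 1]
            if len(run) >= threshold and (best is None or len(run) > len(best)):
                best = run
        if best:
            alerts.append({
                "src": src,
                "dst": dst,
                "first": best[0]["ts"].isoformat(),
                "last": best[-1]["ts"].isoformat(),
                "denied": len(best),
                "users_tried": sorted({e["user"] for e in best}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_insider_probing(SAMPLE_LOG):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['denied']} denied logins between "
              f"{a['first']} and {a['last']}; users tried {a['users_tried']}")
```

Run against the constructed log, the rule raises one alert for 10.20.4.15 against hr-server and stays quiet about the legitimate user on 10.20.7.88 and the external address probing the web server, which a perimeter rule would have caught anyway. The alert is the detection half; the response half, tracing the source to a particular office and a particular person, is still human work.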

I'd also like to see Internet users develop relationships with each other based on trust. The street you live on matters more than the lock on your front door. Knowing your neighbors is more important than knowing karate. And in both the real and virtual world, nothing improves security more than gentrification.
