Guru Beaks Farewell to IT Security Firms

They'll be absorbed by big companies as security gets built into products, Bruce Schneier predicts to OO GIN LEE

The Straits Times
November 27, 2007

He is sounding the death knell of the consumer IT security market.

IT security guru Bruce Schneier is "100 per cent sure" that consumer security products will cease to exist in the future.

"Companies like Symantec, Network Associates and Qualis will be eventually subsumed as part of larger IT vendors," said Bruce, who was in town earlier this month to give a talk to the local security industry.

Bruce who is mentioned in the Da Vinci Code novel as a modern cryptologist, gave the recent examples of IBM buying security company Internet Security Systems (ISS)and British Telecom (BT) acquiring Counterpane, the company he founded.

He said this trend is inevitable as companies begin to demand for security to be built into products instead of separate solutions.

"Nobody wants to buy a door lock for a house but you will never buy a house without a door lock," he added.

Accountability

Bruce also called for the law to make software vendors liable for any losses suffered by users when both parties are not at fault. By passing the costs of security failure to the software companies, they will naturally develop more secure products, he added.

"It might mean the features get released later but every release is more secure," said Bruce.

This is perhaps the only solution to the current dilemma of consumers in the Internet world where security is very poor. He drew upon many real examples to support his proposal.

In the 70s, banks were hit by phantom ATM withdrawals. In the US, the courts held that the banks were liable unless they could prove consumers were at fault. In the UK, it was the reverse.

As a result, US banks developed many security measures. UK banks didn't until a decade later when British Parliament changed the law.

Similarly, a 1978 legislation in the US that limited the loss of credit card consumers to US$50 (S$72.26) galvanized the development of credit card security systems like holograms and online real-time verifications.

Bruce gave the example of a store which came up with a smart solution to deter cashier theft. With audit trails through receipts, the only way to steal was to take the sale off the register.

Instead of wasting time monitoring the cashiers, the solution was to get the customer involved - by giving him a free purchase if the cashier did not give him a receipt.

"If you want to solve the problem, solve the externalities. If you get your economics right, you will solve the problem," said Bruce.

Price war

Bruce likened the selling of consumer security products to selling lemons. Because it is not possible for consumers to tell the difference between a good and bad security product, the "lemon" product that is cheaper will end up outselling the better product that works.

Buyers can only judge the quality of a product by marketing signals like the reputation of the company, product reviews and market share.

"A lot of good security products actually lost the price war to the bad ones,' he added.

Hackers mean business

Bruce, who developed some of the world's cutting-edge cryptograms in the 90s to protect the privacy of data transmission through the network, said the new paradigm must now be on the end-points.

"Credit card numbers aren't stolen during transmission, they are lifted off the back end databases. It doesn't matter how many factors you have in your authentication because the hackers just install keyloggers (which reads everything you type on your screen)," he added.

He said that hackers changed three years ago from hobbyists out to boost their egos, to criminals out to steal identity and money.

"The hobbyist worm wants to erase your hard drive, the criminal one wants to keep it alive but not let you know that the Trojan is there. Hackers defacing websites? That's quaint today," he added.

earlier story: Interview: the Value of Bruce
later story: Everything about IT Security Will Change
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..