Everything about IT Security Will Change

Asian Security Review
November/December 2007

Bruce Schneier, leading cryptologist described as a "security guru" and a "leading counterterrorism contrarian" by the media, shares his thoughts about the future of information security.

"Crime, Crime, Crime!" Bruce Schneier is adamant when asked to talk about the worst security threats. It's not coming from fanatics, but from people out to steal for money, he insists.

"It doesn't matter what form it takes," he says. "It's wrong that we defend ourselves against the tactics, because then these guys change tactics."

He describes a worst scenario where "the crime is so bad that people stop doing commerce on the net." Information security is there to prevent this from happening.

As a leading cryptologist, Schneier is the CTO of BT Counterpane, a security service firm and author of Beyond Fear: Thinking Sensibly about Security in an Uncertain World.

He believes the security industry will undergo a transformation: "In a vibrant security market, security research and security companies no longer sell to consumers." He believes that end users will soon expect that services they use over networks, such as online banking, will come with a guarantee of security from the service provider.

"The hardest thing about working in IT security is convincing users to buy our technologies," Schneier says. "An enormous amount of energy has been focused on this problem -- risk analyses, ROI models, audits -- yet critical technologies still remain uninstalled and important networks remain insecure."

Schneier is constantly asked how to solve this by frustrated security vendors but he says he has no good answer. "But I know the problem is temporary," he shares. "In the long run, the information security industry as we know it will disappear."

Security as Utility

Schneier thinks the entire IT security industry is an artifact of how the computer industry developed. "Computers are hard to use, and you need an IT department staffed with experts to make it work."

Whereas for other mature high-tech products, such as those for power and lighting, heating and air conditioning, automobiles and airplanes, the job of installation and maintenance is outsourced as a service. "No company has an automotive-technology department, filled with car geeks to install the latest engine mods and help users recover from the inevitable crashes," he comments.

According to Schneier, IT is heading in that direction of becoming a utility where users are buying more services than products.

"By their nature, services are more about results than technologies," he says. "Service customers -- from home users to multinational corporations -- care less about the technological specifics and just expect IT to work."

Counterpane, the internet security company that Schneier formed eight years ago on the premise that "large IT departments don't really want to deal with network security", was acquired by BT last year to have their network security services embedded in the service portfolio.

"Many customers don't want to deal with network management at all; they just want the network to work," he says. "They want the Internet to be like a phone network, a power grid, or a water system -- in short, they want it to be a utility."

Schneier goes on to explain that for these customers, security isn't even something they purchase, but a small part of a larger IT services deal.

That's why IBM has bought ISS and EMC has purchased RSA -to create a more integrated solution for customers.

"Someone is going to buy Symantec," Schneier says firmly. "And someone is going to buy Network Associates."

Bruce Schneier Schneier uses email as an example as some corporations have outsourced their corporate email to companies like Google. "If you have a new email security solution, convincing Google to embed it in its email service is far more efficient than trying to sell it to users."

He believes when the IT industry matures, there'll be no point in user conferences like InfoSec and RSA. "They won't disappear; they'll simply become industry conferences," he says. "If you want to measure progress, look at the demographics of these conferences. A shift toward infrastructure-geared attendees is a measure of success."

Meanwhile, security products won't disappear. "There will still be firewalls, antivirus software, and all sorts of new technologies and products," notes Schneier. "But users won't care about them."

Instead, the new technologies will be embedded within the services sold by large IT outsourcing companies or ISPs -- "just like new automotive technologies are marketed to automobile manufacturers, rather than individual car owners."

Schneier believes this is progress. "As IT fades into the background and becomes just another utility, users will simply expect it to work," he notes. "The details of how it works won't matter."

Security will become a commodity, "just like an airbag in a car."

Schneier explains that in the US companies advertise their airbags as a differentiator. "Security will come out as a critical differentiator. You buy a product because it comes more secure," he says. "It won't be a separate thing, but it's there to make a difference."

Schneier goes on to explain that when customers buy a service, they don't need to tick a check box on whether they want security -- security comes as part of what the service provider is offering.

"Nobody wants to buy a house because of a door lock," he says. "But you will never buy a house that didn't come with a door lock."

Schneier also believes that security as utility solves the problemoffinger-pointingwhich is now happening around a lot of security issues. "If a company provides both, it doesn't matter whose fault it is but they need to make it good."

Security Signals

Schneier explains that for end users, because they are not experts in security, they will rely on the "signals" -- such as consultants, certification and analyses -- to help them make decisions.

"It's dangerous for customers to rely too much on this signal, but there are no better options," he explains. "Your option is either learn it yourself or buy after the signals."

Schneier uses the analogy of an ill person seeing a doctor -- "what are your other options? Learn medicine?" he explains. "You could, but it's not realistic."

"I have no clue about pharmaceuticals, so I have to trust a doctor."

Schneier also believes vendors should be held responsible for security failure because "there is no other mature industry on the planet where this is not true."

He uses the electricity industry as an example to support his viewpoint and points out there are many liability models organisations can work on.

Security as Part of Risk Management

Schneier says the security people in the company won't be obsolete: "they may have different bosses, but they are not going to go away."

While technical people will more likely be moved to some of the outsourcing companies, he also affirms that CIOs will not disappear from companies, because "you can never outsource the business risk management, you just outsource how it works."

Schneier also asserts that there is currently too much focus on technology. "Businesses are seeing security just as IT or information security," he adds. "That's changing -- you see a lot of security go into general risk management."

Security, ultimately, is part of enterprise risk management and business continuity.

He says though IT person is the best one to be in charge of IT security, someone above him has to approve his budget and that person will not be an IT person, "so that the IT person has to speak a language of the people above you."

However, the overall risk management stretches much more than merely IT. "You need to be secure against burglary, you need to consider risks of fire and hurricane," Schneier says. "All those are basic business risks and information security should be seen as part of this larger landscape."

Bruce Schneier's Top Ten Trends in Information Security

1. Economic value of information
It always has had value but we never realised before, or at least not in the same way we do now. For a lot of banks, their database has become their only sellable asset.

2. Network as critical infrastructure
The recent blackout in the United States saw lots of companies take long time to resume operations, not because of the power outage, but the data outage.

3. Most of our information is controlled by third party
Most legal statements are designed for owners of the property, but nowadays you don't have the paper anymore, you have an outsourcing company. When your data resides on an outsourcer's server, your own rules of security don't apply anymore.

4. Complexity
Things get more complex, and less secure; the internet is the most complex machine humankind has ever built. There is an arms race. You wait a couple of years, computers get better, but security gets worse. When the security gets better, the system gets more complex, we lose the ground.

5. Criminals
Threats have evolved from hobby threats to more criminal threats: Identity theft, fraud due to impersonation, bot networks. There is a career path to become a hacker. The command and control of worms is so sophisticated that we don't know how to take it down. The criminal worm is quiet, unlike hacker worms.

6. Faster exploitation
Lots of embedded systems are now out in the market. Patches have to be released fast -- that's fundamentally impossible as on-the-spot patching can't have both quality and speed. In 2004, Microsoft started once-a-month patching -- they release patches on a schedule, which has proven to be effective.

7. The World War II model of security is wrong
People are squandering too much effort on technologies such as SSL and PGP to protect the communications channel, while end points are now easier targets -- hackers try to get decrypted information sitting on the harddisks.

8. Secrecy vs. Security
Secrecy is not security -- something that is truly secure should be made public. For example, if the value of an encryption algorithm depends on its secrecy, all security will be lost once it's no longer secret.

9. Notion of the end user as the attacker
Most security protects you from the bad guys; but now there are security roadblocks on your computer to prevent you from doing "bad" things. In 2005, Sony secretly installed a root key in music CDs to prevent users from copying the songs. The company viewed viewed users as potential attackers, and is an example of "I can either protect you or protect against you" thinking. The root kit had a side effect of opening the PC to malicious attack.

10. Regulations
Greed and fear are the two things based on which you can sell something; security has already been and is fundamentally a fear sale; regulation gives IT guys a stick to force their manager to give them budget; lots of money goes to regulations, but not security itself.

earlier story: Guru Beaks Farewell to IT Security Firms
later story: Bruce Schneier Blazes Through Your Questions
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..