Words of Warning from a Cyber-Security Guru

Bruce Schneier of Counterpane Internet Security says computing today is unsafe at any speed. But we can minimize the dangers

By Neil Gross
Business Week
December 29, 1999

Hardly a week goes by when corporate computing czars don't have to absorb some rude piece of news from the security front. It may be a gaping hole somebody discovers in a browser or e-mail system, or a virulent new pest with a name like Melissa or Worm.ExploreZip. Against these mounting threats, the usual defensive arsenal of virus-scanning software, encryption, and firewalls seems flimsy indeed.

Brace yourself: The situation is going to get worse, according to Bruce Schneier, 36-year-old cryptography guru and author of Crypto-gram, an influential monthly newsletter. As new releases of common software grow more complex -- and interact with one another in ways that nobody can predict -- security products purchased off-the-rack will offer less and less protection from malicious viruses and hackers, Schneier warns. To be safe, companies may once again have to reengineer how they do business on the Net.

Schneier speaks with authority. His 1994 book, Applied Cryptography (John Wiley & Sons), has sold more than 120,000 copies. "It is probably the definitive work in the field," says Roy D. Thetford, director of Carnegie Mellon Research Institute's CyberSecurity Center. As founder and chief technology officer of Counterpane Internet Security Inc., a computer security company in San Jose, Calif, Schneier has provided security tips to the likes of Hewlett-Packard, Microsoft, Intel, and Merrill Lynch. "He understands the technology, but he also understands how it applies to the real world," says Thetford.

"INCREDIBLY NAIVE." Given this background, it's intriguing to find Schneier, in recent issues of Crypto-gram, expounding on the limitations of math-based cryptography. "In my book, I wrote that we needed to protect ourselves not with laws, but with mathematics," he says. "It was interesting, but incredibly naive." Now Schneier, the inventor of the popular encryption algorithm called "Blowfish," believes that such schemes will never be sufficient. Instead, his efforts focus on dealing with complexity, which he sees as the root cause of security vulnerabilities.

Based on his latest insights, Counterpane will soon launch a new business initiative. Schneier is not ready to divulge the details. But there are tantalizing clues in the aphorism he repeats often in writing and interviews: "Security is not a product. It's a process," he says. And if the future conforms to his bleak predictions, this thought may well become a mantra for 21-century computing.

Increasingly these days, virtually all big programs are cobbled together from smaller pieces, which are implemented, tested, fixed, retested, and combined into larger functional units, which must be tested all over. This try-and-fix approach doesn't work for security, Schneier points out, precisely because security is not a functional aspect of the software. The only way to "test" security is to perform expensive and time-consuming manual reviews. And since no company has time to simulate an attack on every possible point of weakness, reviews never actually prove that a product is secure. "No company will say to you: 'here, take two years and do a proper security review'," Schneier says.

Complexity, expressed as the number of options in a program that may interact in unexpected ways, makes a bad situation worse. "As software gets more complex, the number of potential security flaws goes up exponentially," he says. Hackers with malicious intent have a good grip on this dynamic. And increasingly, they are homing in on points of interaction among features in a program, or among programs.

Schneier finds this state-of-siege demoralizing. "I am downbeat about the future of security," he admits. Complexity is built into the tasks we require from computers. "The Net itself is complex," Schneier notes. "You could avoid many security issues by ripping the Net down, but nobody wants that to happen."

Even where countermeasures are possible, however, Schneier finds that software vendors don't learn from their failings. "We've been finding and fixing security bugs for years. But none of those fixes are transferred forward, when products are upgraded," he says. "Each time a new version comes out, we take a step back." Just when the bugs were ironed out of early Web browsers, for example, the products were "enhanced" with Java code, opening up whole new security weaknesses. By the time those problems are ironed out, there will be something new, he predicts.

ALL EARS. Schneier has always been attracted to tall challenges. Growing up the son of a judge in New York, he was drawn to science and math at an early age. After receiving an MS in physics from Rochester University, he spent five years at the Defense Dept. That was followed by a brief stint at AT&T Bell Labs. And in 1991, he turned to consulting and writing.

Today, Schneier has no difficulty getting his message out -- especially to young software companies. For startups in the security business, a review in Crypto-gram can be harrowing. In August, Schneier published a brief, rather gentle critique of the security features in a novel e-mail service called HushMail, which was created by Hush Communications Corp. in the British West Indies. The company responded with a seven-page, point-by-point rebuttle -- in a tone that was pointedly deferential to Schneier. "Bruce is one of the world's best-known cryptographic experts, and we're happy he has taken the time to comment on our system," the writers gushed at the top of the memo.

A few weeks later, a HushMail competitor called QVTech, of Colorado Springs, pondered the risks of a similar writeup in Crypto-gram. Before explaining to the public how his new system worked, QVTech CEO and co-founder John Blumenthal said he planned to give Schneier a chance to inspect the program. Indeed, he added, "some of the techniques we're using were described in a recent Schneier paper."

While basic security problems may be intractable, Schneier says companies can still strive to adopt best practices. Consumers of software can also be more wary. Whether the product is a browser, a firewall, or an operating system, people can pay closer attention to security advisories, bulletin boards, and vendor updates. Software developers can also improve their processes. It's possible, for example, to reduce complex interactions among options in software by dividing blocks of functions into modules that are clearly defined and segrated from one another. Such modularity "is the hallmark of good design," Schneier writes.

And software developers can help in a more fundamental way, he notes: "Since complexity is the enemy, designers of security systems should keep products simple." Easy to say -- and so hard to do. This simple fact should keep Schneier in business for many years to come.

earlier story: Editors' Choice: Security Suites
later story: The Encryption Algorithm Demolition Derby
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..