Schneier Questions Need for Security Industry
Outspoken author and security guru Bruce Schneier has questioned the very existence of the security industry, suggesting it merely indicates the willingness of other technology companies to ship insecure software and hardware.
Speaking at Infosecurity Europe 2007, a leading trade show for the security industry, Schneier said, “the fact this show even exists is a problem. You should not have to come to this show ever.”
“We shouldn’t have to come and find a company to secure our e-mail. E-mail should already be secure. We shouldn’t have to buy from somebody to secure our network or servers. Our networks and servers should already be secure.”
Schneier, chief technology officer at BT Counterpane, said his own company was bought by BT Group last year because the UK telecommunications giant realized the need for security to be part of any service, not an add-on at additional cost and inconvenience to the user.
His words echoed those of Lord Alec Broers, chair of the House of Lords science and technology committee, who suggested every company, from operating system and application vendors to ISPs, needs to take greater responsibility for the security of end users.
“Security is a small but important piece of the bigger picture,” Schneier said. He added that consumers shouldn’t accept any product that is inherently insecure.
However, Graham Cluley, senior technology consultant at Sophos, suggested Schneier’s dream may be a long way from reality. “Why didn’t everybody think about this sooner?” said Cluley. “It would be great.”
“It would be great if robberies didn’t happen and if road accidents didn’t happen and if I didn’t stub my toe,” he added. “But what you have to realize is that software developers are human and humans make mistakes.
“I can’t imagine there ever being a 100 percent secure operating system, because a vital component of programming that operating system is human.”
Jon Collins, service director at analyst house Freeform Dynamics, expressed his own doubts about the value of the security industry but said it will always be fed by dual forces of end-user error and the shipping of insecure products.
“I always used to think the security industry existed to make people scared and then sell them something to protect them from what they were afraid of. But now I think it exists because of what people are prepared to buy,” he said, adding that investment in security products tends to be reactive to a problem a company has already suffered, making security a “fire extinguisher industry.”
But Collins added that it is not true to suggest that user reaction is always due to inherently insecure software or hardware.
“Even if everything was secured, the end user would still find a way to configure it wrong or install it wrong or enable the wrong privileges and permissions,” he said.