Expert Bruce Schneier: It’s Hard Not to Despair over the State of IT Security
The more things change the more they stay the same, goes an old saying. That certainly seems to be true in IT security.
Despite decades of experience almost every day there’s another story about a data breach, software vulnerability or new malware discovered.
So perhaps it’s no surprise that the 15th anniversary edition of veteran security expert Bruce Schneier’s book Secrets and Lies: Digital Security in a Networked World begins with a foreword that admits how little things have changed since the book first came out in 2000.
Not, he said in an interview Monday, that there’s evidence the amount of malware itself has increased. But his arguments on the limits of cryptography, on authentication, threats and attacks haven’t changed. Nor in his prescription—vital to CEOs—that technology alone can’t secure the enterprise: There has to be defence in depth, and the organization has to be ready to respond to the inevitable intrusion.
The only thing that might be different is the speed of response ‘We’re living in a world where we need to be resilient,’ he said in the interview. ‘We need to deal with things in real time because the notion that we’re going to build protection fails. We really have to take a more active and responsive view of security.
A prolific writer, he’s the author or co-author of 14 books on security and a popular blog. Schneier is CTO of managed service provider Resilient Sytems, a fellow at Harvard University’s Berkman Center, and a board member of the Electronic Frontier Foundation.
Those looking for an update or revision of what Schneier wrote 15 years ago in this edition (issued this month) will be disappointed—it is the same book. So the strengths remain. That means it outlines the same vulnerabilities—complexity in systems, poor software coding—that he wrote about in 2000. There’s also the complaint that until vendors are held responsible for product weaknesses nothing will change.
But there’s no mention of Target, Home Depot, Android, iOS or Bitcoin. I’d have liked an update on the technologies to watch section. Regrettably, even the resources (books, Web sites) mentioned at the back of the book are the same as he set down in 2000.
Here’s why: Schneier acknowledged that the publisher, Wiley, wanted to tag on to the publicity he’s getting for his latest book, Data and Goliaths, which is put out by another publisher. The main change is a new introduction, which talks about a new way to think about incident response: The way the military does—in OODA loops (observe, orient, decide, act.)
‘The goal here is to bring people, process and technology together in a way we haven’t seen before in network security,’ he writes.
That doesn’t mean the 15th edition has no value. CEOs who haven’t read the book may find it useful to keep up with their CIOs/CSOs in crafting their organization’s IT security.
The chapters on threat modelling and risk assessment, and on security processes will help a chief executive better understand what the IT staff is talking about.
He agreed in the interview it’s hard not to despair over the current state of IT security. ‘Things are getting better in places, but staying the same in a lot of places. And a lot of it is because we just don’t know how to secure things. We’re just doing the best we can patching things, doing the best we can. There’s no real theory of doing it securely.’
I finished by asking him if 15 years from now, on the 30th anniversary of the initial publication of the book, will he write a new introduction that—again—says ‘things haven’t changed’?
‘My guess is yes. I think we will get better at some things, but complexity will get worse—and complexity is the worst enemy of security. We really are just muddling through. There’s no theoretical security that will make things better. It’s still an arms race, and its an arms race where the attacker has an advantage. So I hope we’ll give the defender more of an even score, but giving the defender an advantage? I don’t think that’s going to happen in the next 15 years. That will need some fundamental advances in computing, and I don’t see that happening soon.’
In the meantime, remember two words: Risk management.