April 26, 2007 10:07 AM PDT

Schneier questions need for security industry

LONDON--Outspoken author and security guru Bruce Schneier has questioned the very existence of the security industry, suggesting it merely indicates the willingness of other technology companies to ship insecure software and hardware.

Speaking this week at Infosecurity Europe 2007, a leading trade show for the security industry, Schneier said, "the fact this show even exists is a problem. You should not have to come to this show ever."

"We shouldn't have to come and find a company to secure our e-mail. E-mail should already be secure. We shouldn't have to buy from somebody to secure our network or servers. Our networks and servers should already be secure."

Schneier, chief technology officer at BT Counterpane, said his own company was bought by BT Group last year because the U.K. telecommunications giant realized the need for security to be part of any service, not an add-on at additional cost and inconvenience to the user.

His words echoed those of Lord Alec Broers, chair of the House of Lords science and technology committee, who suggested every company, from operating system and application vendors to ISPs, needs to take greater responsibility for the security of end users.

"Security is a small but important piece of the bigger picture," Schneier said. He added that consumers shouldn't accept any product that is inherently insecure.

However, Graham Cluley, senior technology consultant at Sophos, suggested Schneier's dream may be a long way from reality. "Why didn't everybody think about this sooner?" said Cluley. "It would be great."

"It would be great if robberies didn't happen and if road accidents didn't happen and if I didn't stub my toe," he added. "But what you have to realize is that software developers are human and humans make mistakes.

"I can't imagine there ever being a 100 percent secure operating system, because a vital component of programming that operating system is human."

Jon Collins, service director at analyst house Freeform Dynamics, expressed his own doubts about the value of the security industry but said it will always be fed by dual forces of end-user error and the shipping of insecure products.

"I always used to think the security industry existed to make people scared and then sell them something to protect them from what they were afraid of. But now I think it exists because of what people are prepared to buy," he said, adding that investment in security products tends to be reactive to a problem a company has already suffered, making security a "fire extinguisher industry."

But Collins added that it is not true to suggest that user reaction is always due to inherently insecure software or hardware.

"Even if everything was secured, the end user would still find a way to configure it wrong or install it wrong or enable the wrong privileges and permissions," he said.

Will Sturgeon of Silicon.com reported from London.


7 comments

Short sighted idiots...
As a security professional there is so much I could say about/against this article - but it would only be deleted for use of bad language, so I won't bother.
Posted by Marcus Westrup (630 comments )
Such as...
"As a security professional" I'm guessing your main beef is that systems that didn't need securing would put you out of a job.
Posted by solrosenberg (124 comments )
Yes, but
"Yes, but" is how every sentence should start regarding this article because the causes of insecurity are as diverse as snowflakes.

Sometimes, the product is pushed out too early - yes, but if it waited to be tested to a zero-fault it would never get to market.

Sometimes, the user is an idiot - yes, but not always.

Sometimes, the default settings are not secure - yes, but that's what customization is all about. The OS is not necessarily less secure because the default setting is "open."

Security is one important aspect of network design, but it is not the only aspect. A password policy that is too tight merely leads to end users taping the password under their keyboard or only changing the number of the month. ****** and Toilet Water consider this a "more secure" environment.

Standardization is inherently insecure because the network rules are known - but then if they weren't the Internet wouldn't work.

This could go on ad nauseam. Yes, many an OS or software suite goes on the market with holes, but even the well-tested products have to face hackers and attackers who've learned a few things over the years.

Many of the security products on the market are ineffective and not especially innovative, but that could be said about any industry. In the meanwhile, pick your security solution and take your chances.
Posted by phillynets (73 comments )
Finally...
I used to work for CHKP and I had said (about 4 years ago) to my colleagues that security cannot exist as a standalone industry. It will be and needs to be inherent in the applications, OS, and hardware we buy and use.

The security assumes that buying their product will mitigate 100% of the risk. If they don't sell it as mitigating 100% of the risk, then we as users have to accept some risk. Life is full of assuming risks. You do the best you can, life isn't perfect and neither can we expect security to be perfect.

An example: with Vista, the OS is much more secure, but the pain of that is just too much for an end user to bear. Similarly, a corporation wants to manage their business, customers, financial transactions, etc. They don't want to, but have to, manage security. Security is not a revenue generating option. It is strictly a cost overhead.

I am glad that someone like Bruce brings it out in the open and hopefully can start a healthy debate.
Posted by ngehani (3 comments )
Why we need Securityhmmmmm
Yes, why do we need Security? That is the question.
Answer -> Microsoft.
If Microsoft would come out with a good OS without having all these flaws in it. Plus have the hackers they "HIRE" help them come up with a great program to protect the OS, like the Blackhats do with Linux.
Really this Guy is a real nut case.
Enough said...........................Mark T
Posted by dogteams1 (11 comments )
RE:: near flat InfoSec EEG
And the blame resides equally with "vendors" as with "customers."

Too many vendors "blow smoke" (aka over sell a product's true capabilities, largely by selling "features" as if they were a vetted architecture) and "flash mirrors" (withholding vital information, some times in the face of direct questions) about what their latest-and-greatest does not manage to accomplish. (For the vendors of "bad" products, disclosing the truth would be a matter of "confession.")

Both failures are not to be excused.

Customers have to be faulted for being predisposed to seek out SnakeOil/SilverBullet/EasyButton "solutions" to complicated InfoSec problems.

The brain *is* *barely* functioning.

People are not thinking strategically and pro-actively. They are mostly reacting and they are well conditioned to spending out their quarterly budgets according to a deadline, not according to a well defined mission.

That's why so much garbage gets sold and bought in the name of Security.

Security is hard and the hardest parts are very easy to get wrong.

Concrete facts have to be sussed out, hypotheses have to be made, analyzed/tested, and "good" *conclusions* drawn, before we can begin to know what really needs to be done in a given situation. Only then can we begin to piece together the parts that might solve the problem.

This a much bigger problem than, "these products/technologies are good," and, "those are bad." That is the most simplistic sift that *always* has to be made; but even the "good" products can only be sanely utilized within the scope of their own strengths and weaknesses.

When "security" is built directly into a product's core, if it isn't scrupulously standards-based and intended to be fully interoperable according to those standards, we wind up with more proprietary crap that deliberately creates new gaps along its seams.

We abhor and ignore complexity.

An EasyButton is fine for photocopiers and buying office supplies.

There is just no such thing in RealWorld InfoSec.
Posted by wti (2 comments )