By Sumner Lemon
IDG News Service
20 September 2006
Companies are losing the battle to secure their IT systems from attacks
by hackers and other threats, influential security expert Bruce Schneier
"I don't think, on the whole, we are winning the security war; I think
we are losing it," said the founder and chief technology officer of
Counterpane Internet Security in a speech, at the Hack In The Box
Security Conference (HITB) in Malaysia.
As systems get more complex, they get less secure, according to
Schneier. Even as security technology improves, the complexity of modern
IT systems has increased at a faster rate.
"The Internet is the most complex machine ever built," Schneier said.
"This explains why security is getting worse."
In addition, the nature of the threat that companies face has changed in
important ways. Where hacking was once considered a profession for
hobbyists, a growing number of hackers are now criminals with a profit
"The nature of the attacks are changing because the adversaries are
changing," Schneier warned. "They have different motivations, different
skill sets and different risk aversions."
Hobbyists now represent the minority of hackers, according to Schneier.
This change means hackers pose an even greater threat to companies. "The
hobbyist is more interested in street cred, the criminal wants results,"
To turn the battle in its favour, the security industry must look beyond
purely technical measures, according to Schneier. "Look for the economic
levers," he said. "If you get the economic levers right, the technology
will work. If you get the economics wrong, the technology will never
Externalities, an economic term used to describe the effects of one
person's actions on another, are central to building effective security,
For example, U.S banks do not spend heavily to defend against identity
theft because they are not affected when such theft occurs. To the
banks, this is an externality. However, when banks bear liability for a
security breach, such as an unauthorised ATM withdrawal, they make the
investments necessary to prevent these incidents from taking place, he
The same economic lessons can be applied to software vendors. To improve
the security of software, Microsoft and others should be made liable for
selling software that is not secure. "When you use buggy software and
you lose data, that's your loss and not the software company's loss,"
That needs to change, according to Schneier. "The organisation that has
the capability to mitigate the risk needs to be responsible for the
risk," he said.
Visit the InfoSec News store!