Security expert/pundit/provocateur Bruce Schneier, always entertaining, had one of those “He’s right but so what?” columns on Wired.com recently.
The headline — “Do We Really Need a Security Industry?” — is the giveaway in that you’d expect Schneier’s answer to the question to be no, just as you might expect the TV news tease “Big storm headed our way?” to mean that there’s a big storm headed our way. We know better in the latter case, and you’ll see the same in Schneier’s essay. (Of course, the headline may be the work of a Wired editor.) Schneier writes: “The primary reason the IT security industry exists is because IT products and services aren’t naturally secure. If computers were already secure against viruses, there wouldn’t be any need for antivirus products. If bad network traffic couldn’t be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn’t have to spend billions every year making them secure.” See what I mean so far? He’s right. Unassailably right, in fact. Go ahead and try to pick a fight with any sentence in that paragraph. And he’s on a roll.
“Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn’t help improve their security. Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity — companies who will lose money if the Internet becomes more secure.”
That first sentence is constructed quite cleverly: Naturally, the best antivirus product on the market cannot “improve” the security of even the most porous IT product; the best you can expect is for the security product to “compensate” for the vulnerabilities.
Now Schneier begins to touch upon his real point: “Fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later. Their profits would rise in step with the overall level of security on the Internet. Initially we’d still be spending a comparable amount of money per year on security — on secure development practices, on embedded security and so on — but some of that money would be going into improving the quality of the IT products we’re buying, and would reduce the amount we spend on security in future years.”
The whereabouts of that initial “incentive to invest in security upfront” is something of a mystery — were it there today in sufficient quantities we wouldn’t be having this discussion — but once located and widely acknowledged it’s difficult to argue that the other pieces wouldn’t fall into place. Today, however, the more prominent incentive for vendors is that so many customers appear perfectly comfortable buying today’s level of security, so why should vendors invest the time, effort and money to provide more?
He spends the balance of the column touting security services, which his company provides (not that there’s anything wrong with it), and piling up caveats to counter this type of critique of the headline and top half of the piece. So, do we really need a security industry? Heck, yes….But we wouldn’t if pigs could fly.