RealTime IT News

It's the Economics, Techie

Computer security isn't a technological problem -- it's an economic one.

That is the message Bruce Schneier, CTO of Counterpane Internet Security and the author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World," repeated throughout his keynote address here Thursday at the infoSecurity Conference in New York's Jacob K. Javits Center.

Schneier, a security technologist, said the future of security is getting harder to predict and warned the several hundred tech professionals on hand that they must start paying attention to the economics of security if they hoped for technology to keep pace.

"To understand the difference it's necessary to understand the basic economic incentives of companies and how businesses are affected by liabilities," he said.

The key is to think of security not in absolutes, but rather in terms of sensible trade-offs, said Schneier.

Schneier argued that profit-making ventures make decisions based on short-term rather than long-term profitability. Organizations, he says, find it cheaper to weather the occasional bad press and fix public problems after the fact than to design security properly from the beginning.

Until that cost calculus shifts, he said, there will continue to be shoddy software and insecure practices.

"The problem is that most of the costs of insecure software fall on the users."

In economics, this is known as an externality: an effect of a decision not borne by the decision maker, according to Schneier.

"When ChoicePoint leaked data they weren't the victim -- you were," he told the audience. "The loss was to us."

"Depending on where you put liability, security improves or it doesn't," he added, noting that ChoicePoint had calculated its risk of losing data and weighed that against the cost of protecting it. Ultimately the data service chose a level of protection that did not prevent the information from being compromised.

"Put the liability on the responsible party, then we can do something," he said. That liability usually comes through legislation or lawsuits, according to Schneier.

And those losses, as in the case of ChoicePoint last February, signal another important shift in how companies need to protect themselves.

The problem is the inadequacy of computer and network-security systems originally geared to protect against the cracker who hacks as a hobby, not the career criminal.

"Criminal attacks represent a new threat for most organizations," Schneier said.

A recent example is the discovery this week of the latest Sober variant, which is set to automatically download unspecified code on Jan. 5, 2006, the anniversary of the founding of the Nazi party and the eve of a major German political convention.

Schneier also said the government's attempt to create a national identification card was nothing more than selling the American public another "bill of goods" that "won't make us any safer." In fact, he argued, the money invested in the program would divert much-needed funds from security matters that actually need addressing.

"Security is a process, it is not a product," he said.